Matthew Braid
Hi all,
OK, first off - the perldocs for RE's make my head hurt.
I'm writing a formatter package that basically has a little language of its own
to allow joombie users to format their own stuff without bothering me....
One of the formatter 'tags' allows the use of a regular expression (in a
slightly stunted fashion), however I want to ensure no code execution is performed.
RE's are specified like:
find /RE/, REFLAGS
REFLAGS can be a string containing 'ismx' - anything else causes an error.
RE is a (duh) regular expression. This is split into RE strings (for instance
'^[a-z]\Q$FOO\E') and variables (for instance $FOO, @BAR etc).
The variable handling is done - that was pretty easy.
Technically the RE handling is pretty easy too - I could just rebuild it by
evaluating the variables and plonking it all back together, eg
store $BAR, 'BAR[]!'
find /^[a-z](\Q$FOO\E$BAR)\z/, 'is', FIELD
=> RE is split into '^[a-z](\Q$FOO\E', $BAR, ')\z';
=> $BAR evaluates to 'BAR[]!' -> quote it with '\QBAR[]!\E';
=> $RE is built into '(?is:^[a-z](\Q$FOO\E\QBAR[]!\E)\z)';
$FIELD =~ $re;
etc etc... (obviously done so that it actually works....)
The problem here is if the user does something like:
find /(?{system('rm -rf /')})/, '', FIELD
This is obviously not something I want to run. Is there a simple thing I can do
to stop RE's from ever executing inline code, or do I have to add checks for
this to my RE parser?
MB
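
An added example, not part of the original post: Perl refuses `(?{...})` and `(??{...})` in a pattern that is interpolated from a variable at run time unless `use re 'eval'` is in scope, so compiling user patterns where that pragma is off rejects inline code before it can run. `compile_user_re` is a hypothetical helper and the sample patterns are constructed inputs.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not from the post): compile a user-supplied pattern.
sub compile_user_re {
    my ($pattern, $flags) = @_;
    $flags = '' unless defined $flags;

    # Same rule as the post: only i, s, m and x are accepted as flags.
    die "bad flags '$flags'\n" if $flags =~ /[^ismx]/;

    # Keep the "re 'eval'" pragma off in this scope. With it off, perl dies
    # with "Eval-group not allowed at runtime" when an interpolated pattern
    # contains a code block, instead of compiling it.
    no re 'eval';

    my $re = eval { qr/(?${flags}:${pattern})/ };
    die "rejected pattern: $@" unless defined $re;
    return $re;
}

# Constructed sample inputs: [ pattern, flags ].
my @samples = (
    [ '^[a-z]+\d\z', 'i' ],   # ordinary pattern, compiles
    [ '(?{ 1 })',    ''  ],   # inline code block, refused
    [ '(??{ "a" })', ''  ],   # postponed code block, refused
    [ 'abc',         'e' ],   # flag outside 'ismx', refused
);

for my $s (@samples) {
    my ($pattern, $flags) = @$s;
    my $re = eval { compile_user_re($pattern, $flags) };
    if (defined $re) {
        my $hit = ('Q7' =~ $re) ? 'matches' : 'does not match';
        printf "%-14s compiled; 'Q7' %s\n", $pattern, $hit;
    }
    else {
        (my $why = $@) =~ s/\s+\z//;
        printf "%-14s refused: %s\n", $pattern, $why;
    }
}
```

The check applies only to patterns built from variables at run time and only while `use re 'eval'` is not in effect for the code doing the compiling.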