Case Sensitive Regex

Discussion in 'Perl Misc' started by Robert, Oct 18, 2005.

  1. Robert

    Robert Guest


    I am trying to secure my mailer script from those who might try to hijack it
    by adding "To:" etc fields in the form fields.
    Currently I am using this:

    my $name = param('name');
    if ($name =~ /To:/) { &spamattempt; }
    if ($name =~ /to:/) { &spamattempt; }

    Basically if the "name" field contains either an upper or lower case To or
    to the script will direct to a subroutine where the process is terminated.
    This all works fine. My Question ... is there an easier way to write the
    regex above that looks for To:/to: etc? I was thinking maybe it could be
    done with a single regex where it searches for either an upper or lower case
    T or O followed by a ":". I did some research on regex case sensitivity and
    found that the "i" operator is needed but couldn't make it work. Thanx all
    in advance.

    Robert, Oct 18, 2005

  2. Robert

    Robert Guest

    Yeah ok, I feel stupid:

    if ($name =~ /To:/i) { &spamattempt; }

    Robert, Oct 18, 2005

  3. How could you not make it work? Please post a short but complete script,
    that people can copy and run, and that illustrates the issue.
    ( /to:/i should do what you want. )

    OTOH, I'd think that a simpler and safer way to prevent that kind of
    abuse is to ensure that none of the email header fields includes linebreaks.

    $name =~ s/\s+/ /g;
    Gunnar Hjalmarsson, Oct 18, 2005
  4. John Bokma Guest

    Much better is to define what exactly is allowed vs. to think up bad
    cases, and check for those.
    Why do you use & in front of the sub?
    John Bokma, Oct 18, 2005
  5. Dave Weaver Guest


    Normally you call subroutines like this:


    Using the '&' on a subroutine call has side effects that, if you don't
    know what they are, you don't want.

    Your whole line is, IMHO, better written as:

    spamattempt() if $name =~ /To:/i;
    Dave Weaver, Oct 18, 2005
  6. John Bokma Guest


    $name =~ /To:/i and we_have_a_spam_attempt();
    John Bokma, Oct 18, 2005
  7. Sometimes that's better.

    As regards a name field: Don't think so.
    Gunnar Hjalmarsson, Oct 18, 2005
  8. Brian Wakem Guest

    Case insensitive regexes are very slow. I try to use index where
    possible, with a case modifier, which when I last did some benching on
    this issue was 6 times faster than a regex on my test machine IIRC.

    spamattempt() if (index(lc $name, 'to:') != -1);
    Brian Wakem, Oct 18, 2005
  9. Joe Smith Guest

    A floating regex can be slow, but I expect the anchored regex
    if ($name =~ /^To:/i) { spamattempt(); }
    to be on par with index().
    Joe Smith, Oct 18, 2005
  10. John Bokma Guest

    I think it's not that hard to come up with a nice definition of what is
    allowed in a name, even when unicode is allowed. It's a bit harder if
    handles/nicks, etc are allowed, since then stuff like [email protected]><0r could be a
    "name", but even then :)
    John Bokma, Oct 18, 2005
  11. Even if it would be _possible_, how on earth could it be _better_ if the
    purpose is to prevent abusers from adding extra mail headers?

    Gunnar Hjalmarsson, Oct 18, 2005
  12. John Bokma Guest

    Even if all possible exploits are a subset of all invalid names, I would
    prefer to deny all invalid names over all possible exploits.
    John Bokma, Oct 18, 2005

  13. Then you should have taint checking turned on.

    perldoc perlsec
    Tad McClellan, Oct 20, 2005
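
Added example, not code from any poster in this thread: a side-by-side run of the /To:/i deny-list check from the first post against an allow-list check of the kind argued for above, which also refuses the line breaks Gunnar points to. The helper name validate_name, the permitted character set, the 64-character limit and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;                               # the sample names below contain UTF-8 literals
binmode STDOUT, ':encoding(UTF-8)';

# Hypothetical helper: returns the accepted name, or undef if the value is
# not acceptable as a display name in a mail header.
sub validate_name {
    my ($raw) = @_;
    return unless defined $raw;

    # An extra header needs a line break, so refuse CR, LF and every other
    # control character instead of searching for particular header names.
    return if $raw =~ /[\x00-\x1F\x7F]/;

    # Allow-list (assumed policy): a letter first, then letters, combining
    # marks, space, period, apostrophe or hyphen, 64 characters at most.
    # ':' is not in the set. \A and \z are used because $ would tolerate a
    # trailing newline. Returning the capture also untaints the value when
    # the script runs under -T.
    return $raw =~ /\A([\p{L}\p{M}][\p{L}\p{M} .'\-]{0,63})\z/ ? $1 : undef;
}

# Constructed sample inputs.
my @samples = (
    "Robert",
    "José Ángel O'Neil-Smith",
    "to: someone",                      # caught by both checks
    "Bob\r\nBcc: list\@example.com",    # contains no "to:", deny-list accepts it
    "Bob\nContent-Type: text/html",     # contains no "to:", deny-list accepts it
    "",                                 # empty name
);

for my $s (@samples) {
    (my $shown = $s) =~ s/\r/\\r/g;     # make line breaks visible in the output
    $shown =~ s/\n/\\n/g;
    my $deny  = $s =~ /To:/i               ? 'reject' : 'accept';
    my $allow = defined validate_name($s)  ? 'accept' : 'reject';
    printf "%-34s /To:/i=%-6s allow-list=%s\n", qq{"$shown"}, $deny, $allow;
}
```
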
