Case Sensitive Regex

Discussion in 'Perl Misc' started by Robert, Oct 18, 2005.

  1. Robert

    Hello,

    I am trying to secure my mailer script from those who might try to hijack it
    by adding "To:" etc fields in the form fields.
    Currently I am using this:

    my $name = param('name');
    if ($name =~ /To:/) { &spamattempt; }
    if ($name =~ /to:/) { &spamattempt; }

    Basically if the "name" field contains either an upper or lower case To or
    to the script will direct to a subroutine where the process is terminated.
    This all works fine. My Question ... is there an easier way to write the
    regex above that looks for To:/to: etc? I was thinking maybe it could be
    done with a single regex where it searches for either an upper or lower case
    T or O followed by a : I did some research on regex case sensitivity and
    found that the "i" operator is needed but couldn't make it work. Thanx all
    in advance.

    Robert
     
    Robert, Oct 18, 2005
    #1

  2. Robert

    Yeah ok, I feel stupid:

    if ($name =~ /To:/i) { &spamattempt; }

    Robert
     
    Robert, Oct 18, 2005
    #2

  3. How could you not make it work? Please post a short but complete script,
    that people can copy and run, and that illustrates the issue.
    ( /to:/i should do what you want. )

    OTOH, I'd think that a simpler and safer way to prevent that kind of
    abuse is to ensure that none of the email header fields includes linebreaks.

    $name =~ s/\s+/ /g;
     
    Gunnar Hjalmarsson, Oct 18, 2005
    #3
  4. John Bokma

    Much better is to define what exactly is allowed vs. to think up bad
    cases, and check for those.
    Why do you use & in front of the sub?
     
    John Bokma, Oct 18, 2005
    #4
  5. Dave Weaver


    Normally you call subroutines like this:

    spamattempt();

    Using the '&' on a subroutine call has side effects that, if you don't
    know what they are, you don't want.

    Your whole line is, IMHO, better written as:

    spamattempt() if $name =~ /To:/i;
     
    Dave Weaver, Oct 18, 2005
    #5
  6. John Bokma

    or

    $name =~ /To:/i and we_have_a_spam_attempt();
     
    John Bokma, Oct 18, 2005
    #6
  7. Sometimes that's better.

    As regards a name field: Don't think so.
     
    Gunnar Hjalmarsson, Oct 18, 2005
    #7
  8. Brian Wakem

    Case insensitive regexes are very slow. I try to use index where
    possible, with a case modifier, which when I last did some benching on
    this issue was 6 times faster than a regex on my test machine IIRC.


    spamattempt() if (index(lc $name, 'to:') != -1);
     
    Brian Wakem, Oct 18, 2005
    #8
  9. Joe Smith

    A floating regex can be slow, but I expect the anchored regex
    if ($name =~ /^To:/i) { spamattempt(); }
    to be on par with index().
    -Joe
     
    Joe Smith, Oct 18, 2005
    #9
  10. John Bokma

    I think it's not that hard to come up with a nice definition of what is
    allowed in a name, even when unicode is allowed. It's a bit harder if
    handles/nicks, etc are allowed, since then stuff like [email protected]><0r could be a
    "name", but even then :)
     
    John Bokma, Oct 18, 2005
    #10
  11. Even if it would be _possible_, how on earth could it be _better_ if the
    purpose is to prevent abusers from adding extra mail headers?

    See http://groups.google.com/group/comp.lang.perl.misc/msg/02a2892e2f4705ef
     
    Gunnar Hjalmarsson, Oct 18, 2005
    #11
  12. John Bokma

    Even if all possible exploits are a subset of all invalid names, I would
    prefer to deny all invalid names over all possible exploits.
     
    John Bokma, Oct 18, 2005
    #12

  13. Then you should have taint checking turned on.

    perldoc perlsec
     
    Tad McClellan, Oct 20, 2005
    #13
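    The three defences argued over in this thread side by side: the case-insensitive blacklist from posts #1 and #2, Gunnar's whitespace flattening from #3, and John's define-what-is-allowed rule from #4 and #12. This is an added example, not code from the thread; the allowed-name character class and the sample inputs are constructed for it.

```perl
# Added example, not code from the thread: the three approaches discussed
# above applied to the same constructed inputs for a form's "name" field.
use strict;
use warnings;

# Blacklist, as in the original post: one case-insensitive match on "To:".
# It only knows about the header names it was told about.
sub blacklist_hit {
    my ($field) = @_;
    return $field =~ /To:/i ? 1 : 0;
}

# Gunnar's approach: a header field can never span lines, so collapse all
# whitespace (including \r and \n) to a single space before use.
sub flatten_whitespace {
    my ($field) = @_;
    $field =~ s/\s+/ /g;
    return $field;
}

# John's approach: define what a name may contain and reject the rest.
# The character class is an assumption for this example; widen it for your
# users. \A and \z are used on purpose: $ would still accept a trailing
# newline, which is exactly the character this thread is worried about.
sub is_valid_name {
    my ($field) = @_;
    return $field =~ /\A[\p{L}\p{M}' .\-]{1,100}\z/ ? 1 : 0;
}

# Make CR and LF visible when printing a field.
sub show {
    my ($s) = @_;
    $s =~ s/\r/\\r/g;
    $s =~ s/\n/\\n/g;
    return "\"$s\"";
}

# Constructed inputs: a normal name, an extra header that is not "To:"
# smuggled in on a second line, and a name with only a trailing line break.
my @samples = (
    'Robert Smith',
    "Robert\r\nBcc: other\@example.com",
    "Robert\n",
);

for my $input (@samples) {
    printf "%-40s blacklist=%d flattened=%-34s whitelist=%d\n",
        show($input), blacklist_hit($input),
        show(flatten_whitespace($input)), is_valid_name($input);
}
```

    Only the whitelist rejects the second and third inputs; the "To:" blacklist passes both, and flattening keeps the second one out of the headers but still leaves a trailing space on the third. Under taint checking (perl -T, perldoc perlsec) a CGI parameter stays tainted until it has been through a regex capture, which pushes you toward the whitelist style whether you planned it or not.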
