Perl5 Regexps are insecure
Martijn Koster (m.koster@nexor.co.uk)
Tue, 15 Nov 1994 07:42:06 +0000

Hello Perl Webbers,

Some of you have probably realised/read this, but for those who,
like me, didn't:

In Perl4, once you put a string inside a m// it could be quite safe.
In Perl5 they need not be (even without using any extensions). Randal
happily managed to execute some of his Perl code on my web server
through a Perl5-regexp supporting search engine. According to my logs
nobody else tried this (thank goodness no-one understands Perl5 :-).

Bummer, because Perl5 regexps are even nicer than Perl4 regexps. For
now I have disabled all Perl5 regexps in CGI scripts on my system, but
I do hope this gets sorted soon. Any hints will be appreciated.

Cheers,

-- Martijn (still shaking :-)
__________
Internet: m.koster@nexor.co.uk
X-400: C=GB; A= ; P=Nexor; O=Nexor; S=koster; I=M
X-500: c=GB@o=NEXOR Ltd@cn=Martijn Koster
WWW: http://web.nexor.co.uk/mak/mak.html