Worth reading, including the end where Jonathan
expands on his earlier post.

-----Original Message-----
From: Jonathan E. Paton [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 29, 2002 1:32 PM
To: Collins, Joe (EDSIBDR)
Subject: RE: Comparing strings

| > Don't know if this helps, but the following code 
| > 
| > $one = "ExamPle";
| > $two = "example";
| > 
| > if ($one=~/$two/i) {
| >     print "true ";
| > }
| >
|
| This is a bad idea for anything other than throwaway
| scripts... it requires building a full regex every time
| (from $two).  You *MUST* use quotemeta() on $two to make
| it safe, otherwise any regex characters will apply - which is
| VERY UNSAFE.
|
| Perl might be fast, but best not making it work harder
| than is needed.
|
| Unsafe, why?
| ------------
| 
| What if $two contained: 
| 
| "((((.*)*)*)*)*a$"
| 
| that has exponential runtime :(
| 
| BUT, what if $two contained:
| 
| "?{system('rm -rf /')}"
|
| that'd REALLY wreck your day - as you reach for the most
| recent backup tapes...
|
| Jonathan Paton
|
>
> Hi Jonathan,
> 
> Very interesting reply and it opened my eyes(!)....scary stuff.
>
> Kindly explain a bit before I write some PERL/CGI code
> and have a user fill in a field that I do a regexp
> on and wipe out my web hosting site!! 
>

You should be very, very scared indeed.  If you are doing
CGI you do need to take a lot more care.  Taint mode is helpful
when you wish to strengthen your code.  I'd read the relevant
security chapters a few times over, it is quite enlightening.

perldoc perlsec

Also, do get your code checked out by peers... it's amazing
what others can spot that you didn't know.  If you don't have
anyone then email it to the list (if small or complex) or myself
(if big). I quite enjoy pointing out subtle problems/issues when
reviewing code ;)

> 
> I write because I tried what you did (changing the rm etc!!) and
> it doesn't work, i.e. I tried this for $two on perl v5.6.0 
> on my PC platform and it does not create junk.txt as I think 
> it should. I also do not find the ? command in my perl books.
> 

perldoc perlre 

> 
> $two="?{system 'echo hello world > junk.txt'}"
>
 
Okay, I've just tested this one.  I haven't been telling
the whole truth it seems!  This *WILL ONLY* be executed in a
use re 'eval' scope - which gives you some security from it.  The other
kind of problem I showed still causes its grief without this.  Just
remember that someday, someone *could* put that statement in.

You need to place () around the ?{} block, by the way.

>
> (I am somewhat of a newbie, using perl every day since mid
> September 2001 to process and compare large text files and fields
> therein).
>

I was a paid summer student starting just two months
earlier, for a period of 12 weeks... however, I had/have plenty of time
to dig into the interesting things.

Jonathan Paton
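
To make the quotemeta() advice from the thread concrete, here is an added example (not code from the thread) that runs the original idiom, the \Q...\E-escaped form and a plain index() test over the same untrusted inputs. It assumes a reasonably current perl, where an interpolated (?{ }) block is refused unless use re 'eval' is in scope; the index_match() helper is an addition, not something from the posts.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed input: $one is the data being searched, the second
# argument plays the part of an untrusted CGI form field.
my $one = "ExamPle";

# The idiom from the original post: the regex is built from raw $two.
sub unsafe_match {
    my ($haystack, $needle) = @_;
    return $haystack =~ /$needle/i ? 1 : 0;
}

# Hardened: \Q...\E applies quotemeta() to the interpolated value, so
# every regex metacharacter in $needle is matched as a literal.
sub safe_match {
    my ($haystack, $needle) = @_;
    return $haystack =~ /\Q$needle\E/i ? 1 : 0;
}

# No regex at all: for a plain case-insensitive substring test this is
# the cheapest option and there are no metacharacters to worry about.
sub index_match {
    my ($haystack, $needle) = @_;
    return index(lc $haystack, lc $needle) >= 0 ? 1 : 0;
}

# Four constructed "form field" values: plain text, a wildcard that
# matches anything, an unbalanced parenthesis, and a code block.
for my $two ("example", ".*", "Exam(", "(?{ print 'code ran' })") {
    print "needle [$two]\n";
    # The raw version can die (regex syntax error, or a code block that
    # perl refuses to compile from an interpolated string without
    # use re 'eval'), so it is wrapped in eval to report the failure.
    my $raw = eval { unsafe_match($one, $two) };
    print "  unsafe: ", defined $raw ? "$raw\n" : "died: $@";
    print "  safe:   ", safe_match($one, $two), "\n";
    print "  index:  ", index_match($one, $two), "\n";
}
```

Only the first needle gives the same answer in all three columns: ".*" matches everything through the raw regex but nothing as a literal, and the last two make the raw version die while the escaped and index() versions simply report no match.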
