regex-verifier cgi - don't want to use system or backticks

TechCrazy

I am writing a cgi script which will accept a regex(perl syntax) and a
string and it has to determine if the regex can generate the string.
This is what I came up with but it uses a system() on tainted data and
is not very safe against quotes. How do I get around this. Thanks a
lot, gurus.

my $text_to_be_matched = $cgi->param("text_to_be_matched") ;
my $regex = $cgi->param("regex") ;
my $cmd = "/opt/third-party/bin/perl -e \"
if (\'$text_to_be_matched\' =~ m/$regex/) {
print \'$text_to_be_matched matches $regex\' ;
}
else {
print \'$text_to_be_matched does not match $regex\' ;
}
\"
";

print $cmd ;
system($cmd);
 
Fabian Pilkowski

* TechCrazy said:
I am writing a cgi script which will accept a regex(perl syntax) and a
string and it has to determine if the regex can generate the string.
This is what I came up with but it uses a system() on tainted data and
is not very safe against quotes. How do I get around this. Thanks a
lot, gurus.

my $text_to_be_matched = $cgi->param("text_to_be_matched") ;
my $regex = $cgi->param("regex") ;
my $cmd = "/opt/third-party/bin/perl -e \"
if (\'$text_to_be_matched\' =~ m/$regex/) {
print \'$text_to_be_matched matches $regex\' ;
}
else {
print \'$text_to_be_matched does not match $regex\' ;
}
\"
";
print $cmd ;
system($cmd);

You want to do this without system()? Nothing simpler than that. Just
omit the system() ... ;-)

my $text_to_be_matched = $cgi->param("text_to_be_matched") ;
my $regex = $cgi->param("regex") ;
if ( $text_to_be_matched =~ m/$regex/ ) {
print "$text_to_be_matched matches $regex";
}
else {
print "$text_to_be_matched does not match $regex";
}

Is that what you want?

But be aware, it is also possible to call your script with an evil
$regex, e.g. by using the (?{...}) construct. Sure, you could call
quotemeta() first, but then it's more like a string than a pattern.

Perhaps someone else has a good idea to avoid evil patterns -- but I
think it's not as easy as it seems.

regards,
fabian
 
Brian McCauley

Fabian said:
my $text_to_be_matched = $cgi->param("text_to_be_matched") ;
my $regex = $cgi->param("regex") ;
if ( $text_to_be_matched =~ m/$regex/ ) {
print "$text_to_be_matched matches $regex";
}
else {
print "$text_to_be_matched does not match $regex";
}

Is that what you want?

But be aware, it is also possible to call your script with an evil
$regex, e.g. by using the (?{...}) construct.

Be aware that this is untrue.

The compilation of the (?{...}) construct is disabled by default in
regexes that include interpolated variables.

To use (?{...}) in an interpolated regex you need to "use re 'eval'" or
precompile the (?{...}) components using qr// then interpolate them.
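As an added illustration of the points made in this thread (this is not code from any poster): the pattern is matched in-process, so no shell command is ever built from the tainted parameters, a malformed pattern is trapped with eval instead of killing the request, and the last sample input shows Perl itself refusing a (?{...}) block interpolated from a plain string because "use re 'eval'" is not in effect. The inputs are constructed stand-ins for the $cgi->param(...) values.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Compile the user-supplied pattern once. A syntax error, or a (?{...})
# eval-group arriving through interpolation without "use re 'eval'",
# makes qr// die; eval turns that into a reportable error instead of a
# dead CGI request. Returns ($compiled, undef) or (undef, $error).
sub compile_user_regex {
    my ($regex) = @_;
    my $re = eval { qr/$regex/ };
    if ( !defined $re ) {
        chomp( my $err = $@ );
        return ( undef, $err );
    }
    return ( $re, undef );
}

# Decide whether $text matches $regex entirely inside this process,
# so quoting rules of the shell never come into play.
sub check_match {
    my ( $text, $regex ) = @_;
    my ( $re, $err ) = compile_user_regex($regex);
    return "invalid pattern: $err" if defined $err;
    return $text =~ $re
        ? "$text matches $regex"
        : "$text does not match $regex";
}

# Constructed sample inputs standing in for the two CGI parameters.
my $text = "hello world";
for my $regex ( 'wor.d', '^\d+$', 'wor(ld', '(?{ print "code" })' ) {
    print check_match( $text, $regex ), "\n";
}
```

The third pattern reports an unmatched parenthesis, and the fourth reports "Eval-group not allowed at runtime, use re 'eval'", which is the default behaviour Brian describes.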
 
Fabian Pilkowski

* Brian McCauley said:
Be aware that this is untrue.

The compilation of the (?{...}) construct is disabled by default in
regexes that include interpolated variables.

To use (?{...}) in an interpolated regex you need to "use re 'eval'" or
precompile the (?{...}) components using qr// then interpolate them.

I'd read this in perldoc at some time (and also discussed this in some
other threads a long time ago) but didn't think about this here.

thanks for your correction,
fabian
 
