web commit by WillThompson: Safety of arbitrary regexen
www-data
parent
98eb183cf7
commit
13722d7b76
|
|
@ -13,6 +13,24 @@ Should support mail notification of new and changed pages.
|
||||||
Joey points out that this is actually a security hole, because Perl
|
Joey points out that this is actually a security hole, because Perl
|
||||||
regexes let you embed (arbitrary?) Perl expressions inside them. Yuck!
|
regexes let you embed (arbitrary?) Perl expressions inside them. Yuck!
|
||||||
|
|
||||||
|
(This is not actually true unless you "use re 'eval';", without which
|
||||||
|
(?{ code }) is disabled for expressions which interpolate variables.
|
||||||
|
See perldoc re, second paragraph of DESCRIPTION. It's a little iffy
|
||||||
|
to allow arbitrary regexen, since it's fairly easy to craft a regular
|
||||||
|
expression that takes unbounded time to run, but this can be avoided
|
||||||
|
with the use of alarm to add a time limit. Something like
|
||||||
|
|
||||||
|
eval { # catches invalid regexen
|
||||||
|
no re 'eval'; # to be sure
|
||||||
|
local $SIG{ALRM} = sub { die };
|
||||||
|
alarm(1);
|
||||||
|
... stuff involving m/$some_random_variable/ ...
|
||||||
|
alarm(0);
|
||||||
|
};
|
||||||
|
if ($@) { ... handle the error ... }
|
||||||
|
|
||||||
|
should be safe. --[[WillThompson]])
|
||||||
|
|
||||||
It would also be good to be able to subscribe to all pages except discussion pages or the SandBox: `* !*/discussion !sandobx`, maybe --[[Joey]]
|
It would also be good to be able to subscribe to all pages except discussion pages or the SandBox: `* !*/discussion !sandobx`, maybe --[[Joey]]
|
||||||
|
|
||||||
3. Of course if you do that, you want to have form processing on the user
|
3. Of course if you do that, you want to have form processing on the user
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue