Date: Sat, 29 Sep 2001 15:15:35 -0400
From: Benjamin Goldberg
Subject: Re: Security of letting user specify regex in CGI script?
Message-Id: <3BB61DD7.BEE850E0@earthlink.net>

Jay McGavren wrote:
>
> > I think Text::Query goes in the right direction, though I haven't
> > tried it myself.
>
> Aha! It looks perfect!
>
> > BTW there's no need to create one regex of it. After all, perl knows
> > eval, so it's easy to create a sub that checks if a string matches
> > your requirements. For example, "a and (b or c)" can be converted to
> >
> > $query = eval "sub { /\ba\b/ and (/\bb\b/ or /\bc\b/) }";
>
> True, but letting the user specify any portion of an eval gives me the
> jitters.

The solution then is to either not do that, or to use quotemeta:

use strict;
use warnings;

my $query = "a and (b or c)";
# split() with a capturing group keeps the separators: literals land at
# even indices, runs of operators/parens at odd indices.
my @words = split /((?:\s*(?:[()]|\band\b|\bor\b)\s*)+)/, $query;
my $eval = "";
for my $i ( 0 .. $#words ) {
   if( $i & 1 ) {
      $eval .= $words[$i]; # (, ), and, or or.
   } else {
      # A query that starts with "(" yields an empty leading literal;
      # emitting m[\b\b] for it would make the eval'd text a syntax error.
      next if $words[$i] eq '';
      #$eval .= ' m[\b$words[' . $i . ']\b] ';
      #produces eval 'sub { m[\b$words[0]\b] and ( ...';
      $eval .= " m[\\b\Q$words[$i]\E\\b] ";   # \Q..\E quotemetas the literal
   }
}
my $matcher = eval "sub {$eval}";   # not "my $query" again: already declared above
die "malformed query: $@" if $@;    # e.g. "a and and b" is a syntax error, not a match

Surrounding the literal sections in \Q\E should make it safe to eval.

--
"I think not," said Descartes, and promptly disappeared.
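As an added example (not from the original thread) of the "not do that" option: the same `a and (b or c)` query compiled into closures by a small recursive-descent parser, so no user-controlled text ever reaches a string eval, while word literals are still neutralised with \Q...\E. The function name `compile_query` and its tokenizer are my own construction.

```perl
use strict;
use warnings;

# Added example: parse "a and (b or c)" into closures instead of eval'ing
# generated source. Grammar: expr := term ('or' term)*; term := atom ('and' atom)*;
# atom := '(' expr ')' | WORD. 'and' binds tighter than 'or'.
sub compile_query {
    my ($query) = @_;
    # Constructed tokenizer: parens, the keywords, or a run of non-space chars.
    my @tokens = $query =~ /\(|\)|\band\b|\bor\b|[^\s()]+/g;
    my $pos = 0;
    my $peek = sub { defined $tokens[$pos] ? $tokens[$pos] : '' };

    my ($expr, $term, $atom);
    $atom = sub {
        my $tok = $tokens[$pos++];
        die "unexpected end of query\n" unless defined $tok;
        if ($tok eq '(') {
            my $inner = $expr->();
            my $close = $tokens[$pos++];
            die "missing ')'\n" unless defined $close && $close eq ')';
            return $inner;
        }
        die "unexpected '$tok'\n" if $tok eq ')' || $tok eq 'and' || $tok eq 'or';
        my $re = qr/\b\Q$tok\E\b/;      # literal word; metacharacters are escaped
        return sub { $_[0] =~ $re ? 1 : 0 };
    };
    $term = sub {
        my @ops = ($atom->());
        while ($peek->() eq 'and') { $pos++; push @ops, $atom->() }
        return sub { my $s = shift; for (@ops) { return 0 unless $_->($s) } 1 };
    };
    $expr = sub {
        my @ops = ($term->());
        while ($peek->() eq 'or') { $pos++; push @ops, $term->() }
        return sub { my $s = shift; for (@ops) { return 1 if $_->($s) } 0 };
    };
    my $matcher = $expr->();
    die "trailing input '$tokens[$pos]'\n" if $pos < @tokens;
    return $matcher;
}

my $match = compile_query('a and (b or c)');
print $match->('c a') ? "match\n" : "no match\n";    # match
print $match->('a')   ? "match\n" : "no match\n";    # no match
# Hostile input: ".*" stays a literal, and the unbalanced "(" is a parse
# error raised by our code, not a syntax error inside a string eval.
eval { compile_query('.* or (x') };                  # eval BLOCK, not eval STRING
print "rejected: $@" if $@;
```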