[2027] in Perl-Users-Digest
security question with regexps
daemon@ATHENA.MIT.EDU (Calvin Clark)
Fri Jun 18 22:21:49 1993
Date: Fri, 18 Jun 93 22:18:55 -0400
From: Calvin Clark <ckclark@mit.edu>
To: perl-users@athena.mit.edu
Dear Perl Gurus,
I'm going to write an addon in perl to use with the SIPB WWW Plexus
server, that will allow people to search the MITSFS Pinkdex for
titles/authors for works in the MITSFS library.  I want to allow people
to do regular expression searches as well as string searches.  My
question is this:
     If I allow a person to specify an arbitrary regular expression and
I match it against lines in the database, can they spoof me and execute
arbitrary commands?  I'm not worried about wiseguys who specify
pathological regular expressions that will take forever to match---I'll
just time them out---but I am concerned about people clever enough to
seize control through some twisted use of a regexp.
-Calvin
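As an added illustration (not code from the original post or from the Plexus addon), the following Perl shows the defensive shape of such a search: the user string is compiled with qr// rather than passed through a string eval, syntax errors and Perl's own refusal of embedded code blocks are caught, and each search is bounded by an alarm. It assumes Perl 5.10 or later and uses constructed catalogue lines.

```perl
#!/usr/bin/perl
# Added example: match a user-supplied regexp against catalogue lines without
# ever treating the user string as Perl source.  Assumes Perl 5.10+.
use strict;
use warnings;

# Compile a user-supplied pattern into a regex object.  Interpolating into
# qr// treats the string as a *pattern*, not as code, so it cannot reach
# system(), open() or backticks.  Perl additionally refuses (?{ ... }) and
# (??{ ... }) code blocks in an interpolated pattern unless the script says
# "use re 'eval'", which this script deliberately never does.
# Returns ($regex, undef) on success or (undef, $error) on failure.
sub compile_user_pattern {
    my ($pattern, $case_insensitive) = @_;
    return (undef, "empty pattern") unless defined $pattern && length $pattern;
    my $re = eval { $case_insensitive ? qr/$pattern/i : qr/$pattern/ };
    return ($re, undef) if defined $re;
    (my $err = $@) =~ s/\s+\z//;
    return (undef, "bad pattern: $err");
}

# Return the lines that match.  The alarm bounds pathological patterns that
# backtrack forever, which the original post planned to handle by timeout.
sub search_lines {
    my ($re, $lines, $timeout) = @_;
    my @hits;
    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm($timeout);
        @hits = grep { $_ =~ $re } @$lines;
        alarm(0);
    };
    alarm(0);
    return (\@hits, $@ eq "timeout\n" ? "search timed out" : undef);
}

# Constructed sample records in "Author -- Title" form (not real Pinkdex data).
my @catalogue = (
    "Asimov, Isaac -- Foundation",
    "Le Guin, Ursula K. -- The Left Hand of Darkness",
    "Niven, Larry -- Ringworld",
);

# Two ordinary searches, one pattern carrying a code block, one malformed.
for my $input ('^(Asimov|Niven)', 'darkness', '(?{ 1 })', '(unclosed') {
    my ($re, $err) = compile_user_pattern($input, 1);
    if ($err) { print "'$input' rejected: $err\n"; next; }
    my ($hits, $serr) = search_lines($re, \@catalogue, 5);
    print "'$input' -> ", ($serr // join("; ", @$hits)), "\n";
}
```

The third input is rejected at compile time with Perl's "Eval-group not allowed at runtime" error, and the fourth with a syntax error; neither ever reaches the matcher.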