Vulnerability Development mailing list archives
Re: execution inside of Perl reg ex?
From: Pascal Bouchareine <pb () T-ONLINE FR>
Date: Thu, 4 Jan 2001 18:08:46 +0100
Well, I'm certainly wrong on some points but I came to the following point of view (which I'd love you to clarify if I misunderstood some facts).

IMHO, perl first evals any special chars (backquotes and the like), interprets your line, and once it knows exactly what to do with your input line, expands scalars and variables. Thus, meta-characters and backquotes are not interpreted, since the interpreter looked for them before the $variable expansion.

If your line is a function call, and this function has character conventions with special meanings (such as open() and |, or (?{}) in a regexp for example), this gets dangerous. Perl changed this, as Cypher stated, it would give:

    Eval-group not allowed at runtime, use re 'eval' at ./test.pl line 12.

Another way to see this point is evaluated code. If you happen to feed a script interpreter with user input (such as ``/system() or eval(), which is a perl interpreter inside the perl interpreter), then it gets dangerous.

Another last point may be twice-evaluated things. For example, with double calls to uncgi(), where %250d is "magically" translated to %0d.

So: $n =~ /$user_input/ doesn't sound dangerous yet (we didn't find any // bug, for now :), but may be one day..

This is also true with script-shells in CGI:

    #!/bin/sh
    ##
    echo $INPUT_STRING

This isn't tricked with "first-layer (the shell)" meta-characters, since it will look for them before expanding $INPUT_STRING, but could be if the "second-layer (echo)" had special interpretation of some characters or if a bug was discovered in echo.

User input should be trusted as much as you trust your scripting languages and sub-layers: I choose not to trust it at all.

\Q \E is safe (for the moment) and is supplied as a "don't trust it" keyword for perl. Sounds really better than nothing.

On Wed, Jan 03, 2001 at 10:34:18AM +0000, sporty o'one wrote:
> this is exactly the reason for \Q\E so \Q$this\E is safe
>
> > As an operator, Perl will shell any command you put inside back quotes and return the result of the shelled command. I assume this would work inside a regular expression, but I haven't tried.
-- Kalou. .ascii "T[fhBOfXf5B@f1ChjAX4APPZHf1Chfh/xh/tmpT[RSTYjOX4D2p"
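
An added example, not part of the original post or thread: it compares interpolating untrusted text into a pattern as-is with interpolating it under \Q...\E, including the (?{}) case that Perl refuses at runtime. The helper names match_raw and match_quoted and all sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample inputs standing in for untrusted user data.
my @inputs = (
    'foo.bar',                 # '.' is a regex metacharacter
    'a(',                      # unbalanced paren: invalid as a pattern
    '(?{ $main::ran = 1 })',   # eval-group with a harmless body
);

# Constructed subject text that contains the second and third inputs literally.
my $subject = 'fooXbar a( (?{ $main::ran = 1 })';

our $ran = 0;   # would become 1 only if the eval-group body executed

# Hypothetical helper: use untrusted text as a pattern, trapping errors.
sub match_raw {
    my ($text, $pat) = @_;
    my $hit = eval { $text =~ /$pat/ ? 1 : 0 };
    return defined $hit ? $hit : "refused: $@";
}

# Hypothetical helper: match untrusted text literally via \Q...\E.
sub match_quoted {
    my ($text, $pat) = @_;
    return $text =~ /\Q$pat\E/ ? 1 : 0;
}

for my $in (@inputs) {
    my $raw = match_raw($subject, $in);
    $raw =~ s/ at \S+ line \d+\.\n?\z//;   # trim the file/line suffix
    printf "%-24s raw=%s\n", $in, $raw;
    printf "%-24s quoted=%d\n", '', match_quoted($subject, $in);
}
print "eval-group body ran: ", ($ran ? "yes" : "no"), "\n";
```

Unquoted, 'foo.bar' matches "fooXbar" because the dot is a wildcard, 'a(' fails to compile, and the (?{}) input is rejected with the "Eval-group not allowed at runtime" error; under \Q...\E all three are compared as literal text and the eval-group body never runs.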