
proto-patch for -V:<regex> tests

From: Jim Cromie
Date: October 17, 2003 09:48
Subject: proto-patch for -V:<regex> tests
Message ID: 3F901D47.8090105@divsol.com

attached patch has 2 new tests -

1st appears to show that the -V:<regex> construct is safe from abuses like

    -V:(?{system 'rm -rf /'})

the 2nd exhibits a regex parse problem I can't fathom.

    ok 24 - regex protected against cmdline DOS
    # /usr/local/bin/perl "-I../lib" '-V:abuse.*(?{print qq{Danger Will Robinson!}})'
    Sequence (?{...}) not terminated or not {}-balanced in regex; marked by <-- HERE in m/^abuse.*(?{ <-- HERE print=/ at ../lib/Config.pm line 1244.
    Attempt to free unreferenced scalar.
    res:
    not ok 25 - paranoid taint # TODO borked due to quoting errors, or something else ??
    # Failed at t/run/switches.t.new line 246
    #      got ''
    # expected /(?-xism:)/


I saw various regex Sequence tests, but they don't help me see why mine is failing.

    ext/re/re_comp.c:            vFAIL("Sequence (?{...}) not terminated or not {}-balanc



the patch also contains a commented out test - for an embedding-friendly flavor
of -V:ccflags: that I sent some weeks ago (9/24). While Yitzchak liked it,
Robin also offered a nearby patch, that AMS didn't like.

This patch debunks my notions of re-proposing that previous patch under
the 'security' rubric.

thx.

