Missing Something.

Mark Fowler mark at twoshortplanks.com
Mon Oct 1 16:37:17 BST 2007


On 1 Oct 2007, at 15:51, Rafael Garcia-Suarez wrote:

> But, most importantly, have you remarked that your CGI script
> allows *arbitrary* source code execution through the chester_userid
> parameter, and opens a huge security hole?

No, it doesn't, not on my perl anyway.

travis:~/bf mark$ perl -e '/(??{print "hi\n"})/'
hi
travis:~/bf mark$ perl -e '$a = q<(??{print "hi\n"})>; /$a/'
Eval-group not allowed at runtime, use re 'eval' in regex m/(??{print "hi\n"})/ at -e line 1.

OTOH, you could put a regex in there that runs for a very long time or chews up a lot of memory.

Mark.
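Added illustration (not part of either mail, and not the CGI script under discussion): a small script that contrasts interpolating a parameter straight into a pattern with an allow-listed, \Q...\E-quoted version. The parameter values and the match_unsafe/match_safe names are made up for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample parameter values: a normal user ID, one shaped like a
# regex eval-group, and one that backtracks heavily on long runs of "a".
my @params = ( 'alice', '(??{print "hi\n"})', '(a+)+$' );

# Unsafe: the parameter is interpolated as pattern syntax. The eval-group
# dies at runtime (perl blocks it unless the script says use re 'eval'),
# but any other regex construct in the parameter is honoured as written,
# including ones that take a very long time or a lot of memory to match.
sub match_unsafe {
    my ($userid, $line) = @_;
    return $line =~ /$userid/ ? 1 : 0;
}

# Hardened: reject anything outside a strict allow-list first, then quote
# the value with \Q...\E so every remaining character matches literally.
sub match_safe {
    my ($userid, $line) = @_;
    die "invalid userid\n" unless $userid =~ /\A\w{1,32}\z/;
    return $line =~ /\Q$userid\E/ ? 1 : 0;
}

for my $p (@params) {
    for my $fn ( [ 'unsafe', \&match_unsafe ], [ 'safe', \&match_safe ] ) {
        my ($name, $code) = @$fn;
        my $r = eval { $code->($p, 'alice') };
        printf "%-6s %-20s -> %s", $name, $p,
            defined $r ? "$r\n" : "died: $@";
    }
}
```

With the constructed inputs, only 'alice' reaches the match in match_safe; the other two are rejected before any pattern is compiled.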

