如何安全地使用来自用户输入的正则表达式? [英] How can I safely use regexes from user input?
问题描述
我的(基于 Perl 的)应用程序需要让用户输入正则表达式,以匹配幕后的各种字符串.到目前为止,我的计划是将字符串用类似的东西包裹起来
$regex = eval { qr/$text/};如果(我的 $error = $@){# mangle $error 提取面向用户的消息($text 已经提前去除了换行符,因为它实际上是我split 的多行文本字段中的多个正则表达式).
这样做是否有任何潜在的安全风险 - 一些可能导致任意代码执行的奇怪输入?(除了 CVE-2007-5116 等正则表达式引擎中的缓冲区溢出漏洞).如果是这样,有没有办法减轻它们?
有没有更好的方法来做到这一点?任何帮助抽象将用户输入转换为正则表达式的操作的 Perl 模块(例如提取错误消息......或提供像 /i 这样的修饰符,我在这里并不严格需要,但会好的)?我搜索了 CPAN 并没有找到太多有希望的东西,但我认为我错过了一些东西.
使用 (?{ code }) 结构,用户输入可用于执行任意代码.请参阅 perlre#code 中的示例及其说明
local $cnt = $cnt + 1,用表达式替换
system("rm -rf/home/fennec");打印 "哈哈.\n";(实际上,不要那样做.)
My (Perl-based) application needs to let users input regular expressions, to match various strings behind the scenes. My plan so far has been to take the string and wrap it in something like
$regex = eval { qr/$text/ };
if (my $error = $@) {
# mangle $error to extract user-facing message
($text having been stripped of newlines ahead of time, since it's actually multiple regular expressions in a multi-line text-field that I split).
Are there any potential security risks with doing this - some weird input that could lead to arbitrary code execution? (Besides the buffer overflow vulnarabilities in the regular expression engines like CVE-2007-5116). If so, are there ways to mitigate them?
Is there a better way to do this? Any Perl modules which help abstract the operations of turning user input into regular expressions (such as extracting error messages ... or providing modifiers like /i, which I don't strictly need here, but would be nice)? I searched CPAN and didn't find much that was promising, but entertain the possibility that I missed something.
With the (?{ code }) construct, user input could be used to execute arbitrary code. See the example in perlre#code and where it says
local $cnt = $cnt + 1,
replace it with the expression
system("rm -rf /home/fennec"); print "Ha ha.\n";
(Actually, don't do that.)
这篇关于如何安全地使用来自用户输入的正则表达式?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
