author | Ilya Zakharevich <ilya@math.berkeley.edu> | 1998-07-09 14:47:25 -0400 |
---|---|---|
committer | Gurusamy Sarathy <gsar@cpan.org> | 1998-07-11 23:43:37 +0000 |
commit | 2cd61cdbd64958437da8294b84109bc8b63ab360 (patch) | |
tree | c77caa477be19c09cbca09e677a56b48de14cce2 /ext/re | |
parent | 1e509ade7aa6b4feabef1bbe58cd68a39b4085af (diff) | |
download | perl-2cd61cdbd64958437da8294b84109bc8b63ab360.tar.gz |
add patch, along with all the missing bits, and doc tweaks
Message-Id: <199807092247.SAA06314@monk.mps.ohio-state.edu>
Subject: Re: [PATCH 5.004_71] Secure RE update
p4raw-id: //depot/perl@1444
Diffstat (limited to 'ext/re')
-rw-r--r-- | ext/re/re.pm | 37 |
1 files changed, 30 insertions, 7 deletions
diff --git a/ext/re/re.pm b/ext/re/re.pm index 53873fca4c..a033d97c94 100644 --- a/ext/re/re.pm +++ b/ext/re/re.pm @@ -11,17 +11,22 @@ re - Perl pragma to alter regular expression behaviour use re 'taint'; ($x) = ($^X =~ /^(.*)$/s); # $x is tainted here + $pat = '(?{ $foo = 1 })'; use re 'eval'; - /foo(?{ $foo = 1 })bar/; # won't fail (when not under -T switch) + /foo${pat}bar/; # won't fail (when not under -T switch) { no re 'taint'; # the default ($x) = ($^X =~ /^(.*)$/s); # $x is not tainted here no re 'eval'; # the default - /foo(?{ $foo = 1 })bar/; # disallowed (with or without -T switch) + /foo${pat}bar/; # disallowed (with or without -T switch) } + use re 'debug'; + /^(.*)$/s; # output debugging info + # during compile and run time + =head1 DESCRIPTION When C<use re 'taint'> is in effect, and a tainted string is the target 
@@ -31,11 +36,29 @@ on tainted data aren't meant to extract safe substrings, but to perform other transformations. When C<use re 'eval'> is in effect, a regex is allowed to contain -C<(?{ ... })> zero-width assertions (which may not be interpolated in -the regex). That is normally disallowed, since it is a potential security -risk. Note that this pragma is ignored when perl detects tainted data, -i.e. evaluation is always disallowed with tainted data. See -L<perlre/(?{ code })>. +C<(?{ ... })> zero-width assertions even if regular expression contains +variable interpolation. That is normally disallowed, since it is a +potential security risk. Note that this pragma is ignored when the regular +expression is obtained from tainted data, i.e. evaluation is always +disallowed with tainted regular expresssions. See L<perlre/(?{ code })>. + +For the purpose of this pragma, interpolation of preexisting regular +expressions is I<not> considered a variable interpolation, thus + + /foo${pat}bar/ + +I<is> allowed if $pat is a preexisting regular expressions, even +if $pat contains C<(?{ ... })> assertions. + +When C<use re 'debug'> is in effect, perl emits debugging messages when +compiling and using regular expressions. The output is the same as that +obtained by running a C<-DDEBUGGING>-enabled perl interpreter with the +B<-Dr> switch. It may be quite voluminous depending on the complexity +of the match. +See L<perldebug/"Debugging regular expressions"> for additional info. + +I<The directive C<use re 'debug'> is not lexically scoped.> It has +both compile-time and run-time effects. See L<perlmodlib/Pragmatic Modules>. |
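Review bot: in the SYNOPSIS hunk (@@ -11,17 +11,22 @@), the comments on the two `/foo${pat}bar/` lines still key on the -T switch ("won't fail (when not under -T switch)"), while the revised DESCRIPTION says the pragma is ignored "when the regular expression is obtained from tainted data". The two should agree: with `$pat` assigned from a quoted literal as shown, a reader cannot tell whether running under -T is enough to disable the match or only a tainted `$pat` is, so the comment would be better worded in terms of `$pat` being tainted. The synopsis also shows `$pat` only as a plain string; a companion line where `$pat` holds a preexisting regular expression would illustrate the exception the DESCRIPTION now documents. Finally, the `use re 'debug'` example follows a lexically scoped block directly, so a comment there saying it is not lexically scoped would prevent a wrong inference.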
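Review bot: in the DESCRIPTION hunk (@@ -31,11 +36,29 @@), "preexisting regular expressions" in the paragraph added after "potential security risk" is never defined, and since it is the exception to a security restriction the text should say what makes `$pat` a preexisting regular expression rather than a string; the synopsis assigns `$pat` a quoted string, which the examples treat as needing `use re 'eval'`. Three wording slips in the added lines: "even if regular expression contains" needs an article, "expresssions" is misspelled, and "a preexisting regular expressions" should be singular. The `use re 'debug'` paragraph states the directive is not lexically scoped but does not say whether or how it can be switched off again; one sentence on that would complete it.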