From: www-data Date: Mon, 3 Apr 2006 15:39:15 +0000 (+0000) Subject: web commit by WillThompson: Safety of arbitrary regexen X-Git-Tag: 1.0~82 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=13722d7b7656f84a95a43db1d6e2fc0b5828c8d9;p=ikiwiki.git web commit by WillThompson: Safety of arbitrary regexen --- diff --git a/doc/todo/mailnotification.mdwn b/doc/todo/mailnotification.mdwn index 5aae98894..858141008 100644 --- a/doc/todo/mailnotification.mdwn +++ b/doc/todo/mailnotification.mdwn @@ -13,6 +13,24 @@ Should support mail notification of new and changed pages. Joey points out that this is actually a security hole, because Perl regexes let you embed (arbitrary?) Perl expressions inside them. Yuck! +(This is not actually true unless you "use re 'eval';", without which +(?{ code }) is disabled for expressions which interpolate variables. +See perldoc re, second paragraph of DESCRIPTION. It's a little iffy +to allow arbitrary regexen, since it's fairly easy to craft a regular +expression that takes unbounded time to run, but this can be avoided +with the use of alarm to add a time limit. Something like + + eval { # catches invalid regexen + no re 'eval'; # to be sure + local $SIG{ALRM} = sub { die }; + alarm(1); + ... stuff involving m/$some_random_variable/ ... + alarm(0); + }; + if ($@) { ... handle the error ... } + +should be safe. --[[WillThompson]]) + It would also be good to be able to subscribe to all pages except discussion pages or the SandBox: `* !*/discussion !sandobx`, maybe --[[Joey]] 3. Of course if you do that, you want to have form processing on the user