From 2aa59621153fcba1d72d7c7688037f1fdfa7f95f Mon Sep 17 00:00:00 2001 From: www-data Date: Fri, 17 Mar 2006 16:51:14 +0000 Subject: [PATCH] web commit by BrandenRobinson: Explain why letting users specify regexes is bad. --- doc/todo.mdwn | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/todo.mdwn b/doc/todo.mdwn index d4abc832d..d7326854e 100644 --- a/doc/todo.mdwn +++ b/doc/todo.mdwn @@ -23,6 +23,10 @@ is built. (As long as all changes to all pages is ok.) explicitly named pages would be desirable. 2. I think that since we're using Perl on the backend, being able to let users craft their own arbitrary regexes would be good. + + Joey points out that this is actually a security hole, because Perl + regexes let you embed (arbitrary?) Perl expressions inside them. Yuck! + 3. Of course if you do that, you want to have form processing on the user page that lets them tune it, and probably choose literal or glob by default. -- 2.26.2