D. Bolliger:
> Dr.Ruud:
>> D. Bolliger:
>>> # input sanitizing
>>> #
>>> my $re_range=qr/\d+\s*\.\.\s*\d+/;
>>> $user_input=~/^\s*$re_range(?:\s*,\s*$re_range)*\s*$/
>>>     or die 'invalid input!';
>>>
>>> my @list4=eval $user_input;
>>
>> An embedded newline can fool that test.
>>
>> You can make it much stricter,
>> by replacing the \s by [[:blank:]],
>> and the ending $ by \z.
>>
>> $re_range = qr/ [[:blank:]]*
>>                 \d+
>>                 [[:blank:]]*
>>                 \.\.
>>                 [[:blank:]]*
>>                 \d+
>>                 [[:blank:]]*
>>               /x ;
>>
>> $re_input = qr/\A $re_range (?: , $re_range )* \z/x ;
>
> Yes, you are right that space other than ' ' can pass this test, and
> if only single line input is allowed, it is certainly better to
> implement the restrictions accordingly.
>
> On the other side, even newlines (that pass the test) lead to a
> string that evals without error.
You're right, a trailing \n doesn't create danger here. I wrongly thought
that a string like "1..10\n;`rm -rf /`" would match, but it doesn't
(without an m-modifier).

> In other contexts, say checking an alphanumeric string intended to be
> used in a mail header passed to sendmail, using \s instead of
> [[:blank:]] would be a bad idea.

Such data needs to be prepared before using it. Disarm all embedded CRLF,
CR and LF (and \ck) by replacing them by SP. A simple approach:

  s/\s+/ /g, s/ +/ /g ;

When working with a received message, header fields are best unfolded
before doing any checks. See Mail::Header and MIME::Head and alike.

-- 
Affijn, Ruud

"Gewoon is een tijger."
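The following is an added example, not code from the thread: it runs the original loose pattern and Ruud's stricter one side by side over constructed inputs, builds the range list with split instead of eval, and includes a small header-disarming helper along the lines of the s/\s+/ /g suggestion (the helper name and the sample strings are this example's own).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Loose check as posted: \s also matches "\n", and $ matches before a final "\n".
my $re_range_loose = qr/\d+\s*\.\.\s*\d+/;
my $re_input_loose = qr/^\s*$re_range_loose(?:\s*,\s*$re_range_loose)*\s*$/;

# Stricter check: [[:blank:]] is space/tab only, \A and \z are true string ends.
my $re_range = qr/ [[:blank:]]* \d+ [[:blank:]]* \.\. [[:blank:]]* \d+ [[:blank:]]* /x;
my $re_input = qr/\A $re_range (?: , $re_range )* \z/x;

# Validate, then build the pairs with split and capture; no eval, so the
# input is never treated as Perl code even if a check is ever loosened.
sub parse_ranges {
    my ($input) = @_;
    return unless $input =~ $re_input;
    my @pairs;
    for my $range (split /,/, $input) {
        my ($lo, $hi) = $range =~ /(\d+)/g;
        push @pairs, [$lo, $hi];
    }
    return \@pairs;
}

# Header-field preparation (hypothetical helper): fold every run of
# whitespace, including CR, LF and VT (\x0B, i.e. \ck, which older
# Perls do not include in \s), into a single space.
sub disarm_header {
    my ($value) = @_;
    $value =~ s/[\s\x0B]+/ /g;
    return $value;
}

# Constructed inputs: the first three are well-formed (tab is a blank),
# the last two carry newlines that the loose pattern tolerates.
my @samples = (
    "1..10",
    "1 .. 3, 7..9",
    "1..10\t",
    "1..10\n",        # trailing newline: $ matches before it, \z does not
    "1..\n10",        # embedded newline: \s accepts it, [[:blank:]] does not
);

for my $s (@samples) {
    my $loose  = $s =~ $re_input_loose ? 'pass' : 'fail';
    my $strict = parse_ranges($s)     ? 'pass' : 'fail';
    (my $shown = $s) =~ s/([\t\n])/$1 eq "\t" ? '\\t' : '\\n'/ge;
    printf "%-16s loose=%s strict=%s\n", qq("$shown"), $loose, $strict;
}
print disarm_header("Subject: hi\r\nBcc: someone"), "\n";
```

The two newline cases print loose=pass strict=fail, which is the gap the thread is about; the header line comes out as one line with the CRLF replaced by a space.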