Some Perl 5 programs take a regex (in string form) as input, and simply
interpolate it into a regex.

In Perl 6, you'd do that as

my $re = rx/ <$input> /;

But since $input can contain closures, arbitrary code can be executed.
I'd like to propose a way to compile a string to a regex which doesn't
allow code execution.

When the compiler compiles a regex embedded in a normal Perl 6 program,
it somehow has to know about lexical scopes for variable
(non)-interpolation, and about the outer language to parse {...} and
<{...}> closures. So I'd like an API which resets this environmental
information.

For example

my $rx = Regex.new(:string('abc|d'), :safe);

could compile the string 'abc|d' to a regex, disallowing references to
external variables, {...} and <{...}> closures and code in the form of
:my $x = somecode();

If the string is tainted, :safe could be enabled by default.

Do you think it's a good idea? Do the implementers think it's doable
with reasonable effort?

Moritz
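
Until something like the proposed :safe exists, a program can refuse regex source text before interpolating it. The following Perl 6 (Raku) sketch is an added example, not code from the post or from any Perl 6 implementation; the names unsafe-constructs and safe-regex are hypothetical. It fails closed on the constructs the post lists (braces are rejected even inside quotes, so literal ones must be written as \{) and does not cover other code-bearing syntax such as arguments to subrule calls.

```raku
# Added example: fail-closed pre-check for untrusted regex source text.
# unsafe-constructs and safe-regex are hypothetical names.

sub unsafe-constructs(Str $src --> List) {
    # A backslash escape (\{ \$ \: ...) is inert, so drop escapes first.
    my $bare = $src.subst(/ '\\' . /, '', :g);

    my @found;
    # Any remaining brace can open a closure: { }, <{ }>, <?{ }>, "{ }".
    @found.push('closure') if $bare.contains('{');
    # Sigil plus optional twigil and identifier start, or a $( ) form.
    # A bare $ anchor, $<name> and $0 are not flagged.
    @found.push('variable')
        if $bare ~~ / <[$@%&]> [ <[*?!.^=~:]>? <alpha> | '(' ] /;
    # :my $x = somecode(); and the other in-regex declarators.
    @found.push('declaration')
        if $bare ~~ / ':' [ my | our | state | constant | temp | let ] >> /;
    @found.List
}

sub safe-regex(Str $src --> Regex) {
    my @why = unsafe-constructs($src);
    die 'refusing regex source, contains: ' ~ @why.join(', ') if @why;
    rx/ <$src> /    # same interpolation as in the post, now pre-checked
}

# Constructed sample inputs, not taken from any real program.
my @samples =
    'abc|d',
    'a { say "hi" } b',
    'x <{ run() }> y',
    ':my $x = somecode(); a',
    'foo $bar',
    '\{ \$ a $';

for @samples -> $s {
    my @why = unsafe-constructs($s);
    say $s.raku, ' => ', @why ?? @why.join(', ') !! 'accepted';
}
```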
