How do I safely use a regular expression from user input?

My (Perl-based) application needs to let users input regular expressions, to match various strings behind the scenes. My plan so far has been to take the string and wrap it in something like

    $regex = eval { qr/$text/ };
    if (my $error = $@) {
        # mangle $error to extract user-facing message
    }

($text having been stripped of newlines ahead of time, since it's actually multiple regular expressions in a multi-line text field that I split).

Are there any potential security risks with doing this - some weird input that could lead to arbitrary code execution? (Besides the buffer overflow vulnerabilities in regular expression engines like CVE-2007-5116.) If so, are there ways to mitigate them?

Is there a better way to do this? Any Perl modules which help abstract the operations of turning user input into regular expressions (such as extracting error messages ... or providing modifiers like /i, which I don't strictly need here, but would be nice)? I searched CPAN and didn't find much that was promising, but entertain the possibility that I missed something.

Solution

With the (?{ code }) construct, user input could be used to execute arbitrary code. See the example in perlre#code and where it says

    local $cnt = $cnt + 1,

replace it with the expression

    system("rm -rf /home/fennec"); print "Ha ha.\n";

(Actually, don't do that.)

08-30 22:41
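The following is an added example, not code from the question or the answer above, showing how the questioner's eval/qr plan and the answer's warning about (?{ code }) fit together in working Perl. The names compile_user_regex and match_with_timeout and the sample patterns are constructed for this illustration. It relies on two things: perl itself refuses to compile a (?{...}) or (??{...}) block that arrives through string interpolation unless `use re 'eval'` is in scope, and an alarm around the match bounds backtracking time. The timeout assumes a perl whose regex engine honours deferred signals (modern perls do; on old 5.8-era perls a long match may run to completion before the handler fires).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# compile_user_regex: turn an untrusted pattern string into a qr// object.
# Returns ($re, undef) on success or (undef, $message) on failure, where
# $message is perl's regex diagnostic with the "at FILE line N" suffix removed
# so it can be shown to the user as-is.
#
# Security notes (assumptions of this added example):
#  * perl refuses (?{...}) / (??{...}) that come from string interpolation
#    unless `use re 'eval'` is in effect, so rule one is: never enable that
#    pragma anywhere near this code.
#  * The explicit check below is defence in depth with a clearer message. It
#    is deliberately conservative and also rejects a literal "(?{" inside a
#    character class.
sub compile_user_regex {
    my ($text) = @_;

    return (undef, "code blocks (?{...}) and (??{...}) are not allowed")
        if $text =~ /\(\?\??\{/;

    # Arbitrary size cap for this example, so a huge pattern is rejected
    # before the engine allocates for it.
    return (undef, "pattern too long") if length($text) > 1000;

    local $@;
    my $re = eval { qr/$text/ };
    if (!defined $re) {
        my $msg = $@;
        $msg =~ s/ at \S+ line \d+\.?\s*\z//s;   # drop the script location
        chomp $msg;
        return (undef, $msg);
    }
    return ($re, undef);
}

# match_with_timeout: run $re against $string, abandoning the match if it
# exceeds $seconds (guards against catastrophic backtracking).
# Returns 1 for match, 0 for no match, undef if the timeout fired.
sub match_with_timeout {
    my ($re, $string, $seconds) = @_;
    $seconds ||= 1;
    my $matched;
    local $@;
    my $ok = eval {
        local $SIG{ALRM} = sub { die "regex timeout\n" };
        alarm $seconds;
        $matched = ($string =~ $re) ? 1 : 0;
        alarm 0;
        1;
    };
    alarm 0;    # make sure no alarm is left pending if the eval died
    return unless $ok;
    return $matched;
}

# Constructed sample inputs: a normal pattern, an injection attempt,
# a malformed pattern, and a pattern that can backtrack heavily.
my @samples = (
    'fo+',
    '(?{ system("id") })',
    'a(b',
    '(a+)+$',
);

my $subject = ('a' x 30) . '!';   # constructed subject string
for my $text (@samples) {
    my ($re, $err) = compile_user_regex($text);
    if ($err) {
        print "REJECT  $text : $err\n";
        next;
    }
    my $r = match_with_timeout($re, $subject, 2);
    print "ACCEPT  $text : ",
        (defined $r ? ($r ? 'match' : 'no match') : 'timed out'), "\n";
}

# perl's own guard, shown without the explicit check: interpolating a string
# that carries a code block is refused unless `use re 'eval'` is on.
{
    my $injected = '(?{ system("id") })';
    my $re = eval { qr/$injected/ };
    print "perl refused it: $@" if !defined $re;
}
```

If the users only ever need a literal substring rather than a full regex, wrapping the input in \Q...\E (quotemeta) removes both the code-block and the backtracking concerns at once; the timeout is only needed when genuine regex syntax is accepted.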