On Wed Oct 29 06:33:22 2014, DAMI wrote:
> On Mon Oct 27 23:53:46 2014, ISHIGAKI wrote:
>
> > Thanks for both. Confirmed they (especially the latter) cause serious
> > issues.
>
> Hi Kenichi,
>
> Did you actually try these code injections? I did, and the code would
> not let them pass, so I'm interested to understand on which basis you
> confirmed that there was a serious issue.
For the record for everyone reading this thread, I sent him a private email to show the exact code I used to confirm.
>
> The addition of quotemeta() is not appropriate because it defeats the
> purpose of the MATCH operator: now if you write a query like "WHERE c
> MATCH '[rst]'", you don't get any result, because the square brackets
> are quoted and are no longer interpreted as a character class. For the
> same reason, you were obliged to tweak the test '^.i' ... but then
> it's no longer a regex!
>
> Anyway, even if I still maintain that the implementation was safe,
> because the interpolation only happened in a very controlled
> environment, I nevertheless agree that an eval containing user-
> supplied strings is always scary, and I very well understand that
> security is a big concern for you as a release manager. But meanwhile
> I thought about this ticket and realized that there is no need for
> variable interpolation: the desired behaviour can be much better
> implemented through a closure, and then there is no risk of code
> injection (because Perl doesn't do double interpolation).
>
> So I propose the following: I will commit this new implementation in
> a separate branch, and add a few tests to make sure that the MATCH
> operator properly handles common regex idioms like character classes,
> anchors, etc. Then I'll leave it to you to merge that into trunk if
> you agree with the approach.
Looking forward to it.
>
> Hope this will satisfy everybody.
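An added illustration of the closure approach described in the thread (this is not DBD::SQLite's own code, and `register_match`, the table `t` and its rows are constructed for the example): the user-supplied pattern is compiled with `qr//` inside a closure registered as the `match()` function, so it is only ever treated as a regex, never as Perl source, while character classes and anchors keep their meaning.

```perl
use strict;
use warnings;
use DBI;

# Hypothetical helper: register a MATCH implementation backed by a closure.
# SQLite rewrites "x MATCH y" as match(y, x), so the pattern is argument 1.
sub register_match {
    my ($dbh) = @_;
    my $match = sub {
        my ($pattern, $value) = @_;
        return undef unless defined $pattern && defined $value;
        # qr// interpolates the pattern once as a regex. Perl does not
        # interpolate again, and (?{ ... }) blocks in an interpolated string
        # are refused unless "use re 'eval'" is in effect, so the pattern
        # cannot become code. A malformed pattern simply fails to compile.
        my $re = eval { qr/$pattern/ };
        return 0 unless defined $re;
        return $value =~ $re ? 1 : 0;
    };
    $dbh->sqlite_create_function('match', 2, $match);
}

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
register_match($dbh);

# Constructed sample data.
$dbh->do('CREATE TABLE t (c TEXT)');
$dbh->do('INSERT INTO t VALUES (?)', undef, $_) for qw(rabbit sizzle ticket mango);

# Character classes and anchors behave as regex idioms, unlike a
# quotemeta()-escaped pattern, which would match none of these rows.
for my $pat ('[rst]', '^.i', '^m') {
    my $rows = $dbh->selectcol_arrayref(
        'SELECT c FROM t WHERE c MATCH ? ORDER BY c', undef, $pat);
    print "$pat -> @$rows\n";
}
```

Running this prints `rabbit sizzle ticket` for `[rst]`, `sizzle ticket` for `^.i` and `mango` for `^m`.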