From: Abigail Date: Wed, 6 Jan 2010 17:19:11 +0000 (+0100) Subject: Document that interpolating a '(??{ code })' construct in a regular X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=commitdiff_plain;h=0b370c0a264633281d21c8cf13f698b896d74ce6;p=p5sagit%2Fp5-mst-13.2.git Document that interpolating a '(??{ code })' construct in a regular expression also requires "use re 'eval'", just as '(?{ code })' does. --- diff --git a/ext/re/re.pm b/ext/re/re.pm index 5701601..02393ce 100644 --- a/ext/re/re.pm +++ b/ext/re/re.pm @@ -203,11 +203,13 @@ other transformations. =head2 'eval' mode When C is in effect, a regexp is allowed to contain -C<(?{ ... })> zero-width assertions even if the regular expression contains +C<(?{ ... })> zero-width assertions and C<(??{ ... })> postponed +subexpressions, even if the regular expression contains variable interpolation. That is normally disallowed, since it is a potential security risk. Note that this pragma is ignored when the regular expression is obtained from tainted data, i.e. evaluation is always -disallowed with tainted regular expressions. See L. +disallowed with tainted regular expressions. See L +and L. For the purpose of this pragma, interpolation of precompiled regular expressions (i.e., the result of C) is I considered variable @@ -216,7 +218,7 @@ interpolation. Thus: /foo${pat}bar/ I allowed if $pat is a precompiled regular expression, even -if $pat contains C<(?{ ... })> assertions. +if $pat contains C<(?{ ... })> assertions or C<(??{ ... })> subexpressions. =head2 'debug' mode diff --git a/pod/perlre.pod b/pod/perlre.pod index e040f09..c997a9e 100644 --- a/pod/perlre.pod +++ b/pod/perlre.pod 
@@ -1035,6 +1035,12 @@ The following pattern matches a parenthesized group: See also C<(?PARNO)> for a different, more efficient way to accomplish the same task. +For reasons of security, this construct is forbidden if the regular +expression involves run-time interpolation of variables, unless the +perilous C pragma has been used (see L), or the +variables contain results of C operator (see +L). + Because perl's regex engine is not currently re-entrant, delayed code may not invoke the regex engine either directly with C or C), or indirectly with functions such as C.
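Review bot: In the re.pm "'eval' mode" hunk, extending the first sentence to cover C<(??{ ... })> postponed subexpressions leaves the justification that follows, "That is normally disallowed, since it is a potential security risk", still unexplained, and the addition of a second construct is a good moment to name the risk: under run-time interpolation, text that reaches the pattern from an untrusted source would otherwise be compiled and executed as Perl code. Suggest something like "since it would allow interpolated text from an untrusted source to be executed as Perl code". The taint sentence and the added L<...> cross-reference to the postponed-subexpression section are fine as they stand.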
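Review bot: In the perlre.pod hunk, "or the variables contain results of C operator" is missing its articles and should read "or the variables contain the results of the ... operator"; as written it also leaves open whether every interpolated variable must be a precompiled pattern or only the ones carrying the code construct, whereas the re.pm hunk in this same patch states the rule precisely ("interpolation of precompiled regular expressions ... is not considered variable interpolation"). Suggest mirroring that wording here, and carrying over the re.pm caveat that the pragma is ignored when the regular expression is obtained from tainted data, which this new paragraph omits even though it is the place a reader of perlre will look first.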