Received: from ATHENA.MIT.EDU by po7.MIT.EDU (5.61/4.7) id AA03793; Fri, 18 Jun 93 22:20:17 EDT
Received: from HODGE.MIT.EDU by Athena.MIT.EDU with SMTP
	id AA00770; Fri, 18 Jun 93 22:20:12 EDT
Received: by hodge (5.57/4.7) id AA19774; Fri, 18 Jun 93 22:18:55 -0400
Date: Fri, 18 Jun 93 22:18:55 -0400
Message-Id: <9306190218.AA19774@hodge>
From: Calvin Clark <ckclark@MIT.EDU>
To: perl-users@Athena.MIT.EDU
Subject: security question with regexps

Dear Perl Gurus,

I'm going to write an addon in perl to use with the SIPB WWW Plexus
server, that will allow people to search the MITSFS Pinkdex for
titles/authors for works in the MITSFS libarary.  I want to allow people
to do regular expression searches as well as string searches.  My
question is this:

     If I allow a person to specify an arbitrary regular expression and
I match it against lines in the database, can they spoof me and execute
arbitrary commands?  I'm not worried about wiseguys who specify
pathological regular expressions that will take forever to match---I'll
just time them out---but I am concerned about people clever enough to
sieze control though some twisted use of a regexp.

-Calvin
