From 13722d7b7656f84a95a43db1d6e2fc0b5828c8d9 Mon Sep 17 00:00:00 2001
From: www-data <www-data@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>
Date: Mon, 3 Apr 2006 15:39:15 +0000
Subject: [PATCH] web commit by WillThompson: Safety of arbitrary regexen

---
 doc/todo/mailnotification.mdwn | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/doc/todo/mailnotification.mdwn b/doc/todo/mailnotification.mdwn
index 5aae98894..858141008 100644
--- a/doc/todo/mailnotification.mdwn
+++ b/doc/todo/mailnotification.mdwn
@@ -13,6 +13,24 @@ Should support mail notification of new and changed pages.
      Joey points out that this is actually a security hole, because Perl
      regexes let you embed (arbitrary?) Perl expressions inside them.  Yuck!
 
+(This is not actually true unless you "use re 'eval';", without which
+(?{ code }) is disabled for expressions which interpolate variables.
+See perldoc re, second paragraph of DESCRIPTION. It's a little iffy
+to allow arbitrary regexen, since it's fairly easy to craft a regular
+expression that takes unbounded time to run, but this can be avoided
+with the use of alarm to add a time limit. Something like
+
+    eval { # catches invalid regexen
+      no re 'eval'; # to be sure
+      local $SIG{ALRM} = sub { die };
+      alarm(1);
+      ... stuff involving m/$some_random_variable/ ...
+      alarm(0);
+    };
+    if ($@) { ... handle the error ... }
+
+should be safe. --[[WillThompson]])
+
      It would also be good to be able to subscribe to all pages except discussion pages or the SandBox: `* !*/discussion !sandobx`, maybe --[[Joey]]
 
   3. Of course if you do that, you want to have form processing on the user
-- 
2.44.0