
[PATCH] Error message should indicate that "use re 'eval'" is runnable code #9893

Open
p5pRT opened this issue Oct 2, 2009 · 9 comments

Comments


p5pRT commented Oct 2, 2009

Migrated from rt.perl.org#69536 (status was 'stalled')

Searchable as RT69536$


p5pRT commented Oct 2, 2009

From @moritz

Patch inspired by http://www.perlmonks.org/?node_id=798862

--
Moritz Lenz
http://perlgeek.de/ | http://perl-6.de/ | http://sudokugarden.de/


p5pRT commented Oct 2, 2009

From @moritz

0001-make-it-clear-that-use-re-eval-is-actually-code.patch
From 083663742220a366b866629fc72f4b1bd1bda3fc Mon Sep 17 00:00:00 2001
From: Moritz Lenz <moritz@faui2k3.org>
Date: Fri, 2 Oct 2009 17:12:30 +0200
Subject: [PATCH] make it clear that "use re 'eval'" is actually code

---
 regcomp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/regcomp.c b/regcomp.c
index 696796b..d43b43e 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -5885,7 +5885,7 @@ S_reg(pTHX_ RExC_state_t *pRExC_state, I32 paren, I32 *flagp,U32 depth)
 			&& IN_PERL_RUNTIME)
 			/* No compiled RE interpolated, has runtime
 			   components ===> unsafe.  */
-			FAIL("Eval-group not allowed at runtime, use re 'eval'");
+			FAIL("Eval-group not allowed at runtime, allow it with \"use re 'eval'\"");
 		    if (PL_tainting && PL_tainted)
 			FAIL("Eval-group in insecure regular expression");
 #if PERL_VERSION > 8
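Review bot: the replacement text on the `+` line is still phrased as an instruction for switching the check off, and says nothing about why the check is there, even though the comment two lines above this FAIL calls the situation unsafe; state the reason in the message and point at the documentation rather than at the pragma, for example `(?{}) from variable interpolation is disabled for security reasons; see perlre for how to enable it`. Two follow-ups: the diffstat touches regcomp.c only, but the old text is the documented entry in pod/perldiag.pod, so that entry (and any test that matches the old wording) needs the same change; and the taint message directly below (`Eval-group in insecure regular expression`) should keep the same vocabulary as whatever wording is chosen here, so the two failures read as variants of one rule.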
-- 
1.5.6.5


p5pRT commented Oct 3, 2009

From ben@morrow.me.uk

Quoth Moritz Lenz

- FAIL("Eval-group not allowed at runtime, use re 'eval'");
+ FAIL("Eval-group not allowed at runtime, allow it with \"use re 'eval'\"");

Should this perhaps say something more like

  (?{}) from variable interpolation forbidden for security reasons,
  see perlre

? It would be bad if people just blindly turned re "eval" on without
understanding the implications (which are non-obvious).

Ben
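
The implication Ben calls non-obvious, shown as an added example that is not part of the ticket or of Perl's own sources. The `$untrusted` string and the subroutine names are constructed for illustration; the behaviour it relies on (run-time interpolated `(?{ })` refused by default, allowed under `use re 'eval'`, and `qr//` objects exempt) is the one documented in perlre.

```perl
#!/usr/bin/perl
# Added example: what the refused construct looks like, what `use re 'eval'`
# changes, and two ways to stay safe without the pragma.
use strict;
use warnings;

# Constructed untrusted input, standing in for a search string read from a
# request, a config file or the command line.  It smuggles a code block into
# what the caller believes is a plain pattern.
my $untrusted = 'foo(?{ print "embedded code ran\n" })';
my $subject   = 'foobar';

# 1. Default behaviour.  A (?{ }) that reaches the regex compiler through
#    run-time interpolation of a plain string is refused; the die text is
#    the "Eval-group not allowed at runtime ..." message the patch rewords.
sub match_untrusted_default {
    my ($pattern, $text) = @_;
    my $ok = eval { $text =~ /$pattern/ ? 1 : 0 };
    return defined $ok ? "matched=$ok\n" : "refused: $@";   # $@ ends in "\n"
}
print match_untrusted_default($untrusted, $subject);

# 2. With the pragma.  Nothing else changes: the code block carried inside
#    the interpolated string now executes while the engine matches, with the
#    privileges of the running program.  That is what "allow it with
#    use re 'eval'" does not convey.
sub match_untrusted_with_pragma {
    my ($pattern, $text) = @_;
    use re 'eval';                      # lexically scoped to this sub
    return $text =~ /$pattern/ ? 1 : 0;
}
print "with pragma: matched=",
      match_untrusted_with_pragma($untrusted, $subject), "\n";

# 3a. If the input is meant to be a literal, quote it: "(?{" and "})" become
#     ordinary characters and no code block is ever compiled.
sub match_literal {
    my ($needle, $text) = @_;
    return $text =~ /\Q$needle\E/ ? 1 : 0;
}
print "literal: matched=",
      match_literal('(?{ x })', 'prefix (?{ x }) suffix'), "\n";

# 3b. Code blocks written in the program's own source and compiled with qr//
#     stay allowed when that qr// object is interpolated, because the
#     compiler saw them at compile time rather than in a run-time string.
my $hits     = 0;
my $counting = qr/foo(?{ $hits++ })/;
sub count_foo_runs {
    my ($text) = @_;
    $hits = 0;
    $text =~ /^(?:$counting)+$/;
    return $hits;
}
print "qr// code block, no pragma: block ran ",
      count_foo_runs('foofoofoo'), " times\n";
```

Run it as an ordinary script; the first call dies inside the `eval` and reports the message under discussion, the second shows the injected block executing. Note also the check that follows the reworded FAIL in the same hunk: under taint mode a tainted pattern hits "Eval-group in insecure regular expression" whether or not the pragma is in effect, so `use re 'eval'` is not a way around tainting.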


p5pRT commented Oct 3, 2009

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Oct 3, 2009

From nj88udd02@sneakemail.com

Hi Ben, hi Moritz,

Ben Morrow wrote:

Quoth Moritz Lenz

- FAIL("Eval-group not allowed at runtime, use re 'eval'");
+ FAIL("Eval-group not allowed at runtime, allow it with \"use re 'eval'\"");

Should this perhaps say something more like

(?{}) from variable interpolation forbidden for security reasons,
see perlre

? It would be bad if people just blindly turned re "eval" on without
understanding the implications (which are non-obvious).

I agree with Ben here. Maybe the even more verbose "(?{}) from variable
interpolation forbidden for security reasons, see perlre on how to
enable this". Any opposition to my changing the error to Ben's
suggestion or this one?

Cheers,
Steffen


p5pRT commented Oct 3, 2009

From @nwc10

On Sat, Oct 03, 2009 at 10:33:16AM +0200, Steffen Mueller wrote:

Hi Ben, hi Moritz,

Ben Morrow wrote:

Quoth Moritz Lenz

- FAIL("Eval-group not allowed at runtime, use re
'eval'");
+ FAIL("Eval-group not allowed at runtime, allow it
with \"use re 'eval'\"");

Should this perhaps say something more like

(?{}) from variable interpolation forbidden for security reasons,
see perlre

? It would be bad if people just blindly turned re "eval" on without
understanding the implications (which are non-obvious).

I agree with Ben here. Maybe the even more verbose "(?{}) from variable
interpolation forbidden for security reasons, see perlre on how to
enable this". Any opposition to my changing the error to Ben's
suggestion or this one?

I'm not sure if I'm really following this, but I think it needs something like
"by default" or "see X for how to enable it", because it's not a blanket
"no you can't"

Nicholas Clark


p5pRT commented Oct 3, 2009

From nj88udd02@sneakemail.com

Nicholas Clark wrote:

On Sat, Oct 03, 2009 at 10:33:16AM +0200, Steffen Mueller wrote:

I agree with Ben here. Maybe the even more verbose "(?{}) from variable
interpolation forbidden for security reasons, see perlre on how to
enable this". Any opposition to my changing the error to Ben's
suggestion or this one?

I'm not sure if I'm really following this, but I think it needs something like
"by default" or "see X for how to enable it", because it's not a blanket
"no you can't"

That's what I was trying to convey with my "see perlre on how to enable
this" extension.

Cheers,
Steffen


p5pRT commented Oct 9, 2009

From @davidnicol

due to security concerns, eval-group must be explicitly enabled: see
perlre documentation


p5pRT commented Jul 21, 2016

@dcollinsn - Status changed from 'open' to 'stalled'
