Posted to commits@spamassassin.apache.org by do...@apache.org on 2005/05/12 04:27:07 UTC

svn commit: r169745 - /spamassassin/trunk/lib/Mail/SpamAssassin/Conf/Parser.pm

Author: dos
Date: Wed May 11 19:27:06 2005
New Revision: 169745

URL: http://svn.apache.org/viewcvs?rev=169745&view=rev
Log:
is_regexp_valid(): ensure perl's regexp security checks are done

Modified:
    spamassassin/trunk/lib/Mail/SpamAssassin/Conf/Parser.pm

Modified: spamassassin/trunk/lib/Mail/SpamAssassin/Conf/Parser.pm
URL: http://svn.apache.org/viewcvs/spamassassin/trunk/lib/Mail/SpamAssassin/Conf/Parser.pm?rev=169745&r1=169744&r2=169745&view=diff
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/Conf/Parser.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/Conf/Parser.pm Wed May 11 19:27:06 2005
@@ -821,9 +821,28 @@
 sub is_regexp_valid {
   my ($self, $name, $re) = @_;
 
-  my $evalstr = '("" =~ ' . $re . '); 1;';
-  if (eval $evalstr) {
-    return 1;
+  $re =~ /^m?(\W)(.*)(?:\1|>|}|\)|\])(.*?)$/;
+  my $pattern = $2;
+  $pattern = "(?".$3.")".$pattern if $3;
+
+  # the first eval tells us if the regexp is safe
+  # the second eval tells us if the delimiters are ok
+  if (!defined ($pattern)) {
+    warn "config: invalid regexp for rule $name: $re: missing or invalid delimiters\n";
+    $self->{conf}->{errors}++;
+    return 0;
+  }
+  elsif (eval { ("" =~ m{$pattern}); 1; }) {
+    my $evalstr = '("" =~ ' . $re . '); 1;';
+    if (eval $evalstr) {
+      return 1;
+    } else {
+      my $err = $@;
+      $err =~ s/ at .*? line \d+,//;
+      warn "config: invalid regexp for rule $name: $re: $err\n";
+      $self->{conf}->{errors}++;
+      return 0;
+    }
   }
   else {
     my $err = $@;
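Review bot: The match on the first added line is never checked, so when `$re` does not fit the delimiter pattern, `$2` and `$3` are not reset and can still hold captures from an earlier successful match in the calling scope; the `!defined ($pattern)` test then cannot be relied on to detect bad delimiters. Capturing in list context fixes this: `my (undef, $pattern, $mods) = $re =~ /^m?(\W)(.*)(?:\1|>|}|\)|\])(.*?)$/;` followed by `$pattern = "(?".$mods.")".$pattern if defined $pattern && $mods;`. Separately, the inner `eval $evalstr` still compiles the raw `$re` as Perl source, so the safety check only holds if this regex splits `$re` exactly as perl's parser would; the closing alternative accepts any of `>`, `}`, `)`, `]` whatever the opener was, and the trailing `(.*?)` is not limited to modifier letters. Restricting that group to the accepted modifier letters, or compiling the extracted pattern and modifiers without a string eval, would remove that dependency. The function's final `else` branch continues past the end of the hunk.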