use re 'eval' error

Tomas Doran bobtfish at bobtfish.net
Thu Oct 23 16:04:42 EDT 2008



On 23 Oct 2008, at 19:55, Louis-David Mitterrand wrote:

> On Thu, Oct 23, 2008 at 05:11:27PM +0200, Aristotle Pagaltzis wrote:
>> * Louis-David Mitterrand <vindex+lists-markdown-discuss at apartia.org> [2008-10-23 13:55]:
>>> What is the fix?
>>
>> You have to patch Text::Markdown to add that line to the block
>> the regex is in. I see you have already filed a bug against
>> Text::Markdown, excellent.
>
> Wouldn't a better fix be to remove the vulnerability from the regex?
>
> In other words isn't "use re 'eval';" weakening the module's security?


In this case, no, it isn't - as the string being interpolated into
the regex is another (static) chunk of pre-compiled regex.

I've released Text::Markdown 1.0.22 this evening, which corrects
this, and another bug.

Cheers
t0m
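
The distinction drawn in the reply above, shown as an added example that is not part of the original message and is not Text::Markdown's code: a static `qr//` fragment containing a code block is fixed when the source is compiled, while a plain string interpolated under `use re 'eval'` is compiled as code at match time. The names `$nested`, `$untrusted` and `try_string_pattern` are hypothetical, and the sample input is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Static, pre-compiled fragment with a recursive code block (the balanced
# parentheses idiom; a hypothetical stand-in, not Text::Markdown's regex).
my $nested;
$nested = qr{ \( (?: (?> [^()]+ ) | (??{ $nested }) )* \) }x;

# Constructed stand-in for text that did not come from the program source.
my $untrusted = '(?{ die "code block from input ran\n" })';

# Match 'x' against a pattern held in a plain string and report what Perl
# did with it: 'refused', 'executed', 'matched' or 'no match'.
sub try_string_pattern {
    my ($pattern, $allow_eval) = @_;
    my $matched = eval {
        if ($allow_eval) {
            use re 'eval';    # lexically scoped: applies to this block only
            'x' =~ /$pattern/ ? 1 : 0;
        }
        else {
            'x' =~ /$pattern/ ? 1 : 0;
        }
    };
    return $@ =~ /Eval-group not allowed/ ? 'refused'
         : $@                             ? 'executed'
         : $matched                       ? 'matched'
         :                                  'no match';
}

# The static fragment's code block was written by the programmer, so
# interpolating it adds no code that was not already in the source.
print "static qr// fragment:              ",
    ('(a(b)c)' =~ /^$nested$/ ? 'matched' : 'no match'), "\n";

# A string carrying a code block is rejected unless the pragma is in scope.
print "string, no pragma:                 ",
    try_string_pattern($untrusted, 0), "\n";
print "string, use re 'eval':             ",
    try_string_pattern($untrusted, 1), "\n";

# quotemeta turns the string into literal text, so nothing is compiled as code.
print "quotemeta string, use re 'eval':   ",
    try_string_pattern(quotemeta($untrusted), 1), "\n";
```

When auditing a module that enables the pragma, the check is whether every variable interpolated inside its lexical scope is either a `qr//` object built from source literals or has been passed through `quotemeta` (`\Q...\E`).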



More information about the Markdown-Discuss mailing list