Item6809: Configure regexp checker broken

Yes, it happens in real life - consider a match on an X509 certificate, where typical data is /C=UK/O=Megalith/G=Fred...

Bug is that it does an eval "qr/$str/";

Shouldn't use delimiter at all; anything you pick is wrong somewhere. Do this 1 line change instead:

lib/TWiki/Configure/Checker.pm ~ line 239 in trunk:

# Check for a compilable RE
sub checkRE {
    my ($this, $keys) = @_;
    my $str;
    eval '$str = $TWiki::cfg'.$keys;
    return '' unless defined $str;
    eval "'x' =~ \$str";                      #<<<<<<<< 
    if ($@) {
        return $this->ERROR(<<MESS);
Invalid regular expression: $@ <p />
See <a href=" [[http://www.perl.com/doc/manual/html/pod/perlre.html">perl.com</a][http://www.perl.com/doc/manual/html/pod/perlre.html">perl.com</a]]> for help with Perl regular expressions.
MESS
    }
    return '';
}

For now, I ship a custom work-around for especially vulnerable fields. That's a bad thing.

Urgent because valid user input produces false and hard to diagnose errors. E.g. '/emailAddress=\w+\@example\.com' produces:

Error: Invalid regular expression: Bareword found where operator expected at (eval 1394) line 1, near "qr//emailAddress"

-- TWiki:Main/TimotheLitt - 2011-09-15

Thank you Timothe. This is now in SVN trunk and 5.1 branch. Could you please check if the fix is good?

-- TWiki:Main.PeterThoeny - 2011-09-21

Yes, it's good.

While we're here, it might be good to check $@ after the first eval. Something like:

eval '$str = $TWiki::cfg'.$keys;
$@ and return $this->ERROR( "Bad item key $keys: $@" );  #<<<<++
return '' unless defined $str;

An eval without a check of $@ can produce odd behaviors that are really hard to track down ...

-- TWiki:Main.TimotheLitt - 2011-09-21

I am closing this one because of today's TWiki-5.1.1 patch release. Please file a new report for the additional issue.

-- PeterThoeny - 2012-01-14