From vindex+lists-markdown-discuss at apartia.org Thu Oct 23 07:54:22 2008 From: vindex+lists-markdown-discuss at apartia.org (Louis-David Mitterrand) Date: Thu, 23 Oct 2008 13:54:22 +0200 Subject: use re 'eval' error Message-ID: <20081023115422.GB3426@apartia.fr> Hi, I am trying to use Text::Markdown under HTML::Mason (mod_perl) and I get this error when calling markdown(text): Eval-group not allowed at runtime, use re 'eval' in regex m/ ( # wrap whole match in $1 !\[ (.*?) # alt text = $2 \] .../ at /usr/share/perl5/Text/Markdown.pm line 751. Adding "use re 'eval';" to my startup.pl file didn't help. What is the fix? Thanks, -- http://www.lesculturelles.net From pagaltzis at gmx.de Thu Oct 23 11:11:27 2008 From: pagaltzis at gmx.de (Aristotle Pagaltzis) Date: Thu, 23 Oct 2008 17:11:27 +0200 Subject: use re 'eval' error In-Reply-To: <20081023115422.GB3426@apartia.fr> References: <20081023115422.GB3426@apartia.fr> Message-ID: <20081023151127.GO18606@klangraum.plasmasturm.org> * Louis-David Mitterrand [2008-10-23 13:55]: > What is the fix? You have to patch Text::Markdown to add that line to the block the regex is in. I see you have already filed a bug against Text::Markdown, excellent. Regards, -- Aristotle Pagaltzis // From vindex+lists-markdown-discuss at apartia.org Thu Oct 23 14:55:35 2008 From: vindex+lists-markdown-discuss at apartia.org (Louis-David Mitterrand) Date: Thu, 23 Oct 2008 20:55:35 +0200 Subject: use re 'eval' error In-Reply-To: <20081023151127.GO18606@klangraum.plasmasturm.org> References: <20081023115422.GB3426@apartia.fr> <20081023151127.GO18606@klangraum.plasmasturm.org> Message-ID: <20081023185534.GA27106@apartia.fr> On Thu, Oct 23, 2008 at 05:11:27PM +0200, Aristotle Pagaltzis wrote: > * Louis-David Mitterrand [2008-10-23 13:55]: > > What is the fix? > > You have to patch Text::Markdown to add that line to the block > the regex is in. I see you have already filed a bug against > Text::Markdown, excellent. Wouldn't a better fix be to remove the vulnerability from the regex? In other words isn't "use re 'eval';" weakening the module's security? Thanks, -- http://www.lesculturelles.net From bobtfish at bobtfish.net Thu Oct 23 16:04:42 2008 From: bobtfish at bobtfish.net (Tomas Doran) Date: Thu, 23 Oct 2008 21:04:42 +0100 Subject: use re 'eval' error In-Reply-To: <20081023185534.GA27106@apartia.fr> References: <20081023115422.GB3426@apartia.fr> <20081023151127.GO18606@klangraum.plasmasturm.org> <20081023185534.GA27106@apartia.fr> Message-ID: On 23 Oct 2008, at 19:55, Louis-David Mitterrand wrote: > On Thu, Oct 23, 2008 at 05:11:27PM +0200, Aristotle Pagaltzis wrote: >> * Louis-David Mitterrand > discuss at apartia.org> [2008-10-23 13:55]: >>> What is the fix? >> >> You have to patch Text::Markdown to add that line to the block >> the regex is in. I see you have already filed a bug against >> Text::Markdown, excellent. > > Wouldn't a better fix be to remove the vulnerability from the regex? > > In other words isn't "use re 'eval';" weakening the module's security? In this case, no, it isn't - as the string being interpolated into the regex is another (static) chunk of pre-compiled regex. I've released Text::Markdown 1.0.22 this evening, which corrects this, and another bug. Cheers t0m