use re 'eval' error
bobtfish at bobtfish.net
Thu Oct 23 16:04:42 EDT 2008
On 23 Oct 2008, at 19:55, Louis-David Mitterrand wrote:
> On Thu, Oct 23, 2008 at 05:11:27PM +0200, Aristotle Pagaltzis wrote:
>> * Louis-David Mitterrand <vindex+lists-markdown-
>> discuss at apartia.org> [2008-10-23 13:55]:
>>> What is the fix?
>> You have to patch Text::Markdown to add that line to the block
>> the regex is in. I see you have already filed a bug against
>> Text::Markdown, excellent.
> Wouldn't a better fix be to remove the vulnerability from the regex?
> In other words isn't "use re 'eval';" weakening the module's security?
In this case, no, it isn't - as the string being interpolated into
the regex is another (static) chunk of pre-compiled regex.
I've released Text::Markdown 1.0.22 this evening, which corrects
this, and another bug.
More information about the Markdown-Discuss