Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rkB5W-00Axt7-7W for pgsql-hackers@arkaria.postgresql.org; Tue, 12 Mar 2024 22:59:14 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1rkB5T-004Nlz-9V for pgsql-hackers@arkaria.postgresql.org; Tue, 12 Mar 2024 22:59:11 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rkB5T-004NlN-0O for pgsql-hackers@lists.postgresql.org; Tue, 12 Mar 2024 22:59:11 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rkB5P-004BxZ-Mn for pgsql-hackers@postgresql.org; Tue, 12 Mar 2024 22:59:10 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 42CMx4Wp1941563; Tue, 12 Mar 2024 18:59:04 -0400 From: Tom Lane To: Jeff Davis cc: Alvaro Herrera , pgsql-hackers@postgresql.org Subject: Re: perl: unsafe empty pattern behavior In-reply-to: <2385813054ce4e4b3e5998600da2ce95b9509dc7.camel@j-davis.com> References: <202403121753.lw7u5b5fjsjw@alvherre.pgsql> <2385813054ce4e4b3e5998600da2ce95b9509dc7.camel@j-davis.com> Comments: In-reply-to Jeff Davis message dated "Tue, 12 Mar 2024 15:51:09 -0700" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <1941561.1710284344.1@sss.pgh.pa.us> Date: Tue, 12 Mar 2024 18:59:04 -0400 Message-ID: <1941562.1710284344@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Jeff Davis writes: > On Tue, 2024-03-12 at 18:53 +0100, Alvaro Herrera wrote: >> I also tried grepping (for things >> like qr{}, qr[], qr||, qr!!) and didn't find anything beyond what you >> have ... but I only looked for the "qr" literal, not other ways to >> get regexes. > I think that's fine. qr// seems the most dangerous, because it seems to > behave differently in different versions of perl. I wonder whether perlcritic has sufficiently deep understanding of Perl code that it could find these hazards. I already checked, and found that there's no built-in filter for this (at least not in the perlcritic version I have), but maybe we could write one? The rules seem to be plug-in modules, so you can make your own in principle. regards, tom lane