    New VRE_quote() function · c82e3aba
    Dridi Boukelmoune authored
    This is a tool for VMOD authors for the use case of building a regular
    expression partially from arbitrary input, where the input is intended
    for an exact match.
    
    For example, one could implement a dispatch feature depending on the
    request's host header, building something like:
    
        "\.?\Q" + req.http.host + "\E$"
    
    A malicious client could however hijack the regular expression with a
    \E sequence in the host header. To get safely to this result you can
    do this instead in pseudo-code before compiling the regex:
    
        VSB_cat(vsb, "\\.?");
        VRE_quote(vsb, req.http.host);
        VSB_putc(vsb, '$');
    
    The input is enclosed with PCRE's \Q and \E escape sequences, ensuring
    that \E sequences in the input string don't allow Little Bobby Tables'
    cousin to mess with your regular expressions.
vre.h 2.3 KB
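The problem and fix described in the commit message, as an added example in C; this is not the VRE_quote() implementation from this commit and not Varnish code. `put()`, `quote_literal()`, `build_naive()`, `build_safe()` and the sample Host value are hypothetical names and constructed input, and the splitting strategy (close the quote at each embedded `\E` and emit it as an escaped backslash plus `E`) is one possible approach, assumed here rather than taken from the page.

```c
#include <stdio.h>
#include <string.h>
/* Append len bytes of s to the NUL-terminated buffer dst of size n. */
static int put(char *dst, size_t n, const char *s, size_t len)
{
	size_t used = strlen(dst);
	int l = snprintf(dst + used, n - used, "%.*s", (int)len, s);
	return (l < 0 || (size_t)l >= n - used) ? -1 : 0;
}
/* Hypothetical helper (not Varnish's VRE_quote): append src as a literal. */
static int quote_literal(char *dst, size_t n, const char *src)
{
	const char *b, *e;
	for (b = src; (e = strstr(b, "\\E")) != NULL; b = e + 2) {
		/* Text before an embedded \E stays inside \Q...\E. */
		if (e > b && (put(dst, n, "\\Q", 2) ||
		    put(dst, n, b, (size_t)(e - b)) || put(dst, n, "\\E", 2)))
			return -1;
		/* The \E itself goes outside the quotes: escaped backslash, E. */
		if (put(dst, n, "\\\\E", 3))
			return -1;
	}
	if (*b != '\0' && (put(dst, n, "\\Q", 2) ||
	    put(dst, n, b, strlen(b)) || put(dst, n, "\\E", 2)))
		return -1;
	return 0;
}
/* The concatenation from the commit message: host copied in verbatim. */
int build_naive(char *dst, size_t n, const char *host)
{
	int l = snprintf(dst, n, "\\.?\\Q%s\\E$", host);
	return (l < 0 || (size_t)l >= n) ? -1 : 0;
}
/* Same pattern with the host quoted first; dst must hold at least 1 byte. */
int build_safe(char *dst, size_t n, const char *host)
{
	dst[0] = '\0';
	return (put(dst, n, "\\.?", 3) || quote_literal(dst, n, host) ||
	    put(dst, n, "$", 1)) ? -1 : 0;
}

int main(void)
{
	char re[128];
	const char *host = "example.org\\E.*\\Q"; /* constructed hostile Host */
	if (build_naive(re, sizeof re, host) == 0) puts(re);
	if (build_safe(re, sizeof re, host) == 0) puts(re);
	return 0;
}
```

With the constructed host, the naive pattern leaves `.*` outside the quoted region, while the quoted version keeps every input byte literal.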