-
Dridi Boukelmoune authored
This is a tool for VMOD authors for the use case of building a regular expression partially from arbitrary input, where the input is intended for an exact match. For example, one could implement a dispatch feature depending on the request's host header, building something like: "\.?\Q" + req.http.host + "\E$" A malicious client could however hijack the regular expression with a \E sequence in the host header. To get safely to this result you can do this instead in pseudo-code before compiling the regex: VSB_cat(vsb, "\\.?"); VRE_quote(vsb, req.http.host); VSB_putc(vsb, '$'); The input is enclosed with PCRE's \Q and \E escape sequences, ensuring that \E sequences in the input string don't allow Little Bobby Tables' cousin to mess with your regular expressions.
c82e3aba