Boost logo

Boost :

Subject: Re: [boost] [regex] embed string/char in regex w/o escaping?
From: Jim Bell (Jim_at_[hidden])
Date: 2011-03-01 23:01:21


On 1:59 PM, Arno Schödl wrote:
> As far as I can see, there is no way to embed a plain string into a regex, without escaping the string. Same with characters. Isn't that a bad omission for a library that becomes the new C++ standard? Escaping something just to unescape it on the other end of the function call seems unnecessary, and it opens up the possibility of ills like regex code injection if someone forgets to escape or does it wrong.

I was just pondering regex security risks
(<http://lists.boost.org/boost-users/2011/02/66533.php>).

Has anyone studied regex code injection and its implications?

How about
<http://www.boost.org/doc/libs/1_46_0/libs/regex/doc/html/boost_regex/ref/syntax_option_type/syntax_option_type_literal.html>?
It treats the whole string as literal. Is that what you're seeking?

regex has to contend with in-band signaling in general, and it's a
thorny issue.

To your point of escaping a string wrong, I fiddled with a
regex_replace() that would remove all '\E' (end-of-quoted-sequence),
including '\\\E', but not touch '\\E' (i.e., even numbers of '\'
prefixing), and couldn't get it.


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk