In which languages is it a security hole to use user-supplied regular expressions?

爱一瞬间的悲伤 2020-12-17 17:00

Edit: tchrist has informed me that my original accusations about Perl's insecurity are unfounded. However, the question still stands.

I know that i

8 answers
  •  自闭症患者
    2020-12-17 17:10

    It's generally dynamic languages with an eval facility that tend to have the ability to execute code from regular expressions. In static languages (i.e. those requiring a separate compilation step) there is generally no way to execute code that wasn't compiled, so evaluating code from within a regex is impossible.

    Without a way to embed code in a regex, the worst a user can do is write a regex that takes a long time to evaluate.
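The remaining risk named in the answer above, a pattern that takes a long time to evaluate, can be bounded by running the match in a separate process with a hard time limit. The following is an added example, not part of the original answer; the function name `safe_search`, the exception `RegexRejected`, the length and time limits, and the sample inputs are all assumptions made for illustration.

```python
import json
import subprocess
import sys

# Child program: reads {"pattern", "text"} as JSON on stdin, prints true/false.
_CHILD = (
    "import json, re, sys\n"
    "job = json.load(sys.stdin)\n"
    "print(json.dumps(re.search(job['pattern'], job['text']) is not None))\n"
)

MAX_PATTERN_LEN = 200    # assumed policy limit on pattern size
TIMEOUT_SECONDS = 2.0    # assumed time budget per match


class RegexRejected(Exception):
    """The user-supplied pattern was refused or exceeded its time budget."""


def safe_search(pattern: str, text: str, timeout: float = TIMEOUT_SECONDS) -> bool:
    """Evaluate an untrusted pattern in a child process with a hard time limit."""
    if len(pattern) > MAX_PATTERN_LEN:
        raise RegexRejected("pattern too long")
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", _CHILD],
            input=json.dumps({"pattern": pattern, "text": text}),
            capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child before re-raising, so no CPU is left burning.
        raise RegexRejected("pattern exceeded time budget") from None
    if proc.returncode != 0:
        # The child exited with an error, e.g. re.error for a malformed pattern.
        raise RegexRejected("pattern failed to compile or run")
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary pattern, one with nested quantifiers.
    print(safe_search(r"^\d{3}-\d{4}$", "555-1234"))
    try:
        safe_search(r"(a+)+$", "a" * 40 + "!", timeout=1.0)
    except RegexRejected as exc:
        print("rejected:", exc)
```
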
