Collector #839: Zope, Include re module in _ namespace
Duncan Booth reported:
It would be very useful to have access to regular expression matching from DTML. Importing the re module into the _ namespace as is done for string, math and whrandom looks to me to be both safe and useful.
with patch:
diff -r1.61 DT_Util.py 205c205 < import string, math, whrandom ---
import string, math, whrandom, re 219a220 d['re']=re
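Review bot: `d['re']=re` at 219a220 binds the whole module rather than a chosen subset, so every function in `re`, `compile` included, becomes reachable from DTML with a pattern written in the template itself, and nothing in the change bounds the pattern or the length of the text it runs against. Consider binding a small wrapper object that exposes only the calls needed, and add a comment beside the `import string, math, whrandom, re` line saying what qualifies a module for the namespace.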
I am reluctant to Go There -- regexp's are notoriously hard to get right, and when they go south, they often take the family silver with them. It would be fairly trivial to write a back-tracking regexp, even inadvertently, the execution of which would be an effective denial-of-service attack on the server.
DTML really isn't the right place for them, anyway: according to the prevailing wisdom of the zopemeisters, complicated logic belongs in Python, rather than in DTML. (However, PythonMethods won't have access to the re module either without some help)
I'm CC'ing this reply to the zope-dev list for further feedback.
Tres.
On Tue, 11 Apr 2000 16:11:17 -0700 (PDT), tseaver@digicool.com wrote:
Duncan Booth reported:
It would be very useful to have access to regular expression matching from DTML. Importing the re module into the _ namespace as is done for string, math and whrandom looks to me to be both safe and useful.
with patch:
diff -r1.61 DT_Util.py 205c205 < import string, math, whrandom ---
import string, math, whrandom, re 219a220 d['re']=re
I am reluctant to Go There -- regexp's are notoriously hard to get right, and when they go south, they often take the family silver with them. It would be fairly trivial to write a back-tracking regexp, even inadvertently, the execution of which would be an effective denial-of-service attack on the server.
DTML really isn't the right place for them, anyway: according to the prevailing wisdom of the zopemeisters, complicated logic belongs in Python, rather than in DTML. (However, PythonMethods won't have access to the re module either without some help)
I'm CC'ing this reply to the zope-dev list for further feedback.
There is an extra reason for using an external method: Python's re module has a significant overhead when initially compiling the expression. If the expression is going to be used more than once, you really want to cache the compiled version. DTML wouldn't let you do that.
Toby Dickenson tdickenson@geminidataloggers.com
tseaver@digicool.com wrote:
Duncan Booth reported:
It would be very useful to have access to regular expression matching from DTML. Importing the re module into the _ namespace as is done for string, math and whrandom looks to me to be both safe and useful.
with patch:
diff -r1.61 DT_Util.py 205c205 < import string, math, whrandom ---
import string, math, whrandom, re 219a220 d['re']=re
I am reluctant to Go There -- regexp's are notoriously hard to get right, and when they go south, they often take the family silver with them.
Yes.
It would be fairly trivial to write a back-tracking regexp, even inadvertently, the execution of which would be an effective denial-of-service attack on the server.
DTML really isn't the right place for them, anyway: according to the prevailing wisdom of the zopemeisters, complicated logic belongs in Python, rather than in DTML. (However, PythonMethods won't have access to the re module either without some help)
Right. Unless someone comes up with a "safe" re, one that *cannot* cause infinite loops or core dumps, we won't expose it in through the web code.
Jim
--
Jim Fulton mailto:jim@digicool.com Python Powered!
Technical Director (888) 344-4332 http://www.python.org
Digital Creations http://www.digicool.com http://www.zope.org
Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B) This email address may not be added to any commercial mail list without my permission. Violation of my privacy with advertising or SPAM will result in a suit for a MINIMUM of $500 damages/incident, $1500 for repeats.
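One way to act on the replies above (keep the pattern logic in Python, compile each expression once), as an added example that is not part of the original thread or of Zope's code. It is written for current Python 3, and the pattern names, `MAX_INPUT` and all function names are assumptions made for illustration:

```python
import re

# Assumption: these names and expressions are constructed for the example.
# They are fixed in Python by the site developer; a template only picks a name.
# None of them nests one quantifier inside another.
_PATTERNS = {
    "iso_date": r"(\d{4})-(\d{2})-(\d{2})",
    "word": r"[A-Za-z]+",
}
MAX_INPUT = 4096   # assumed cap on the text a template may hand in

_compiled = {}     # name -> compiled pattern, filled on first use
_calls = {"compile": 0}


def _get(name):
    """Return the compiled pattern for an allow-listed name, compiling once."""
    if name not in _PATTERNS:
        raise KeyError("unknown pattern name: %r" % (name,))
    if name not in _compiled:
        _compiled[name] = re.compile(_PATTERNS[name])
        _calls["compile"] += 1
    return _compiled[name]


def _check(text):
    """Reject anything that is not a string within the length cap."""
    if not isinstance(text, str) or len(text) > MAX_INPUT:
        raise ValueError("text must be a str of at most %d chars" % MAX_INPUT)


def match_groups(name, text):
    """Match the whole text; return the captured groups, or None."""
    _check(text)
    m = _get(name).fullmatch(text)
    return m.groups() if m else None


def find_all(name, text):
    """Return every non-overlapping match of the named pattern in text."""
    _check(text)
    return _get(name).findall(text)


def compile_calls():
    """How many times this module has actually compiled a pattern."""
    return _calls["compile"]
```

The template-facing surface is two functions taking a pattern name and a string, so no expression authored through the web ever reaches `re.compile`.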