On Wed, Jul 10, 2002 at 09:56:32AM -0700, Charlie Reiman wrote:
I was agreeing with Toby, until it dawned on me that string.* is available unrestricted. Yes, my regexs may be vulnerable to a DOS attack if someone foists a 4M string at me. But so is string.index and string.rindex and (even worse) string.lower. Besides, as Oliver points out, limiting access to re doesn't mean I can't write code that wantonly consumes all CPU and memory. His example is artificial but it could easily be modified to take paramters from the HTTP REQUEST and still do stupid things.
Yes, but at least each is linear w.r.t. input size. regexes can be exponential. Damn, I am trying to remember: it feels to me that they can be factorial (but this would be hard to do accidentally).
If the issue is resource (CPU or memory or disk) consumption, then trying to limit package availability is never going to be a 100% solution. To limit resource consumption, you must (wait for it....) limit resource consumption. In other words, requests need CPU timeouts and memory quotas.
True -- it is not, and was never intended to be a 100% solution. It was an engineering tradeoff. And I suspect that the needs of Zope Hosting providers was weighed heavily. They would want to be able to look at a user's code that was taking a lot of resource and quickly make a decision on whether to continue to have him as a customer. regexes would certainly make that more difficult. I don't know any of this, I am as far outside Zope decision making circles as can be.
So to rephrase the original question: Assuming I'm willing to risk the DOS attacks, is there any other security risk to opening up regexs for Zope use? Is there some way a hacker can assume control of my Zope server or change its content because I decided to utilize regexes in my Python scripts?
Not to my knowledge. In fact, I doubt it; the regex compilation process is completely uncontrollable by input, and I would be surprised if there were any problems in the match algorithm that could be exploited by input (although I seem to recall dimly problems with Unicode).
You don't have to tell me how, of course. Just let me know if it is possible.
Jim Penny