Mike Renfro wrote:
On Fri, Jan 17, 2003 at 03:36:25PM +0100, Tue Wennerberg wrote:
Mike Renfro wrote:
Basic summary: easy denial of service possibility if you have untrusted users.
But... If it's only a question of Denial of Service, how are regular expressions any different from Python scripts? Surely, a site developer can simply make an infinite loop in his Python script.
Here's my guess for the difference: whatever code is contained in the script is the developer's sole responsibility. However, a common regex usage would require input from an untrusted *user* (at least on a public site), and the developer can't necessarily plan for all possible inputs that a malicious user might stick in there.
I use regular expressions a lot, and the way I see it, no regexps would behave like that. So it isn't a problem. Also, it's widespread to use regular expressions in web sites written in Perl, and I've never heard of such a scenario occurring. I'm still puzzled as to why regular expressions are banned.

--
Best regards,
Tue Wennerberg
M.Sc. Engineer and Freelance Developer
http://tuewennerberg.dk/ - tue@wennerberg.dk - (+45) 4043 6735
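The following is an added illustration, not part of the thread and not code from any poster or project: it shows how a site can bound the cost of matching a developer-written pattern against untrusted input, and how rewriting a nested quantifier removes the worst case. The function name, both patterns, the length cap, the time budget and the sample input are all constructed assumptions.

```python
import subprocess
import sys

# Child program: exit 0 on match, 3 on no match. Pattern and text are passed
# as argv, so untrusted input is never interpolated into code.
_CHILD = "import re, sys; sys.exit(0 if re.search(sys.argv[1], sys.argv[2]) else 3)"

MAX_INPUT_LEN = 256    # assumed cap on untrusted input length
TIME_BUDGET_S = 2.0    # assumed wall-clock budget per match

# Constructed patterns: both accept exactly "one or more 'a'", but the nested
# quantifier lets a backtracking engine try exponentially many splits.
NESTED = r"^(a+)+$"
FLAT = r"^a+$"

# Constructed input: a long run that almost matches, then one bad character.
NEAR_MISS = "a" * 40 + "!"


def bounded_search(pattern, text, budget=TIME_BUDGET_S):
    """Return 'match', 'no-match', 'rejected' (too long) or 'timeout'."""
    if len(text) > MAX_INPUT_LEN:
        return "rejected"
    try:
        # The match runs in a separate interpreter; subprocess.run kills the
        # child when the budget expires, so a runaway match cannot pin the
        # serving process.
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD, pattern, text],
            timeout=budget,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
    except subprocess.TimeoutExpired:
        return "timeout"
    if proc.returncode == 0:
        return "match"
    if proc.returncode == 3:
        return "no-match"
    raise ValueError("pattern could not be evaluated")


if __name__ == "__main__":
    for name, pat in (("nested", NESTED), ("flat", FLAT)):
        print(name, "benign:", bounded_search(pat, "aaaa"))
        print(name, "near-miss:", bounded_search(pat, NEAR_MISS))
```
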