I was agreeing with Toby, until it dawned on me that string.* is available unrestricted. Yes, my regexes may be vulnerable to a DOS attack if someone foists a 4M string at me. But so is string.index and string.rindex and (even worse) string.lower. Besides, as Oliver points out, limiting access to re doesn't mean I can't write code that wantonly consumes all CPU and memory. His example is artificial but it could easily be modified to take parameters from the HTTP REQUEST and still do stupid things. If the issue is resource (CPU or memory or disk) consumption, then trying to limit package availability is never going to be a 100% solution. To limit resource consumption, you must (wait for it....) limit resource consumption. In other words, requests need CPU timeouts and memory quotas. So to rephrase the original question: Assuming I'm willing to risk the DOS attacks, is there any other security risk to opening up regexes for Zope use? Is there some way a hacker can assume control of my Zope server or change its content because I decided to utilize regexes in my Python scripts? You don't have to tell me how, of course. Just let me know if it is possible.
-----Original Message-----
From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of Toby Dickenson
Sent: Wednesday, July 10, 2002 9:12 AM
To: Oliver Bleutgen; zope@zope.org
Subject: Re: [Zope] DTML, Zope and Regex
On Wednesday 10 Jul 2002 4:49 pm, Oliver Bleutgen wrote:
As I understand it, the problem is not so much security, per se, but denial of service. That is, it is extremely easy to write regular expressions which take enormous amounts of time or memory to process.
Oh, come on.
    my_bigasslist = []
    i = 0
    while 1:
        # never terminates: each pass appends a longer string
        i = i + 1
        my_bigasslist.append('bla' * i)
Gets zope to use >>100M in less than 2 secs on a lowly PII 350.
It doesn't matter how easy it is to write a program that exhibits the problem. Rather, how easy it is to write a program that provably cannot exhibit the problem.
The issue with regular expressions is similar to the problems that cause buffer overflow vulnerabilities in C programs. Even experts find it hard to write a non-trivial program that is completely free from problems.
That doesn't mean that C or regular expressions do not have their uses, but I am pleased with the restriction that you cannot use them TTW.
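The CPU timeout and memory quota that the first reply above asks for, as an added example that is not code from this thread or from Zope: one regex match is run in a forked child confined with setrlimit, with an input-length cap as a cheap first check. guarded_match and _match_worker are hypothetical names; the limits and the strings in the usage are constructed, and the approach is Unix-only (fork, RLIMIT_*).

```python
import multiprocessing
import re
import resource

# Hypothetical helper, not Zope code: the child, not the server, pays for a
# pathological pattern or input.  Fork context so the worker needs no import.
_CTX = multiprocessing.get_context("fork")


def _match_worker(pattern, text, cpu_seconds, mem_bytes, conn):
    # Apply the quotas before the first byte of untrusted input is touched.
    # Exceeding RLIMIT_CPU delivers SIGXCPU and kills the child; exceeding
    # RLIMIT_AS makes allocations fail, so a runaway match cannot grow.
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
    resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
    m = re.match(pattern, text)
    conn.send(m.group(0) if m else None)
    conn.close()


def guarded_match(pattern, text, cpu_seconds=1,
                  mem_bytes=512 * 1024 * 1024, max_len=4096):
    """Return ("ok", matched_text_or_None), ("killed", None) or ("timeout", None)."""
    # Cheapest defence first: bound the input before any regex sees it.
    if len(text) > max_len:
        raise ValueError("input longer than %d characters" % max_len)
    parent_end, child_end = _CTX.Pipe(duplex=False)
    proc = _CTX.Process(target=_match_worker,
                        args=(pattern, text, cpu_seconds, mem_bytes, child_end))
    proc.start()
    child_end.close()              # only the child writes from here on
    proc.join(cpu_seconds + 1)     # wall-clock guard on top of the CPU quota
    if proc.is_alive():
        proc.terminate()
        proc.join()
        return ("timeout", None)
    if proc.exitcode != 0:
        # Killed by SIGXCPU, died with MemoryError under RLIMIT_AS, etc.
        return ("killed", None)
    return ("ok", parent_end.recv())


if __name__ == "__main__":
    # Constructed inputs: a benign match, and a nested-quantifier pattern that
    # backtracks exponentially and is cut off by the CPU quota instead.
    print(guarded_match(r"[a-z]+@[a-z]+\.com", "user@example.com"))
    print(guarded_match(r"(a+)+$", "a" * 32 + "b"))
```

The same child could also be given a wall-clock limit on the open connection or a disk quota; the point is that the quota lives outside the code handling the request, so it holds no matter which module wrote the loop.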