Jim Penny wrote:
> On Wed, Jul 10, 2002 at 03:17:14PM +0100, Ben Avery wrote:
> > well, external methods are python scripts with no safety measures at all, so are potentially much more unsafe than any use of regexps in a python script. So I'd say it's better to allow the re module in your python scripts (see my previous post) than resort to external methods.
> > but I also haven't come across a reason to consider regexps unsafe. I'm sure it's been discussed here before - could someone point us to a post on this subject, please?
> As I understand it, the problem is not so much security, per se, but denial of service. That is, it is extremely easy to write regular expressions which take enormous amounts of time or memory to process.

Oh, come on.

    my_bigasslist = []
    i = 0
    while 1:
        i = i + 1
        my_bigasslist.append('bla' * i)   # list grows without bound

Gets zope to use >>100M in less than 2 secs on a lowly PII 350.

> Worse, the processing time and space is extremely dependent on input, so that apparently well-tested code can suddenly become a liability when exposed to a less than friendly audience. (Think about a line-oriented regex that is furnished a multi-megabyte line.)

    if inputvar == 'killmyserver':
        my_bigassarray = []
        i = 0
        while 1:
            i = i + 1
            my_bigassarray.append('bla' * i)   # same unbounded growth, input-triggered
    else:
        return 'whoa, I was lucky'

> To say it another way, using regex does not make it more likely that you will be cracked. It does make it more likely that your system will appear to be unresponsive, and, if memory exhaustion occurs, dead.

While the examples above wouldn't be written by anybody non-malicious in his right mind, I nonetheless think these arguments are dubious (mind you, I know you just cited them). The arguments Chris brought up in another post seem more convincing, but I just wanted to make sure that the reasoning you stated gets a rebuttal.

cheers,
oliver
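Jim's point above, that regex cost depends on the input rather than on how well-tested the code is, as an added example that is not part of this thread: the two patterns, the near-miss input, the MAX_INPUT cap and guarded_match are all constructed here for illustration and are not anything from Zope or the re module's API.

```python
import re
import time

# Constructed patterns. AMBIGUOUS can split a run of "a"s into groups in
# exponentially many ways, so a near-miss input makes the backtracking
# engine in Python's re module try every split before it gives up.
AMBIGUOUS = re.compile(r"^(a+)+$")
# Same language, but each "a" can only be consumed one way: linear cost.
UNAMBIGUOUS = re.compile(r"^a+$")

# Constructed cap a restricted script could enforce before calling the engine.
MAX_INPUT = 1024


def near_miss(n):
    """Constructed input: n characters that match, then one that cannot."""
    return "a" * n + "b"


def match_seconds(pattern, text, repeat=3):
    """Best-of-`repeat` wall-clock time for one failed match attempt."""
    best = None
    for _ in range(repeat):
        start = time.perf_counter()
        pattern.match(text)
        elapsed = time.perf_counter() - start
        best = elapsed if best is None else min(best, elapsed)
    return best


def cost_growth(pattern, small, large):
    """How many times slower the large near-miss is than the small one.

    A linear pattern gives roughly large/small; an exponential one gives
    roughly 2 ** (large - small), which turns input size into a DoS lever.
    """
    slow = match_seconds(pattern, near_miss(large))
    fast = match_seconds(pattern, near_miss(small))
    return slow / max(fast, 1e-9)


def guarded_match(pattern, text, max_len=MAX_INPUT):
    """Refuse oversized input before the engine sees it.

    Returns True/False for a match decision, or None when the input was
    rejected for length, so 'no match' and 'not checked' stay distinct.
    """
    if len(text) > max_len:
        return None
    return pattern.match(text) is not None


if __name__ == "__main__":
    print("ambiguous, 12 -> 20 chars: %.0fx slower" % cost_growth(AMBIGUOUS, 12, 20))
    print("unambiguous, 200000 chars: %.4fs" % match_seconds(UNAMBIGUOUS, near_miss(200000)))
    print("guarded, 5000-char input:", guarded_match(AMBIGUOUS, near_miss(5000)))
```

Adding eight characters to the near-miss input should make the ambiguous pattern hundreds of times slower, while the unambiguous one handles a 200,000-character line in milliseconds; the length cap is the cheap control a restricted script can apply when it cannot vet every pattern.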