On Fri, Jan 17, 2003 at 03:36:25PM +0100, Tue Wennerberg wrote:
Mike Renfro wrote:
Basic summary: easy denial of service possibility if you have untrusted users.
But... If it's only a question of Denial of Service, how are regular expressions any different from Python scripts? Surely, a site developer can simply make an infinite loop in his Python script.
Here's my guess for the difference: whatever code is contained in the script is the developer's sole responsibility. However, a common regex usage would require input from an untrusted *user* (at least on a public site), and the developer can't necessarily plan for all possible inputs that a malicious user might stick in there.

-- 
Mike Renfro  / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- renfro@tntech.edu
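The distinction drawn in the reply above, as an added example that is not part of the original messages: the same fixed pattern costs one step on one input and exponentially many on another, so the work is set by whoever supplies the string. The pattern `^(a+)+$`, the toy step-counting matcher (not Python's `re` engine), and all names and limits are assumptions constructed for illustration.

```python
class BudgetExceeded(Exception):
    """Raised when a match uses more steps than the caller allows."""


def match_nested_plus(text, budget=None):
    """Backtracking match of the constructed pattern ^(a+)+$ against text.

    Returns (matched, steps). Raises BudgetExceeded past `budget` steps.
    """
    steps = 0

    def group(pos):
        # One repetition of "(a+)" starting at pos: find the longest run of
        # 'a', then try every shorter run in turn (greedy backtracking).
        nonlocal steps
        end = pos
        while end < len(text) and text[end] == "a":
            end += 1
        for stop in range(end, pos, -1):  # a+ consumes text[pos:stop]
            steps += 1
            if budget is not None and steps > budget:
                raise BudgetExceeded(steps)
            # Succeed at end of input, otherwise try another repetition.
            if stop == len(text) or group(stop):
                return True
        return False

    return group(0), steps


def guarded_match(text, max_len=256, budget=10_000):
    """Defensive wrapper for untrusted input: cap length and work per call."""
    if len(text) > max_len:
        return "rejected: too long"
    try:
        matched, _ = match_nested_plus(text, budget)
    except BudgetExceeded:
        return "rejected: step budget exceeded"
    return "match" if matched else "no match"


if __name__ == "__main__":
    # Constructed inputs: n 'a' characters followed by one 'b' cost 2**n - 1 steps.
    for n in (4, 8, 12, 16):
        print(n, match_nested_plus("a" * n + "b"))
    print(guarded_match("a" * 40 + "b"))
```

The developer's own infinite loop is visible in code review; here the pattern looks harmless and only the input length and step budget bound what a request can cost.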