Jim Penny wrote:
On Wed, Jul 10, 2002 at 09:56:32AM -0700, Charlie Reiman wrote:
I was agreeing with Toby, until it dawned on me that string.* is available unrestricted. Yes, my regexes may be vulnerable to a DOS attack if someone foists a 4M string at me. But so is string.index and string.rindex and (even worse) string.lower. Besides, as Oliver points out, limiting access to re doesn't mean I can't write code that wantonly consumes all CPU and memory. His example is artificial but it could easily be modified to take parameters from the HTTP REQUEST and still do stupid things.
Yes, but at least each is linear w.r.t. input size. regexes can be exponential. Damn, I am trying to remember: it feels to me that they can be factorial (but this would be hard to do accidentally).
If the issue is resource (CPU or memory or disk) consumption, then trying to limit package availability is never going to be a 100% solution. To limit resource consumption, you must (wait for it....) limit resource consumption. In other words, requests need CPU timeouts and memory quotas.
True -- it is not, and was never intended to be a 100% solution. It was an engineering tradeoff. And I suspect that the needs of Zope Hosting providers was weighed heavily. They would want to be able to look at a user's code that was taking a lot of resource and quickly make a decision on whether to continue to have him as a customer. regexes would certainly make that more difficult. I don't know any of this, I am as far outside Zope decision making circles as can be.
I think I am beginning to understand the scope of the decision to exclude regex support: more security for the future Zope ISPs vs. less convenience for the future Zope developers; however, don't you all think that potential Zope developers may be discouraged when they know they have to contact their ISP to install an external method or product if they have something that requires a simple regex in their DTML/TAL code, as opposed to a developer who is working on an Apache/PHP solution, and has all the functionality PHP offers including regex support (with the restrictions the admin imposes on users via php.ini) without having to ask the ISP for anything special (except if they need something more specialized like ImageMagick support)? Looks like the security issue may be stepping on the usability issue's toes, which ultimately may interfere with wider adoption, as developers with access to their own boxes will be more likely to go for Zope than developers relying on ISPs. Wouldn't it be better to somehow limit how much 'damage' developers can do in their own work area (via the Monster module, or zoped.ini for example), and give them enough rope to hang themselves, but not to crash the system? Don't know if that is possible, just an idea.
So to rephrase the original question: Assuming I'm willing to risk the DOS attacks, is there any other security risk to opening up regexes for Zope use? Is there some way a hacker can assume control of my Zope server or change its content because I decided to utilize regexes in my Python scripts?
Not to my knowledge. In fact, I doubt it; the regex compilation process is completely uncontrollable by input, and I would be surprised if there were any problems in the match algorithm that could be exploited by input (although I seem to recall dimly problems with Unicode).
You don't have to tell me how, of course. Just let me know if it is possible.
Jim Penny
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
-- Jorge O. Martinez MIS Senior Associate FDCH-eMedia Inc. 2400 Forbes Blvd., Suite 200 Lanham, MD 20706 E-mail => jmartinez@eMediaMillWorks.com Phone => (301)731-1228 ext. 105 Fax => (301)731-0937
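Added example, not code from this thread nor from Zope or Python's re module: a toy backtracking matcher with a step counter that makes the "linear vs. exponential" point in the exchange above concrete. The tiny pattern language (literals, '.', groups, '+', '*', '$') and the names parse/match/demo are my own. The step count for (a+)+$ against "aaa...ab" doubles with every extra 'a' (exactly 2^(n+3) - 4 calls for n a's in this engine), while a+$ on the same input stays linear (3n + 2). The demo() at the bottom also times CPython's own re on the same inputs, which backtracks the same way.

```python
"""Toy backtracking regex engine with a step counter (added example)."""
import re
import time


def parse(pattern):
    """Parse the tiny pattern language into a node list."""
    seq, i = _parse_seq(pattern, 0)
    if i != len(pattern):
        raise ValueError("unbalanced ')' in pattern")
    return seq


def _parse_seq(pat, i):
    seq = []
    while i < len(pat):
        c = pat[i]
        if c == ")":
            return seq, i
        if c == "(":
            inner, i = _parse_seq(pat, i + 1)
            if i >= len(pat) or pat[i] != ")":
                raise ValueError("missing ')' in pattern")
            seq.append(("group", inner))
        elif c in "+*":
            if not seq:
                raise ValueError("quantifier with nothing to repeat")
            atom = seq.pop()
            seq.append(("repeat", [atom], 1 if c == "+" else 0))
        elif c == "$":
            seq.append(("end",))
        elif c == ".":
            seq.append(("any",))
        else:
            seq.append(("lit", c))
        i += 1
    return seq, i


def _match(nodes, idx, pos, text, k, counter):
    """Match nodes[idx:] at pos, then call continuation k(new_pos).
    Every call is one 'step' of backtracking work."""
    counter[0] += 1
    if idx == len(nodes):
        return k(pos)
    node = nodes[idx]

    def rest(p):
        return _match(nodes, idx + 1, p, text, k, counter)

    kind = node[0]
    if kind == "lit":
        return pos < len(text) and text[pos] == node[1] and rest(pos + 1)
    if kind == "any":
        return pos < len(text) and rest(pos + 1)
    if kind == "end":
        return pos == len(text) and rest(pos)
    if kind == "group":
        return _match(node[1], 0, pos, text, rest, counter)
    # "repeat": greedy, try one more iteration before giving up on the loop.
    sub, minimum = node[1], node[2]

    def loop(p, count):
        # q != p forbids zero-width iterations, which would loop forever.
        if _match(sub, 0, p, text, lambda q: q != p and loop(q, count + 1), counter):
            return True
        return count >= minimum and rest(p)

    return loop(pos, 0)


def match(pattern, text):
    """Anchored match (like re.match). Returns (matched, steps)."""
    counter = [0]
    ok = _match(parse(pattern), 0, 0, text, lambda p: True, counter)
    return bool(ok), counter[0]


def demo():
    # Constructed inputs: a run of n 'a's followed by a 'b' that defeats '$'.
    for n in (8, 10, 12):
        print(f"n={n:2d}  a+$ steps={match('a+$', 'a' * n + 'b')[1]:4d}"
              f"  (a+)+$ steps={match('(a+)+$', 'a' * n + 'b')[1]}")
    # The same blow-up in CPython's real engine, measured by wall clock.
    for n in (16, 18, 20):
        t = time.perf_counter()
        re.match(r"(a+)+$", "a" * n + "b")
        print(f"re.match (a+)+$ n={n}: {time.perf_counter() - t:.3f}s")


if __name__ == "__main__":
    demo()
```

The failing input is what matters: on a string that does match, (a+)+$ finishes at once; the cost appears only when the engine must exhaust every way of splitting the run of a's before it can report failure, which is why an attacker controls the cost by controlling the input, not the pattern.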
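Added example for the "requests need CPU timeouts and memory quotas" point made above; this is not Zope code and the names bounded_match and _cap_cpu are mine. It evaluates re.fullmatch in a forked child whose CPU time is capped with RLIMIT_CPU, and the parent also keeps a wall-clock deadline in case the limit is not enforced. Assumes a POSIX system (os.fork, resource).

```python
"""CPU-bounded regex evaluation in a forked child (added example)."""
import os
import re
import resource
import select
import signal


def _cap_cpu(seconds):
    """Lower this process's CPU-time limit; never raise it above the current hard limit."""
    _soft, hard = resource.getrlimit(resource.RLIMIT_CPU)
    new_hard = seconds + 1 if hard == resource.RLIM_INFINITY else min(hard, seconds + 1)
    # Soft limit delivers SIGXCPU (default action: terminate); hard limit is a SIGKILL backstop.
    resource.setrlimit(resource.RLIMIT_CPU, (min(seconds, new_hard), new_hard))


def bounded_match(pattern, text, cpu_seconds=1, wall_seconds=None):
    """Return True/False for re.fullmatch(pattern, text), or None if the
    evaluation blew its CPU budget (or wall-clock deadline) and was killed."""
    compiled = re.compile(pattern)          # bad syntax fails here, in the parent
    if wall_seconds is None:
        wall_seconds = cpu_seconds * 3
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                            # child: do the risky work under a limit
        os.close(rfd)
        try:
            _cap_cpu(cpu_seconds)
            hit = compiled.fullmatch(text) is not None
            os.write(wfd, b"1" if hit else b"0")
        finally:
            os._exit(0)
    os.close(wfd)                           # parent: wait for a verdict byte or EOF
    try:
        ready, _, _ = select.select([rfd], [], [], wall_seconds)
        verdict = os.read(rfd, 1) if ready else b""
    finally:
        os.close(rfd)
    if verdict == b"":
        # No answer: the child died of SIGXCPU (pipe closed on EOF) or is still
        # spinning past the wall-clock deadline. Kill it either way and reap it.
        try:
            os.kill(pid, signal.SIGKILL)
        except ProcessLookupError:
            pass
        os.waitpid(pid, 0)
        return None
    os.waitpid(pid, 0)
    return verdict == b"1"


if __name__ == "__main__":
    # Constructed inputs: the same catastrophic pattern as in the thread.
    print(bounded_match(r"(a+)+$", "a" * 12))               # True, instant
    print(bounded_match(r"(a+)+$", "a" * 12 + "b"))         # False, instant
    print(bounded_match(r"(a+)+$", "a" * 40 + "b", 1))      # None after ~1s of CPU
```

The fork is deliberate: in CPython a regex match runs inside one C call that does not return to the interpreter until it finishes, so signal.alarm in the same process would not interrupt it; the kernel-enforced limit on a separate process is what actually bounds the damage.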