On Wednesday 10 Jul 2002 4:49 pm, Oliver Bleutgen wrote:
As I understand it, the problem is not so much security, per se, but denial of service. That is, it is extremely easy to write regular expressions which take enormous amounts of time or memory to process.
Oh, come on.
    # grows a list without bound until the process runs out of memory
    my_bigasslist=[]
    i=0
    while(1):
        i=i+1
        my_bigasslist.append('bla'*i)
Gets zope to use >>100M in less than 2 secs on a lowly PII 350.
It doesn't matter how easy it is to write a program that exhibits the problem. Rather, how easy it is to write a program that provably cannot exhibit the problem. The issue with regular expressions is similar to the problems that cause buffer overflow vulnerabilities in C programs. Even experts find it hard to write a non-trivial program that is completely free from problems. That doesn't mean that C or regular expressions do not have their uses, but I am pleased with the restriction that you cannot use them TTW.
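The "provably cannot exhibit the problem" point above is the one a defender can act on: rather than trusting authors to avoid pathological patterns, bound the work the matcher is allowed to do. The following is an added illustration, not code from this thread, from Zope, or from Python's `re` module (which offers no such budget). It is a small Pike-style backtracking matcher (literals, `.`, `c*`, `^`, `$`) with a shared step counter: a pattern that would otherwise backtrack for a very long time fails fast with an exception instead of tying up the server. The `max_steps` value, the `StepBudgetExceeded` name and the sample patterns are all constructed for the example.

```python
"""Step-budgeted regex matching (constructed example, not Zope code).

Supported syntax: literal characters, '.' (any one character),
'c*' (zero or more of the preceding character), '^' (anchor at start),
'$' (anchor at end). Every recursive step charges a shared budget; when
the budget is exhausted the search is abandoned with StepBudgetExceeded,
so the worst case is bounded by max_steps rather than by the input.
"""


class StepBudgetExceeded(Exception):
    """Raised when a match attempt does more work than it was allowed."""


class _Budget:
    def __init__(self, limit):
        self.limit = limit
        self.used = 0

    def tick(self):
        self.used += 1
        if self.used > self.limit:
            raise StepBudgetExceeded(
                f"regex search exceeded {self.limit} steps (input rejected)")


def match(pattern, text, max_steps=10_000):
    """Return True if pattern matches anywhere in text.

    max_steps (hypothetical tuning knob) caps the number of recursive
    match steps across the whole search, including retries at every
    starting position.
    """
    budget = _Budget(max_steps)
    if pattern.startswith("^"):
        return _match_here(pattern[1:], text, budget)
    # Unanchored: try each starting offset, including the empty tail.
    for i in range(len(text) + 1):
        if _match_here(pattern, text[i:], budget):
            return True
    return False


def _match_here(pattern, text, budget):
    budget.tick()                       # every step costs one unit
    if pattern == "":
        return True
    if len(pattern) >= 2 and pattern[1] == "*":
        return _match_star(pattern[0], pattern[2:], text, budget)
    if pattern == "$":
        return text == ""
    if text and (pattern[0] == "." or pattern[0] == text[0]):
        return _match_here(pattern[1:], text[1:], budget)
    return False


def _match_star(c, pattern, text, budget):
    # Try the remainder first, then consume one more c and retry; this
    # is where the combinatorial blow-up of stacked stars lives.
    i = 0
    while True:
        if _match_here(pattern, text[i:], budget):
            return True
        if i < len(text) and (c == "." or text[i] == c):
            i += 1
        else:
            return False


def exceeds_budget(pattern, text, max_steps=10_000):
    """True if matching pattern against text blows the step budget."""
    try:
        match(pattern, text, max_steps)
    except StepBudgetExceeded:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a benign match and a stacked-star pattern that
    # cannot match (no 'b' present) and would otherwise backtrack through
    # hundreds of thousands of states before giving up.
    print(match("^h.llo$", "hello"))                      # True
    print(match("a*a*a*a*b", "a" * 60 + "b"))             # True
    print(exceeds_budget("a*a*a*a*b", "a" * 60))          # True
```

The budget turns an open-ended cost into a fixed one: the operator chooses `max_steps` from the latency they are willing to tolerate, and anything beyond it is refused rather than served. The same idea applies to the memory example earlier in the thread, where the bound would be a per-request memory or wall-clock limit enforced by the host rather than by the code being run.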