Oliver Bleutgen wrote:
Tue Wennerberg wrote:
Regular expressions should be allowed by default.
I've spent some time trying to find out why regular expressions are not allowed in Zope throught-the-web development.
The answer I hear is: "Because it's a security issue". Digging a little deeper, it turns out to be because TTW script developers can cause a Denial of Service from Zope by writing a particular nasty regular expression in a script, causing Zope to use 100% cpu time.
Well, I vaguely remember having participated in a discussion about that also, and I believe I chipped in an example like:
for a in range(0,1000): for b in range(0,1000): for c in range(0,1000):
... you get the picture.
Thus demonstrating that a malicious scripter could always cause a DOS.
My point exactly! The Zope book actually states: "Loop limits Scripts cannot create infinite loops. If your script loops a very large number of times Zope will raise an error. This restriction covers all kinds of loops including for and while loops. The reason or this restriction is to limit your ability to hang Zope by creating an infinite loop." But I'm pretty sure there's always a way around this. Probably your example is one. Point is, you should be able to trust your script developer.
The answer I got, IIRC, was that the point is not to guard against maliciousness, but against stupidity. And if you think about it, it's quite more likely someone writing a working, but extremely bad performing regexp, which kills the server as soon as put into production use, than someone accidently nesting loops like I wrote above. I don't know about you, but I think this argument is at least more convincing than the "malicious scripter" one.
Well, now we're getting somewhere. I believe that "guarding against stupidity" is a much more valid point. However, still not valid enough that regular expressions should be banned, since regular expressions would be such a great feature for Zope. In my eyes, a script developer should be trusted to create well-written code. In other words, badly developed scripts cause a badly developed site, which shouldn't surprise anyone. I don't think Zope should (or can) protect against stupidity. In my experience, when non-expert developers create regular expressions, they are always trivial expressions, which don't cause such problems. Of course a programming error shouldn't be able to shutdown an entire system, but that should be solved in another way (e.g. resource control for individual processes/threads). -- Mvh. Tue Wennerberg Civilingeniør og Freelance Udvikler http://tuewennerberg.dk/ - tue@wennerberg.dk - (+45) 4043 6735