10 Jul 2002, 5:57 p.m.
[Charlie Reiman]
I was agreeing with Toby, until it dawned on me that string.* is available unrestricted. Yes, my regexes may be vulnerable to a DoS attack if someone foists a 4M string at me. But so is string.index and string.rindex and (even worse) string.lower. Besides, as Oliver points out, limiting access to re doesn't mean I can't write code that wantonly consumes all CPU and memory. His example is artificial but it could easily be modified to take parameters from the HTTP REQUEST and still do stupid things.
Heck, if you want to drag the machine down, you do not need to import any modules. Try this:

    str='this will really do it!'
    for n in range(100000): str=str+str

500 MB gone in a few seconds...

Cheers,
Tom P
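An added example (mine, not code from the thread): Tom's point is that hiding `re` buys nothing, so the control has to sit at the OS level. This runs his string-doubling snippet in a child interpreter under RLIMIT_AS and RLIMIT_CPU (Linux; `run_limited`, the default limits and the outcome labels are my own choices), so the runaway allocation ends as a MemoryError in the child rather than taking the host down.

```python
import resource
import subprocess
import sys
import textwrap

# The no-imports snippet from the thread, constructed here as the "untrusted" input.
# Doubling a 23-byte string would need 2**100000 bytes; it dies at the memory cap long before.
UNTRUSTED_SNIPPET = textwrap.dedent("""
    s = 'this will really do it!'
    for n in range(100000):
        s = s + s
""")

def _apply_limits(mem_bytes, cpu_seconds):
    # Runs in the child between fork() and exec(): cap address space and CPU time.
    resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))

def run_limited(code, mem_bytes=128 * 1024 * 1024, cpu_seconds=5, wall_seconds=30):
    """Run `code` in a fresh interpreter under RLIMIT_AS / RLIMIT_CPU (Linux).

    Returns {"outcome", "returncode", "stderr"}; outcome is one of
    "ok", "memory-limit", "killed-signal" (e.g. SIGXCPU), "killed-wall-clock", "error".
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", code],
            capture_output=True, text=True, timeout=wall_seconds,
            preexec_fn=lambda: _apply_limits(mem_bytes, cpu_seconds),
        )
    except subprocess.TimeoutExpired:
        return {"outcome": "killed-wall-clock", "returncode": None, "stderr": ""}
    lines = proc.stderr.strip().splitlines()
    tail = lines[-1] if lines else ""
    if proc.returncode == 0:
        outcome = "ok"
    elif "MemoryError" in proc.stderr:
        outcome = "memory-limit"          # the child hit RLIMIT_AS and died cleanly
    elif proc.returncode < 0:
        outcome = "killed-signal"         # RLIMIT_CPU delivers SIGXCPU, OOM killer SIGKILL
    else:
        outcome = "error"
    return {"outcome": outcome, "returncode": proc.returncode, "stderr": tail}

if __name__ == "__main__":
    print(run_limited("print(sum(range(10)))"))
    print(run_limited(UNTRUSTED_SNIPPET))
```

The same wrapper catches the regex case from Charlie's post, since a pathological `re` match burns CPU time and RLIMIT_CPU ends it with SIGXCPU.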