Tue Wennerberg wrote:
Regular expressions should be allowed by default.
I've spent some time trying to find out why regular expressions are not allowed in Zope through-the-web development.
The answer I hear is: "Because it's a security issue". Digging a little deeper, it turns out to be because TTW script developers can cause a Denial of Service from Zope by writing a particularly nasty regular expression in a script, causing Zope to use 100% cpu time.
Well, I vaguely remember having participated in a discussion about that also, and I believe I chipped in an example like:

for a in range(0,1000): for b in range(0,1000): for c in range(0,1000): ...

you get the picture. Thus demonstrating that a malicious scripter could always cause a DOS.

The answer I got, IIRC, was that the point is not to guard against maliciousness, but against stupidity. And if you think about it, it's quite a bit more likely that someone writes a working, but extremely badly performing regexp which kills the server as soon as it is put into production use, than that someone accidentally nests loops like I wrote above.

I don't know about you, but I think this argument is at least more convincing than the "malicious scripter" one. After all, the absence of strcpy() in python is a feature, isn't it? ;)

cheers,
oliver
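The "extremely badly performing regexp" the thread talks about has a well-known shape: a nested quantifier that makes a backtracking engine do exponential work on input that does not match. The following is an added example (not code from the Zope list, and not Zope's own mechanism) that measures that growth in Python's `re`, beside an equivalent pattern that runs in linear time and a constructed input-length cap as the cheap mitigation.

```python
import re
import time

# Added example, not code from the thread above. Demonstrates the failure
# mode discussed: exponential backtracking on a non-matching input.

# Nested quantifier: on "aaaa...ab" the engine tries every way to split the
# run of a's between the inner and outer groups before giving up.
CATASTROPHIC = re.compile(r"^(a+)+$")
# Accepts exactly the same strings, but with a single quantifier.
LINEAR = re.compile(r"^a+$")
# Constructed cap: reject oversized input before any regex work is done.
MAX_INPUT_LEN = 64


def non_matching_input(n):
    """Constructed worst-case input: n a's followed by a character that
    forces the overall match to fail."""
    return "a" * n + "b"


def time_match(pattern, text):
    """Return (matched, seconds) for one match attempt."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def growth_ratio(pattern, small_n, large_n):
    """How much longer the match takes when the input grows from small_n to
    large_n a's: roughly 2**(large_n - small_n) for CATASTROPHIC, close to
    large_n / small_n for LINEAR."""
    _, t_small = time_match(pattern, non_matching_input(small_n))
    _, t_large = time_match(pattern, non_matching_input(large_n))
    return t_large / max(t_small, 1e-9)


def guarded_match(pattern, text, limit=MAX_INPUT_LEN):
    """Mitigation: bound the input length before handing it to the engine."""
    if len(text) > limit:
        raise ValueError("input longer than %d characters" % limit)
    return pattern.match(text) is not None


if __name__ == "__main__":
    for n in (10, 15, 20):
        _, secs = time_match(CATASTROPHIC, non_matching_input(n))
        print("n=%d catastrophic: %.4fs" % (n, secs))
    print("n=20 linear: %.6fs" % time_match(LINEAR, non_matching_input(20))[1])
```

Running the script shows the catastrophic pattern's time roughly doubling with every extra `a`, while the linear rewrite stays in the microsecond range; the length cap is what keeps a careless pattern from ever seeing a large enough input to matter.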