Re: [Zope] Regular expressions insecurity?
Mike Renfro wrote:
On Fri, Jan 17, 2003 at 02:04:57PM +0100, Tue Wennerberg wrote:
I pretty much knew it was a FAQ (should have mentioned that). It came up on our local user group list twice this week. But.. I've googled, I've searched Zope.org and I've checked the archives for this mailing list, but never found an actual explanation.
http://zope.nipltd.com/public/lists/zope-archive.nsf/ByKey/B2A709748C869DA5
Basic summary: easy denial of service possibility if you have untrusted users.
Thank you very much. I did read that mail, but apparently not thoroughly enough. But... If it's only a question of Denial of Service, how are regular expressions any different from Python scripts? Surely, a site developer can simply make an infinite loop in his Python script. On that basis, I claim that either regular expressions should be allowed, or Python scripts should be banned! What am I missing?
--
Best regards,
Tue Wennerberg
M.Sc. in Engineering and Freelance Developer
http://tuewennerberg.dk/ - tue@wennerberg.dk - (+45) 4043 6735
On Fri, Jan 17, 2003 at 03:36:25PM +0100, Tue Wennerberg wrote:
Mike Renfro wrote:
Basic summary: easy denial of service possibility if you have untrusted users.
But... If it's only a question of Denial of Service, how are regular expressions any different from Python scripts? Surely, a site developer can simply make an infinite loop in his Python script.
Here's my guess for the difference: whatever code is contained in the script is the developer's sole responsibility. However, a common regex usage would require input from an untrusted *user* (at least on a public site), and the developer can't necessarily plan for all possible inputs that a malicious user might stick in there.
--
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- renfro@tntech.edu
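The distinction Mike draws, as an added Python example that is not part of the original thread: a developer's own loop only does what was written, whereas a backtracking regex applied to user-supplied text does as much work as the input makes it do, so the defence is to bound the input and use a pattern whose cost does not depend on it. The pattern, the size cap and the function names are constructed for illustration.

```python
import re
import time

# Constructed for illustration (not code from the thread or from Zope).
# Nested quantifiers make this pattern ambiguous: given an all-"a" prefix that
# ends in a non-matching character, the backtracking engine tries every way of
# splitting the prefix into groups before giving up, so work grows as 2**n.
AMBIGUOUS = re.compile(r"^(a+)+$")
# Same language, but each character can be consumed in exactly one way, so a
# failing match costs linear time regardless of input.
UNAMBIGUOUS = re.compile(r"^a+$")

MAX_INPUT = 64  # hard cap applied to untrusted input before any matching


def check_unguarded(user_input: str) -> bool:
    """The case the thread warns about: user-controlled text meets an
    ambiguous backtracking regex with no bound on its size."""
    return AMBIGUOUS.match(user_input) is not None


def check_guarded(user_input: str) -> bool:
    """Hardened version: refuse oversized input, then use the unambiguous
    pattern so matching cost no longer depends on what the user typed."""
    if len(user_input) > MAX_INPUT:
        raise ValueError("input too long")
    return UNAMBIGUOUS.match(user_input) is not None


def patterns_agree(samples) -> bool:
    """True if the rewrite accepts exactly the strings the original accepts."""
    return all((AMBIGUOUS.match(s) is None) == (UNAMBIGUOUS.match(s) is None)
               for s in samples)


def timed(fn, arg):
    """Return (result, seconds) so the growth in matching time can be observed."""
    t0 = time.perf_counter()
    result = fn(arg)
    return result, time.perf_counter() - t0


if __name__ == "__main__":
    # Near-miss inputs force the worst case; time roughly doubles with each "a".
    for n in (12, 16, 20):
        _, secs = timed(check_unguarded, "a" * n + "!")
        print(f"unguarded, n={n}: {secs:.4f}s")
    _, secs = timed(check_guarded, "a" * (MAX_INPUT - 1) + "!")
    print(f"guarded, n={MAX_INPUT - 1}: {secs:.6f}s")
```

Running the module directly prints the timings; the guarded check stays flat because the cap and the unambiguous pattern together remove the user's control over the amount of work.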