Re: Regular expressions insecurity? (Tue Wennerberg)
<educated_guess> I think xrange() is limited in Zope so that you can't use it to produce a huge auxiliary d.s. (list of numbers to iterate over). A nasty re on the right data would probably produce some huge data structures too. Can't rewrite every package for Zope... </educated_guess>

Pity because I love re. But of course you can probably get by with an external method.

Matt
Matt Young wrote:
> Re: Regular expressions insecurity? (Tue Wennerberg)
> <educated_guess> I think xrange() is limited in Zope so that you can't use it to produce a huge auxiliary d.s. (list of numbers to iterate over). A nasty re on the right data would probably produce some huge data structures too. Can't rewrite every package for Zope... </educated_guess>
> Pity because I love re. But of course you can probably get by with an external method.

I love regular expressions too. But having to create an external method is just too cumbersome for everyday work. I think Zope is missing out on a great feature here, without getting more security in return.

I wish I could get some form of reply from a definitive source (core developers, maybe?).

-- 
Best regards, Tue Wennerberg
Civil Engineer and Freelance Developer
http://tuewennerberg.dk/ - tue@wennerberg.dk - (+45) 4043 6735
Tue Wennerberg wrote at 2003-1-19 18:05 +0100:
> Matt Young wrote:
> ...
> I love regular expressions too. But having to create an external method is just too cumbersome for everyday work. I think Zope is missing out on a great feature here, without getting more security in return.

I think 1 generic External Method will do it:

External Method that has input parameters like "re.compile" and returns a wrapper for the compiled regular expression. The wrapper can provide the methods of compiled regular expressions, again wrapping the results if necessary (such as for match objects).

Are you a volunteer?

> I wish I could get some form of reply from a definitive source (core developers, maybe?).

I would need about an afternoon to implement it, but I did not yet need regular expressions in TTW code...

Dieter
Dieter Maurer wrote:
> Tue Wennerberg wrote at 2003-1-19 18:05 +0100:
>> Matt Young wrote:
>> ...
>> I love regular expressions too. But having to create an external method is just too cumbersome for everyday work. I think Zope is missing out on a great feature here, without getting more security in return.
> I think 1 generic External Method will do it:
> External Method that has input parameters like "re.compile" and returns a wrapper for the compiled regular expression.
> The wrapper can provide the methods of compiled regular expressions, again wrapping the results if necessary (such as for match objects).
> Are you a volunteer?

Sure, but why is this a better solution than to allow the 're' module by default? I'm not trying to be clever, I'm simply asking because I don't know :-) I'm also trying to get peer review on the thought of allowing 're', because some people are claiming it's a security issue.

>> I wish I could get some form of reply from a definitive source (core developers, maybe?).
> I would need about an afternoon to implement it, but I did not yet need regular expressions in TTW code...

To justify my stubbornness: When I started with Zope, I asked for regular expressions. Two people in my Zope User Group asked for it, independently. Also, I've seen it once or twice on #zope.

-- 
Best regards, Tue Wennerberg
Civil Engineer and Freelance Developer
http://tuewennerberg.dk/ - tue@wennerberg.dk - (+45) 4043 6735
Tue Wennerberg wrote at 2003-1-20 22:40 +0100:
> Dieter Maurer wrote:
>> I think 1 generic External Method will do it:
>> External Method that has input parameters like "re.compile" and returns a wrapper for the compiled regular expression.
>> The wrapper can provide the methods of compiled regular expressions, again wrapping the results if necessary (such as for match objects).
>> Are you a volunteer?
> Sure, but why is this a better solution than to allow the 're' module by default? I'm not trying to be clever, I'm simply asking because I don't know :-)

It is not that trivial.

The "re" engine creates type instances ("compiled regular expression"; "match"). In order to use them, they must get security declarations. However, they are not prepared for the corresponding assignments. Therefore, wrapper classes are necessary. They provide the security declarations and delegate method calls to the wrapped instances.

Dieter
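Dieter's wrapper idea, together with Matt's earlier worry about a regex producing huge data structures, sketched as an added example in plain Python (my own code, not anything posted in the thread or shipped with Zope): compile_re plays the External Method, the two wrapper classes delegate to the real re objects so that the unprotected instances are never handed to TTW code, and the MAX_INPUT / MAX_RESULTS caps are an assumption of mine, as is standing in for Zope's real security declarations with only the __allow_access_to_unprotected_subobjects__ attribute.

```python
import re

# Assumed caps, added to address the "huge data structure" concern.
MAX_INPUT = 10_000    # longest subject string a TTW caller may pass
MAX_RESULTS = 1_000   # most matches findall() will collect


class MatchWrapper:
    """Exposes part of a match object by delegation; never hands it out."""
    __allow_access_to_unprotected_subobjects__ = 1  # Zope: callable from TTW code

    def __init__(self, m):
        self._m = m

    def group(self, *args):
        return self._m.group(*args)


class RegexWrapper:
    """Delegates to a compiled pattern and wraps the match objects it returns."""
    __allow_access_to_unprotected_subobjects__ = 1

    def __init__(self, compiled):
        self._re = compiled

    def _check(self, s):
        if len(s) > MAX_INPUT:
            raise ValueError("subject string too long for TTW regex")
        return s

    def search(self, s):
        m = self._re.search(self._check(s))
        return MatchWrapper(m) if m else None

    def findall(self, s):
        # Whole-match strings only, collected under a hard cap so the
        # result list can never grow without bound.
        found = []
        for m in self._re.finditer(self._check(s)):
            if len(found) >= MAX_RESULTS:
                raise ValueError("too many matches for TTW regex")
            found.append(m.group(0))
        return found

    def sub(self, repl, s, count=0):
        return self._re.sub(repl, self._check(s), count=count)


def compile_re(pattern, flags=0):
    """External Method body: takes re.compile's parameters, returns a wrapper."""
    return RegexWrapper(re.compile(pattern, flags))
```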