[Zope] Using regexes in DTML expressions
Duncan Booth
duncan@rcp.co.uk
Wed, 10 Nov 1999 14:28:38 +0000
> On 11/10/99 4:46 AM, Duncan Booth at duncan@rcp.co.uk wrote:
>
> >
> > I cannot see any good reason why this change couldn't be included
> > in the release so I will submit it to the collector.
>
> Remember that things aren't in the space for multiple reasons... *one* of
> them is resource issues. You can't use range because of this. 're' is
> another that can cause HUGE resource problems, as well as allowing people to
> easily (and accidentally, I've done it dozens of times) write regexes which
> are infinitely recursive and crash the server. Having said that, I
> suppose at some point in the future, it'd be nice to control exactly what is
> available in the name-space in a more flexible way, and let individual
> administrators decide.
>
I understand your point (although I cannot ever remember having
that particular problem with a regex myself), but it is a great pity that
you cannot safely include regular expressions in DTML methods. I
wonder whether there is a 'safe' subset of regular expressions that
may be easily detected and permitted while rejecting the potentially
dangerous ones?
Having said that I note that range is in fact permitted these days and
limiting it to a maximum of 1000 prevents users accidentally killing
the server, but does not prevent malicious use (or really unlucky
use) as it can be nested. Equally DTML such as:
<dtml-let s="'oops' * 1000 * 1000 * 10">
<dtml-var s>
</dtml-let>
is a very easy way to bring my system to its knees (for a little while at
least, it does actually recover after a few minutes).
I wonder whether there is any easy way to get Python to limit a
particular thread's cpu time and/or memory usage. Unfortunately I
suspect the answer is 'not without impacting performance'?
--
Duncan Booth duncan@dales.rmplc.co.uk
int month(char *p){return(124864/((p[0]+p[1]-p[2]&0x1f)+1)%12)["\5\x8\3"
"\6\7\xb\1\x9\xa\2\0\4"];} // Who said my code was obscure?
http://dales.rmplc.co.uk/Duncan
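The two questions raised in the message above (is there an easily checked 'safe' subset of regular expressions, and can a match be capped on CPU time?) can be illustrated with an added example. This is not code from the thread, from Zope or from DTML; it is a stand-alone Python 3 illustration written for this page. It assumes a Unix host with the `resource` module, and it leans on Python's private regex parser (`re._parser` on 3.11+, `sre_parse` before that), which is an internal API. The static check is a conservative heuristic, not a proof of safety: it rejects nested quantifiers, alternation inside a quantifier and backreferences, which are the usual ingredients of catastrophic backtracking, and caps pattern and subject length. The second half answers the CPU-time question the way the interpreter cannot answer it in-thread: the SRE engine never checks for signals while matching, so the match is run in a child process whose CPU time is capped with `RLIMIT_CPU` and the kernel, not Python, stops a runaway match.

```python
import re
import subprocess
import sys

# Python 3.11 moved the regex parser to re._parser; older versions expose sre_parse.
try:
    from re import _parser as sre_parse
except ImportError:
    import sre_parse

MAX_PATTERN_LEN = 200      # assumed limits for this illustration
MAX_SUBJECT_LEN = 10_000

# Repetition opcodes; POSSESSIVE_REPEAT only exists on Python 3.11+.
_REPEATS = {sre_parse.MAX_REPEAT, sre_parse.MIN_REPEAT}
if hasattr(sre_parse, "POSSESSIVE_REPEAT"):
    _REPEATS.add(sre_parse.POSSESSIVE_REPEAT)
_BACKREFS = {sre_parse.GROUPREF, sre_parse.GROUPREF_EXISTS}


def _subpatterns(av):
    """Collect every SubPattern nested inside an opcode's argument tuple."""
    found, stack = [], [av]
    while stack:
        item = stack.pop()
        if isinstance(item, sre_parse.SubPattern):
            found.append(item)
        elif isinstance(item, (tuple, list)):
            stack.extend(item)
    return found


def _check(sub, inside_repeat):
    """Walk the parse tree; return a reason string for the first disallowed construct."""
    for op, av in sub:
        if op in _BACKREFS:
            return "backreferences are not allowed"
        if op in _REPEATS and inside_repeat:
            return "nested quantifiers are not allowed"
        if op == sre_parse.BRANCH and inside_repeat:
            return "alternation inside a quantifier is not allowed"
        for child in _subpatterns(av):
            problem = _check(child, inside_repeat or op in _REPEATS)
            if problem:
                return problem
    return None


def vet_pattern(pattern):
    """Return None if the pattern passes the conservative checks, else the reason."""
    if len(pattern) > MAX_PATTERN_LEN:
        return "pattern too long"
    try:
        tree = sre_parse.parse(pattern)
    except re.error as exc:
        return f"invalid pattern: {exc}"
    return _check(tree, inside_repeat=False)


# Source of the child process. RLIMIT_CPU makes the kernel deliver SIGXCPU when the
# budget is spent, which terminates the process even in the middle of a C-level
# backtracking loop that a Python signal handler could never interrupt.
_CHILD = r"""
import re, resource, sys
cpu = int(sys.argv[1])
resource.setrlimit(resource.RLIMIT_CPU, (cpu, cpu))
sys.stdout.write("1" if re.fullmatch(sys.argv[2], sys.argv[3]) else "0")
"""


def run_limited(pattern, subject, cpu_seconds=1):
    """Run re.fullmatch in a child capped at cpu_seconds of CPU time.
    Returns True/False for a completed match, None if the child was killed."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD, str(cpu_seconds), pattern, subject],
            capture_output=True, text=True, timeout=cpu_seconds + 5)  # wall-clock backstop
    except subprocess.TimeoutExpired:
        return None
    if proc.returncode != 0:       # SIGXCPU or any other abnormal exit
        return None
    return proc.stdout == "1"


def safe_fullmatch(pattern, subject, cpu_seconds=1):
    """Static vetting first, then the CPU-capped match: both layers together."""
    problem = vet_pattern(pattern)
    if problem:
        raise ValueError(problem)
    if len(subject) > MAX_SUBJECT_LEN:
        raise ValueError("subject too long")
    return run_limited(pattern, subject, cpu_seconds)


if __name__ == "__main__":
    # Constructed demo inputs: one benign pattern, one classic backtracking pattern.
    print(safe_fullmatch(r"[a-z]+@[a-z]+\.[a-z]+", "alice@example.com"))
    print(vet_pattern(r"(a+)+$"))                      # rejected statically
    print(run_limited(r"(a+)+$", "a" * 40 + "!", 1))    # None: killed by the CPU cap
```

The static check is deliberately strict: it will refuse some harmless patterns, which is the right trade-off when the patterns come from template authors rather than from the administrator. The process-level cap is the only part that gives a hard guarantee, and it costs a fork per match, which is the performance impact the message anticipates.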