[Zope] DTML, Zope and Regex
Oliver Bleutgen
myzope@gmx.net
Wed, 10 Jul 2002 17:49:43 +0200
Jim Penny wrote:
> On Wed, Jul 10, 2002 at 03:17:14PM +0100, Ben Avery wrote:
>
>>well, external methods are python scripts with no safety measures at
>>all, so are potentially much more unsafe than any use of regexps in a
>>python script. So I'd say it's better to allow the re module in your
>>python scripts (see my previous post) than resort to external methods.
>>
>>but I also haven't come across a reason to consider regexps unsafe. I'm
>>sure it's been discussed here before - could someone point us to a post
>>on this subject, pls ?
>
>
> As I understand it, the problem is not so much security, pro se, but
> denial of service. That is, it is extremely easy to write regular
> expressions which take enormous amounts of time or memory to process.
Oh, come on.
    my_bigasslist = []
    i = 0
    while 1:
        i = i + 1
        # the list grows without bound until the process runs out of memory
        my_bigasslist.append('bla' * i)
Gets zope to use >>100M in less than 2 secs on a lowly PII 350.
>
> Worse, the processing time and space is extremely dependent on input,
> so that apparently well-tested code can suddenly become a liability when
> exposed to a less than friendly audience. (Think about a line-oriented
> regex that is furnished multi-megabyte line.)
    # body of a Zope Python Script, where a top-level return is valid
    if inputvar == 'killmyserver':
        my_bigassarray = []
        i = 0
        while 1:
            i = i + 1
            # same unbounded growth as above, now triggered by one request value
            my_bigassarray.append('bla' * i)
    else:
        return 'whoa, I was lucky'
>
> To say it another way, using regex does not make it more likely that you
> will be cracked. It does make it more likely that your system will
> appear to be unresponsive, and, if memory exhaustion occurs, dead.
While the examples above wouldn't be written by anybody non-malicious
in his right mind, I nonetheless think these arguments are dubious (mind
you, I know you just cited them).
The arguments Chris brought up in another post seem more convincing, but
I just wanted to make sure that the reasoning you stated gets a rebuttal.
cheers,
oliver
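The input-dependent cost Jim describes is easy to see with a pattern whose nested quantifier makes the engine try exponentially many ways to split a non-matching line, and the practical defence for a web-exposed script is to bound what a regex may be asked to process. The example below is added here and is not code from the thread: the two patterns, the size cap and the probe strings are constructed for illustration. Both patterns accept exactly the same strings, so the linear rewrite loses nothing; the length guard is what keeps a bad pattern, or a multi-megabyte line, from tying up the server.

```python
import re
import time

# Constructed patterns (assumptions for this example, not from the thread).
# Both accept one or more 'a', but the nested quantifier in the first lets the
# engine backtrack through exponentially many splits when the input does not match.
BACKTRACKING_PATTERN = re.compile(r'^(a+)+$')
LINEAR_PATTERN = re.compile(r'^a+$')

# Mitigation: a hard upper bound on how much text one request may feed to a regex.
MAX_REGEX_INPUT = 1000


def guarded_match(pattern, text, max_len=MAX_REGEX_INPUT):
    """Apply `pattern` only to inputs of at most `max_len` characters.

    Returns the match object, or None when the input is too long or does not
    match. Rejecting oversized input up front bounds the work a single request
    can cause, independent of how well the pattern itself behaves.
    """
    if len(text) > max_len:
        return None
    return pattern.match(text)


def time_match(pattern, text):
    """Return (matched, seconds) for one pattern.match call."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def same_language(texts):
    """True if both patterns agree on every sample, i.e. the rewrite kept the
    same set of accepted strings."""
    return all(
        (BACKTRACKING_PATTERN.match(t) is None) == (LINEAR_PATTERN.match(t) is None)
        for t in texts
    )


if __name__ == '__main__':
    # Constructed inputs: a run of 'a' plus one character that forces a failed match.
    for n in (10, 14, 18, 20):
        probe = 'a' * n + '!'
        _, slow = time_match(BACKTRACKING_PATTERN, probe)
        _, fast = time_match(LINEAR_PATTERN, probe)
        print('n=%2d  backtracking %.4fs  linear %.6fs' % (n, slow, fast))
    # The guard rejects an oversized line before any pattern sees it.
    print('guarded 5000-char input:', guarded_match(LINEAR_PATTERN, 'a' * 5000))
```

Run it directly to watch the backtracking column grow with each extra character while the linear column stays flat. The standard `re` module offers no timeout, so in a script that processes request data the length cap (or a pattern review for nested quantifiers) is the control that actually limits the cost per request.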