[Zope] DTML, Zope and Regex
Toby Dickenson
tdickenson@geminidataloggers.com
Wed, 10 Jul 2002 17:12:08 +0100
On Wednesday 10 Jul 2002 4:49 pm, Oliver Bleutgen wrote:
> > As I understand it, the problem is not so much security, per se, but
> > denial of service. That is, it is extremely easy to write regular
> > expressions which take enormous amounts of time or memory to process.
>
> Oh, come on.
>
> my_bigasslist=[]
> i=0
> while(1):
>     # unbounded loop: the list grows until the process runs out of memory
>     i=i+1
>     my_bigasslist.append('bla'*i)
>
> Gets zope to use >>100M in less than 2 secs on a lowly PII 350.
It doesn't matter how easy it is to write a program that exhibits the problem.
What matters is how easy it is to write a program that provably cannot exhibit the
problem.
The issue with regular expressions is similar to the problems that cause
buffer overflow vulnerabilities in C programs. Even experts find it hard to
write a non-trivial program that is completely free from problems.
That doesn't mean that C or regular expressions do not have their uses, but I
am pleased with the restriction that you cannot use them TTW.
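The kind of pattern Toby's comparison is about, as an added illustration that is not part of the thread: a nested quantifier that backtracks exponentially on a near-miss input, the unambiguous rewrite of the same pattern, and a length cap as a fallback when a pattern cannot be rewritten. The patterns, inputs and helper names are constructed for this example.

```python
import re
import time

# Constructed illustration: nested quantifiers over the same characters
# make the engine try every way of splitting the 'a's when the overall
# match fails, so the work grows as 2**n on a near-miss input.
PATHOLOGICAL = re.compile(r"^(a+)+$")
# Same language, unambiguous: each 'a' can be consumed in only one way.
SAFE = re.compile(r"^a+$")


def near_miss(n):
    """An input that almost matches: n 'a's followed by a character that cannot."""
    return "a" * n + "!"


def timed_match(pattern, text):
    """Return (matched, seconds) for pattern.match(text)."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def growth(pattern, sizes):
    """Seconds taken on near-miss inputs of each size; exponential for PATHOLOGICAL."""
    return [timed_match(pattern, near_miss(n))[1] for n in sizes]


def bounded_match(pattern, text, max_len=64):
    """Defensive wrapper: refuse oversized input before the engine sees it.

    A length cap bounds the worst case even when the pattern cannot be rewritten.
    Raises ValueError when the input is rejected, otherwise returns the match object.
    """
    if len(text) > max_len:
        raise ValueError("input too long for this pattern")
    return pattern.match(text)


if __name__ == "__main__":
    sizes = (12, 16, 20)
    for n, secs in zip(sizes, growth(PATHOLOGICAL, sizes)):
        print(f"pathological n={n}: {secs:.4f}s")
    for n, secs in zip(sizes, growth(SAFE, sizes)):
        print(f"safe         n={n}: {secs:.6f}s")
```

Running it shows the pathological timings roughly doubling with every extra character while the rewritten pattern stays flat, which is the measurement to take before letting any user-supplied pattern near production input.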