[Zope] DTML, Zope and Regex

Charlie Reiman creiman@kefta.com
Wed, 10 Jul 2002 09:56:32 -0700


I was agreeing with Toby, until it dawned on me that string.* is available
unrestricted. Yes, my regexes may be vulnerable to a DOS attack if someone
foists a 4M string at me. But so is string.index and string.rindex and (even
worse) string.lower. Besides, as Oliver points out, limiting access to re
doesn't mean I can't write code that wantonly consumes all CPU and memory.
His example is artificial but it could easily be modified to take parameters
from the HTTP REQUEST and still do stupid things.

If the issue is resource (CPU or memory or disk) consumption, then trying to
limit package availability is never going to be a 100% solution. To limit
resource consumption, you must (wait for it....) limit resource consumption.
In other words, requests need CPU timeouts and memory quotas.

So to rephrase the original question: Assuming I'm willing to risk the DOS
attacks, is there any other security risk to opening up regexes for Zope use?
Is there some way a hacker can assume control of my Zope server or change
its content because I decided to utilize regexes in my Python scripts?

You don't have to tell me how, of course. Just let me know if it is
possible.

> -----Original Message-----
> From: zope-admin@zope.org [mailto:zope-admin@zope.org]On Behalf Of Toby
> Dickenson
> Sent: Wednesday, July 10, 2002 9:12 AM
> To: Oliver Bleutgen; zope@zope.org
> Subject: Re: [Zope] DTML, Zope and Regex
>
>
> On Wednesday 10 Jul 2002 4:49 pm, Oliver Bleutgen wrote:
>
> > > As I understand it, the problem is not so much security, pro se, but
> > > denial of service.  That is, it is extremely easy to write regular
> > > expressions which take enormous amounts of time or memory to process.
> >
> > Oh, come on.
> >
> > my_bigasslist=[]
> > i=0
> > while(1):
> >    i=i+1
> >    my_bigasslist.append('bla'*i)
> >
> > Gets zope to use >>100M in less than 2 secs on a lowly PII 350.
>
> It doesn't matter how easy it is to write a program that exhibits
> the problem. Rather, how easy it is to write a program that provably
> cannot exhibit the problem.
>
> The issue with regular expressions is similar to the problems that cause
> buffer overflow vulnerabilities in C programs. Even experts find it hard
> to write a non-trivial program that is completely free from problems.
>
> That doesn't mean that C or regular expressions do not have their
> uses, but I am pleased with the restriction that you cannot use them TTW.
>
>
>
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
>
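Charlie's point above (limit the resource, not the module: per-request CPU timeouts and memory quotas) worked out as an added example; this is not code from the thread or from Zope. The match is forked into a child whose rlimits the kernel enforces, so a pathological pattern is killed instead of stalling the server. `bounded_search`, `_child_match`, the quota values and the sample pattern are all assumptions of this example, and it needs a Unix host with `os.fork` and `resource`.

```python
import os
import re
import resource
import signal

# Constructed textbook example of catastrophic backtracking: nested quantifiers
# make the engine try exponentially many splits before failing on the tail.
PATHOLOGICAL = r"(a+)+$"

def _child_match(pattern, text, cpu_seconds, mem_bytes, write_fd):
    """Forked child: apply the quotas, run the match, report one byte back."""
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
    if mem_bytes is not None:
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
    try:
        found = re.search(pattern, text) is not None
        os.write(write_fd, b"1" if found else b"0")
    except MemoryError:
        os.write(write_fd, b"M")       # RLIMIT_AS quota hit

def bounded_search(pattern, text, max_len=4096, cpu_seconds=1, mem_bytes=None):
    """Return 'match', 'nomatch', 'too_long', 'cpu_limit', 'mem_limit' or 'error'.
    The regex runs in a child process under RLIMIT_CPU (and optionally RLIMIT_AS),
    so a runaway match is killed by the kernel instead of stalling the server."""
    if len(text) > max_len:            # cheap first line of defence
        return "too_long"
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:                       # child
        os.close(read_fd)
        try:
            _child_match(pattern, text, cpu_seconds, mem_bytes, write_fd)
        finally:
            os._exit(0)                # never fall through into the parent's code
    os.close(write_fd)
    reply = b""
    while True:                        # EOF arrives when the child exits or is killed
        chunk = os.read(read_fd, 16)
        if not chunk:
            break
        reply += chunk
    os.close(read_fd)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status) and os.WTERMSIG(status) in (signal.SIGXCPU, signal.SIGKILL):
        return "cpu_limit"             # the kernel enforced the CPU quota
    return {b"1": "match", b"0": "nomatch", b"M": "mem_limit"}.get(reply, "error")
```

With soft and hard RLIMIT_CPU set equal, Linux delivers SIGKILL at the limit, so both signals are treated as the quota firing; the fork per request is the price of letting the kernel, not the regex engine, enforce the budget.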