[Zope] Regular expressions insecurity?
Tue Wennerberg
tue@wennerberg.dk
Sat, 18 Jan 2003 17:22:46 +0100
Mike Renfro wrote:
> On Fri, Jan 17, 2003 at 03:36:25PM +0100, Tue Wennerberg wrote:
>
>> Mike Renfro wrote:
>>
>>> Basic summary: easy denial of service possibility if you have
>>> untrusted users.
>>
>> But... If it's only a question of Denial of Service, how are regular
>> expressions any different from python scripts? Surely, a site
>> developer can simply make an infinite loop in his python script.
>
> Here's my guess for the difference: whatever code is contained in the
> script is the developer's sole responsibility. However, a common regex
> usage would require input from an untrusted *user* (at least on a
> public site), and the developer can't necessarily plan for all
> possible inputs that a malicious user might stick in there.
I use regular expressions a lot, and the way I see it, no regexps would
behave like that. So it isn't a problem. Also, it's widespread to use
regular expressions in web sites written in Perl, and I've never heard
of such a scenario occurring.
I'm still puzzled as to why regular expressions are banned.
--
Kind regards, Tue Wennerberg
M.Sc. in Engineering and Freelance Developer
http://tuewennerberg.dk/ - tue@wennerberg.dk - (+45) 4043 6735
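The denial-of-service scenario the quoted mail refers to, as an added illustration written for this thread rather than code from any of its participants: a pattern with nested quantifiers takes time that grows exponentially with the length of a near-matching input, while an equivalent pattern without nesting takes one pass, and a length limit keeps untrusted input away from the engine entirely. The patterns, the input sizes and the limit are constructed for the example; only the Python standard library is assumed.

```python
import re
import time

# Constructed example pattern: nested quantifiers let the engine split a run
# of "a" characters between the inner and outer group in 2**(n-1) ways, and a
# trailing "!" forces it to try every split before giving up.
NESTED = re.compile(r'^(a+)+$')
# Same language (a run of one or more "a"), no nested quantifier: one pass.
FLAT = re.compile(r'^a+$')

# Input limit applied before matching. The stdlib re module has no matching
# timeout, so bounding the input and avoiding nested quantifiers are the
# practical guards when the text comes from an untrusted user.
MAX_INPUT_LEN = 256


def near_miss(n):
    """n 'a' characters followed by a character that cannot match."""
    return 'a' * n + '!'


def timed_match(pattern, text):
    """Return (matched, seconds) for one anchored match attempt."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def guarded_match(pattern, text, max_len=MAX_INPUT_LEN):
    """Reject oversized untrusted input before the engine ever sees it.

    Returns None when the input is refused, otherwise the match result.
    """
    if len(text) > max_len:
        return None
    return pattern.match(text) is not None


def slowdown(n):
    """Ratio of nested-pattern time to flat-pattern time on a near miss."""
    text = near_miss(n)
    _, nested_s = timed_match(NESTED, text)
    _, flat_s = timed_match(FLAT, text)
    return nested_s / max(flat_s, 1e-9)


if __name__ == '__main__':
    # Each extra "a" roughly doubles the nested time; the flat time stays flat.
    for n in (12, 14, 16, 18):
        matched, seconds = timed_match(NESTED, near_miss(n))
        print(f'n={n:2d} matched={matched} nested={seconds:.4f}s')
    print(f'slowdown at n=18: {slowdown(18):.0f}x')
```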