[Zope] More regular expressions security

Dylan Reinhardt Dylan@DylanReinhardt.com
Sun, 19 Jan 2003 10:42:48 -0800


At 10:17 AM 1/19/2003, Tue Wennerberg wrote:
>So it's a question of trust. But surely a script developer can be trusted 
>not to cause a DoS on the site he's working on! Script developers should 
>be empowered, not crippled!

Zope empowers the admin to control the environment.  If the admin trusts 
the developers, that trust can be extended... but it is appropriate that 
someone with command-line access should be involved any time a developer 
wants to run unrestricted code.  I think it's a question of preferring a 
configuration that is "more secure" by default and giving admins full power 
to loosen restrictions as they see fit.

>And some script developers don't have access to the file system.

That's exactly the point.

>So there it is. I'm writing this because I think that Zope is missing out 
>on a great feature, and because I haven't gotten any answers indicating 
>that there are other (worse) reasons why regular expressions are banned. 
>Am I wrong? Am I being silly here?

It might be fun and/or interesting to make a product that validates and 
performs regexes in a trustworthy fashion.  I'm not a regex guru, so I'm 
not sure exactly what level of validation is involved here.  Installing 
something like this would still require admin participation, but could hook 
into the existing access controls such that use of the product could be 
restricted on a per-developer basis.

Just thinkin'...

Dylan
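
Added example, not part of the original message and not Zope code: one possible shape for the validation step the reply speculates about, written in Python. It parses a pattern with the standard library's regex parser and refuses patterns where an unbounded repeat sits inside another unbounded repeat, a conservative heuristic that does not catch every slow pattern; the size limits and all function names are assumptions, and the per-developer permission check is left to the surrounding access controls.

```python
import re
try:  # Python 3.11+ keeps the parser inside the re package
    from re import _parser as sre_parse, _constants as sre_constants
except ImportError:  # older interpreters
    import sre_parse, sre_constants

MAX_PATTERN_LEN = 200     # assumed limit, tune per site
MAX_SUBJECT_LEN = 10000   # assumed limit, tune per site
_REPEATS = (sre_constants.MAX_REPEAT, sre_constants.MIN_REPEAT)

class PatternRejected(ValueError):
    """Raised when a pattern or subject fails validation."""

def _subpatterns(av):
    # Yield every parsed sub-pattern found in an operator's argument.
    if isinstance(av, sre_parse.SubPattern):
        yield av
    elif isinstance(av, (tuple, list)):
        for item in av:
            yield from _subpatterns(item)

def _nested_unbounded(tree, inside=False):
    # True if an unbounded repeat (*, +, {n,}) contains another one.
    for op, av in tree:
        if op in _REPEATS:
            _lo, hi, body = av
            unbounded = hi == sre_constants.MAXREPEAT
            if (unbounded and inside) or _nested_unbounded(body, inside or unbounded):
                return True
        elif any(_nested_unbounded(sub, inside) for sub in _subpatterns(av)):
            return True
    return False

def check_pattern(pattern):
    """Return None if the pattern is accepted, else the reason for refusal."""
    if len(pattern) > MAX_PATTERN_LEN:
        return "pattern too long"
    try:
        tree = sre_parse.parse(pattern)
    except re.error as exc:
        return "invalid pattern: %s" % exc
    return "nested unbounded repeat" if _nested_unbounded(tree) else None

def restricted_search(pattern, text):
    """Validate first, then search; the entry point untrusted scripts would call."""
    reason = "subject too long" if len(text) > MAX_SUBJECT_LEN else check_pattern(pattern)
    if reason:
        raise PatternRejected(reason)
    return re.search(pattern, text)
```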