[Zope] More regular expressions security
Oliver Bleutgen
myzope@gmx.net
Sun, 19 Jan 2003 20:11:45 +0100
Tue Wennerberg wrote:
>
> Regular expressions should be allowed by default.
>
> I've spent some time trying to find out why regular expressions are not
> allowed in Zope through-the-web development.
>
> The answer I hear is: "Because it's a security issue". Digging a little
> deeper, it turns out to be because TTW script developers can cause a
> Denial of Service from Zope by writing a particularly nasty regular
> expression in a script, causing Zope to use 100% cpu time.
Well, I vaguely remember having participated in a discussion about that
also, and I believe I chipped in an example like:
for a in range(0,1000):
    for b in range(0,1000):
        for c in range(0,1000):
... you get the picture.
Thus demonstrating that a malicious scripter could always cause a DoS.
The answer I got, IIRC, was that the point is not to guard against
maliciousness, but against stupidity. And if you think about it, it's
quite more likely someone writing a working, but extremely bad
performing regexp, which kills the server as soon as put into production
use, than someone accidentally nesting loops like I wrote above.
I don't know about you, but I think this argument is at least more
convincing than the "malicious scripter" one.
After all, the absence of strcpy() in python is a feature, isn't it? ;)
cheers,
oliver
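The "extremely bad performing regexp" both posters have in mind is, in practice, almost always one with an unbounded quantifier nested inside another unbounded quantifier (the `(a+)+` shape), which makes the backtracking matcher's running time grow exponentially with the input length. The check below is an added example, not code from this thread or from Zope: it walks Python's own regex parse tree (`re._parser` on 3.11+, the older `sre_parse` module before that) and rejects a pattern at save time if it contains that shape, which is the "guard against stupidity" Oliver describes rather than a guard against a determined scripter. The function names and the sample patterns are constructed for this example.

```python
import re

# Python 3.11 moved the private regex parser to re._parser / re._constants;
# older versions expose the same code as top-level sre_parse / sre_constants.
try:
    from re import _parser as sre_parse, _constants as sre_constants
except ImportError:  # Python < 3.11
    import sre_parse, sre_constants

REPEAT_OPS = (sre_constants.MAX_REPEAT, sre_constants.MIN_REPEAT)


def _walk(subpattern, inside_unbounded, findings):
    """Visit a parsed pattern recursively, recording every unbounded repeat
    (+, *, {n,}) that sits inside another unbounded repeat."""
    for op, arg in subpattern:
        if op in REPEAT_OPS:
            lo, hi, body = arg
            unbounded = hi == sre_constants.MAXREPEAT
            if unbounded and inside_unbounded:
                findings.append(
                    "unbounded repeat nested inside another unbounded repeat "
                    "(exponential backtracking on non-matching input)"
                )
            _walk(body, inside_unbounded or unbounded, findings)
        elif op == sre_constants.SUBPATTERN:
            # arg is (group, add_flags, del_flags, body); the body is last
            _walk(arg[-1], inside_unbounded, findings)
        elif op == sre_constants.BRANCH:
            # arg is (None, [alternative, alternative, ...])
            for alternative in arg[1]:
                _walk(alternative, inside_unbounded, findings)
        elif op in (sre_constants.ASSERT, sre_constants.ASSERT_NOT):
            # arg is (direction, body)
            _walk(arg[1], inside_unbounded, findings)
        # LITERAL, IN, ANY, AT and the other leaf nodes need no descent


def check_pattern(pattern, max_pattern_length=512):
    """Return (ok, reasons). ok is False when the pattern does not compile,
    is implausibly long, or contains nested unbounded repeats. Meant to run
    once, when a script is saved, not on every request."""
    reasons = []
    if len(pattern) > max_pattern_length:
        reasons.append(f"pattern longer than {max_pattern_length} characters")
    try:
        parsed = sre_parse.parse(pattern)
    except re.error as exc:
        return False, [f"pattern does not compile: {exc}"]
    _walk(parsed, False, reasons)
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed sample patterns: two harmless ones and two of the classic shape
    for pat in (r"\d+\.\d+", r"(ab)*c{2,}", r"(a+)+$", r"^(\w+\s?)*$"):
        ok, reasons = check_pattern(pat)
        print(f"{pat!r}: {'accepted' if ok else 'rejected'} {reasons}")
```

The check is deliberately conservative: it also rejects patterns such as `(a+b)+` that are nested but harmless because the literal `b` keeps the two quantifiers from competing for the same characters, and it does not catch every slow pattern (overlapping alternatives under a single `*`, for instance). That trade-off fits the stated goal of catching accidental mistakes; against a scripter who wants to burn CPU it is no better than the nested-loop example above, and only a CPU-time limit on the running script helps there.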