[Zope] More regular expressions security

Tue Wennerberg tue@wennerberg.dk
Sun, 19 Jan 2003 22:44:37 +0100 

Oliver Bleutgen wrote:
> Tue Wennerberg wrote:
> 
>>
>> Well, now we're getting somewhere. I believe that "guarding against 
>> stupidity" is a much more valid point. However, still not valid enough 
>> that regular expressions should be banned, since regular expressions 
>> would be such a great feature for Zope.
> 
> 
> It's not as you couldn't use regexps in zope, it's just not as easy as 
> you like it to be.
> 
>> In my eyes, a script developer should be trusted to create 
>> well-written code. In other words, badly developed scripts cause a 
>> badly developed site, which shouldn't surprise anyone. I don't think 
>> Zope should (or can) protect against stupidity.   In my experience, 
>> when non-expert
>> developers create regular expressions, they are always trivial 
>> expressions, which don't cause such problems.
>>
>> Of course a programming error shouldn't be able to shutdown an entire 
>> system, but that should be solved in another way (e.g. resource 
>> control for individual processes/threads).
> 
> 
> Well, now you are contradicting yourself, IMO. First you assert that 
> zope shouldn't protect against stupidity, then you want to have resource 
> control. Resource control can give a lot of support headaches, and 
> everywhere it is used it causes a lot of mailing list traffic (linux OOM 
> killer is a prominent example). For various reasons the problem to 
> implement something like that in zope would be even more of a headache, 
> I assume, and it's much less needed. Somewhere the line has to be drawn, 
> and I think what is done in zope is quite reasonable, albeit arguable. 
> Anyway, I have no strong feelings one way or the other, just wanted to 
> pass on what I have learned from the same discussion.

I appreciate your input, too!

I didn't mean to contradict myself :-) What I meant to say was that when 
choosing between

  (a) regular expressions working by default, or
  (b) protecting against rare cases of stupidity,

I think (a) should be chosen and I'm surprised it hasn't been.

I also think it's bad for Zope that regular expressions have gotten a 
reputation of being insecure, when they really aren't. On the contrary, 
the conscientious developer will use them for validating input 
parameters, thereby increasing security.

-- 
Mvh. Tue Wennerberg
Civilingeniør og Freelance Udvikler
http://tuewennerberg.dk/ - tue@wennerberg.dk - (+45) 4043 6735