[Zope] Regular expressions insecurity?
Charlie Reiman
creiman@kefta.com
Tue, 21 Jan 2003 09:37:19 -0800
> -----Original Message-----
> From: zope-admin@zope.org [mailto:zope-admin@zope.org]On Behalf Of Tue
> Wennerberg
> Sent: Saturday, January 18, 2003 8:23 AM
> To: zope@zope.org
> Subject: Re: [Zope] Regular expressions insecurity?
>
>
> Mike Renfro wrote:
>
> > On Fri, Jan 17, 2003 at 03:36:25PM +0100, Tue Wennerberg wrote:
> >
> >> Mike Renfro wrote:
> >
> >
> >
> >>> Basic summary: easy denial of service possibility if you have
> >>> untrusted users.
> >>
> >>
> >> But... If it's only a question of Denial of Service, how are regular
> >> expressions any different from python scripts. Surely, a site
> >> developer can simply make an infinite loop in his python script.
> >
> >
> >
> > Here's my guess for the difference: whatever code is contained in the
> > script is the developer's sole responsibility. However, a common regex
> > usage would require input from an untrusted *user* (at least on a
> > public site), and the developer can't necessarily plan for all
> > possible inputs that a malicious user might stick in there.
>
>
> I use regular expressions a lot, and the way I see it, no regexps would
> behave like that. So it isn't a problem. Also, it's widespread to use
> regular expressions in web sites written in Perl, and I've never heard
> of such a scenario occuring.
>
> I'm still puzzled as to why regular expressions are banned.
There was a discussion of this months ago. There are, IIRC, two big answers.
1) It's easy to write a regexp that sucks down time, above and beyond what
you would expect. Since Zope is often used as a general CMF for non
technical people, exposing regexes is a bad idea (I don't buy this answer
myself...)
2) The python regex package is in C and no one has written the security
wrapping code that Zope requires. I'm fuzzy on the details but this answer
makes a lot more sense.
Thus the answer is most likely that it is not exposed because no one got
around to it. Since the security risk is pretty small and you can easily
expose it yourself, I don't think there is much pressure to fix the problem
for real.