[Zope] Regular expressions insecurity?
Tue Wennerberg
tue@wennerberg.dk
Tue, 21 Jan 2003 21:54:59 +0100
Thank you for your answers.
Charlie Reiman wrote:
>
>
> There was a discussion of this months ago. There are, IIRC, two big answers.
>
> 1) It's easy to write a regexp that sucks down time, above and beyond what
> you would expect. Since Zope is often used as a general CMF for
> non-technical people, exposing regexes is a bad idea (I don't buy this answer
> myself...)
>
> 2) The Python regex package is in C and no one has written the security
> wrapping code that Zope requires. I'm fuzzy on the details but this answer
> makes a lot more sense.
Well yes, if regular expressions were a security risk. This seems to be
the general notion, but can anyone actually give an example?
> Thus the answer is most likely that it is not exposed because no one got
> around to it. Since the security risk is pretty small and you can easily
> expose it yourself, I don't think there is much pressure to fix the problem
> for real.
Guess not.
--
Best regards, Tue Wennerberg
M.Sc. in Engineering and Freelance Developer
http://tuewennerberg.dk/ - tue@wennerberg.dk - (+45) 4043 6735
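
An added example, not part of the original post and not Zope code: the first answer quoted above (a regexp that "sucks down time") shown with Python's `re` module, next to one way to put a time budget on a search. The patterns, the input string, the exit codes and the `bounded_search` helper are constructed for illustration.

```python
import subprocess
import sys

# Constructed sample values (not from the thread).
SLOW_PATTERN = r"(a+)+$"      # nested quantifier: exponential backtracking on a near-miss
FAST_PATTERN = r"a+$"         # accepts the same strings, without the nesting
NEAR_MISS = "a" * 40 + "!"    # long run of 'a' followed by one character that breaks the match

# Python's re module has no timeout argument, so the search runs in a child
# interpreter that can be killed. Exit codes 10 and 11 are this example's convention.
_CHILD = (
    "import re, sys\n"
    "sys.exit(10 if re.search(sys.argv[1], sys.argv[2]) else 11)\n"
)


def bounded_search(pattern, text, budget_s=2.0):
    """Return True or False for match or no match, or None if the budget ran out."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD, pattern, text],
            capture_output=True,
            timeout=budget_s,  # on expiry the child is killed and TimeoutExpired is raised
        )
    except subprocess.TimeoutExpired:
        return None
    if proc.returncode == 10:
        return True
    if proc.returncode == 11:
        return False
    # Anything else means the child failed, e.g. re.error on an invalid pattern.
    raise ValueError(proc.stderr.decode(errors="replace").strip())


if __name__ == "__main__":
    for pattern in (SLOW_PATTERN, FAST_PATTERN):
        print(pattern, "->", bounded_search(pattern, NEAR_MISS))
```

The nested pattern exhausts its budget on the 41-character input, while the rewritten pattern answers at once; a caller that evaluates patterns from untrusted users can treat `None` as a rejection.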