[Zope] DTML, Zope and Regex

Jim Penny jpenny@universal-fasteners.com
Wed, 10 Jul 2002 11:11:11 -0400


On Wed, Jul 10, 2002 at 03:17:14PM +0100, Ben Avery wrote:
> well, external methods are python scripts with no safety measures at 
> all, so are potentially much more unsafe than any use of regexps in a 
> python script. So I'd say it's better to allow the re module in your 
> python scripts (see my previous post) than resort to external methods.
> 
> but I also haven't come across a reason to consider regexps unsafe. I'm 
> sure it's been discussed here before - could someone point us to a post 
> on this subject, pls ?

As I understand it, the problem is not so much security, per se, but
denial of service.  That is, it is extremely easy to write regular
expressions which take enormous amounts of time or memory to process.

Worse, the processing time and space is extremely dependent on input,
so that apparently well-tested code can suddenly become a liability when
exposed to a less than friendly audience.  (Think about a line-oriented
regex that is furnished a multi-megabyte line.)

To say it another way, using regex does not make it more likely that you
will be cracked.  It does make it more likely that your system will
appear to be unresponsive, and, if memory exhaustion occurs, dead.

Jim Penny
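The failure mode Jim describes, as an added example that is not part of the thread: a pattern with nested quantifiers is matched by Python's backtracking engine in time exponential in the input length whenever the match fails late, so a line a few dozen characters long can pin a CPU indefinitely. The pattern names, the policy constants MAX_INPUT_LEN and MATCH_TIMEOUT, and the inputs are constructed for illustration; the guard runs the match in a child process because CPython cannot interrupt the C regex loop from a thread or a signal handler, but it can terminate a process.

```python
"""Regex denial of service: catastrophic backtracking and a guard.

^(a+)+$ accepts exactly the same strings as ^a+$, but on the input
"aaaa...ab" the first pattern fails only at the last character, and the
engine then retries every way of splitting the run of a's between the
inner and outer quantifier: 2**n attempts for n a's.
"""
import multiprocessing as mp
import re
import time

# Constructed sample patterns: the first backtracks catastrophically, the
# second matches the same language in linear time.
EVIL_PATTERN = r"^(a+)+$"
SAFE_PATTERN = r"^a+$"

# Hypothetical policy values for the guard below.
MAX_INPUT_LEN = 10_000   # refuse oversized lines before the engine sees them
MATCH_TIMEOUT = 0.5      # seconds the engine may spend on one match

# fork passes the worker function to the child without pickling it by name,
# which keeps this working however the module is imported.
try:
    _CTX = mp.get_context("fork")
except ValueError:       # platform without fork: use the default start method
    _CTX = mp.get_context()


def hostile_input(n: int) -> str:
    """n a's followed by a 'b': matches until the last char, then fails."""
    return "a" * n + "b"


def time_match(pattern: str, text: str) -> float:
    """Wall-clock seconds re.match spends on this input, with no protection."""
    compiled = re.compile(pattern)
    start = time.perf_counter()
    compiled.match(text)
    return time.perf_counter() - start


def _match_worker(pattern, text, conn):
    """Child process body: report whether the pattern matched."""
    conn.send(re.match(pattern, text) is not None)
    conn.close()


def guarded_match(pattern: str, text: str,
                  max_len: int = MAX_INPUT_LEN,
                  timeout: float = MATCH_TIMEOUT):
    """Match in a child process so a runaway regex can be killed.

    Returns True/False for a completed match, "too_long" when the input
    exceeds max_len, and "timeout" when the engine is still running after
    `timeout` seconds.
    """
    if len(text) > max_len:
        return "too_long"
    parent, child = _CTX.Pipe(duplex=False)
    proc = _CTX.Process(target=_match_worker, args=(pattern, text, child))
    proc.start()
    child.close()
    if parent.poll(timeout):
        result = parent.recv()
    else:
        result = "timeout"
    parent.close()
    proc.terminate()     # no-op if the worker already exited
    proc.join()
    return result


if __name__ == "__main__":
    for n in (10, 15, 20):
        print(f"n={n:2d}  evil: {time_match(EVIL_PATTERN, hostile_input(n)):.3f}s"
              f"  safe: {time_match(SAFE_PATTERN, hostile_input(n)):.6f}s")
    print("guarded evil, n=40:", guarded_match(EVIL_PATTERN, hostile_input(40)))
    print("guarded safe, n=40:", guarded_match(SAFE_PATTERN, hostile_input(40)))
    print("oversized line:", guarded_match(SAFE_PATTERN, "a" * 20_000))
```

The timing loop shows the evil pattern's cost roughly doubling with each extra character while the safe one stays flat; the guard is what keeps the n=40 case from hanging the process. Neither a length cap nor a timeout is a substitute for writing the pattern without nested or overlapping quantifiers, but together they turn an unbounded hang into a bounded, observable failure.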

> 
> 
> Jorge O. Martinez wrote: