[Zope] DTML, Zope and Regex

Oliver Bleutgen myzope@gmx.net
Wed, 10 Jul 2002 18:49:54 +0200


Toby Dickenson wrote:
> On Wednesday 10 Jul 2002 4:49 pm, Oliver Bleutgen wrote:
> 
> 
>>>As I understand it, the problem is not so much security, per se, but
>>>denial of service.  That is, it is extremely easy to write regular
>>>expressions which take enormous amounts of time or memory to process.
>>
>>Oh, come on.
>>
>>my_bigasslist=[]
>>i=0
>>while(1):
>>   i=i+1
>>   my_bigasslist.append('bla'*i)
>>
>>Gets zope to use >>100M in less than 2 secs on a lowly PII 350.
> 
> 
> It doesn't matter how easy it is to write a program that exhibits the problem. 
> Rather, how easy it is to write a program that provably cannot exhibit the 
> problem.
> 
> The issue with regular expressions is similar to the problems that cause 
> buffer overflow vulnerabilities in C programs. Even experts find it hard to 
> write a non-trivial program that is completely free from problems.
> 
> That doesn't mean that C or regular expressions do not have their uses, but I 
> am pleased with the restriction that you cannot use them TTW.


Well, if *you* are concerned that *you* *yourself* might shoot yourself 
in the foot when using regex, the solution would be simple:

Don't use them. Easy.

Together with the fact that I am quite sure that *you* are not in great 
danger to do something very stupid with regex, I conclude that you have 
users which you don't trust if they had the power to use regex in python 
scripts.
Ok, maybe this is a problem - maybe not. But then it would be more 
logical IMO to find a way to make python scripts more secure without 
sacrificing usability that much.

Maybe the ability to impose resource limits on scripts individually, 
like for memory consumption and processing time, if that's possible?

Btw. there seems to be something not quite optimal w.r.t. some kind of 
resource limit that seems to be present right now. I ran the code I 
posted just for the fun of it and forgot that. After some time I got an 
out of memory exception (don't remember the exact name), but apparently 
that didn't cause python to release the memory again. My machine was 
completely unusable after that - segfaults on nearly everything I tried 
on the CLI until I killed that zope.

Is that a bug?


I'd say limiting the abilities of python scripts concerning the ability 
to break out of their zope sandbox should be enough. And the modules 
which are allowed to be imported should be measured by this criterion and 
probably some other stuff I'm absolutely not qualified to comment on, 
like what Chris said about modules returning non-python types.

Again, I'm far from religious about this issue, it's just that I think 
the reasons often brought up about restrictions of the script(python) 
object and dtml should be chosen more carefully.



cheers,
oliver
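
Added example, not part of Oliver's message or of Zope: one way to get the per-script memory and processing-time limits suggested above is to run the untrusted snippet in a child interpreter under POSIX rlimits. It assumes Linux; run_limited, the harness and both sample snippets (the list-growing loop from the thread and a textbook nested-quantifier regex) are constructed for illustration.

```python
import resource
import signal
import subprocess
import sys

# Child-side wrapper (constructed for this example): run the snippet and turn
# MemoryError into exit status 3 without allocating anything further.
_HARNESS = (
    "import os, sys\n"
    "try:\n"
    "    exec(sys.argv[1], {})\n"
    "except MemoryError:\n"
    "    os._exit(3)\n"
)

# Constructed sample inputs: the loop quoted in the thread, and a regex whose
# nested quantifier backtracks exponentially on a non-matching string.
MEMORY_LOOP = "l = []\ni = 0\nwhile 1:\n    i = i + 1\n    l.append('bla' * i)\n"
SLOW_REGEX = "import re\nre.match(r'(a+)+$', 'a' * 64 + 'b')\n"


def run_limited(code, mem_bytes=256 * 2**20, cpu_seconds=2, wall_seconds=30):
    """Run `code` in a child interpreter under RLIMIT_AS and RLIMIT_CPU."""
    def set_limits():  # runs in the child, after fork and before exec
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
        # The soft limit delivers SIGXCPU; the hard limit, one second later,
        # delivers SIGKILL in case the first signal is ignored.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))

    try:
        proc = subprocess.run(
            [sys.executable, "-c", _HARNESS, code],
            preexec_fn=set_limits, timeout=wall_seconds,
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return "timeout"  # wall-clock backstop, e.g. a script that only sleeps
    if proc.returncode == 0:
        return "ok"
    if proc.returncode == 3:
        return "memory"
    if proc.returncode in (-signal.SIGXCPU, -signal.SIGKILL):
        return "cpu"
    return "error"


if __name__ == "__main__":
    for name, snippet in (("loop", MEMORY_LOOP), ("regex", SLOW_REGEX)):
        print(name, run_limited(snippet))
```

Because the limits apply to a separate process, the parent keeps its own memory and stays responsive when the child hits a cap, unlike the in-process out of memory case described in the message.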