[Zope] DTML, Zope and Regex

Thomas B. Passin tpassin@mitretek.org
Wed, 10 Jul 2002 13:57:59 -0400


[Charlie Reiman]

> I was agreeing with Toby, until it dawned on me that string.* is available
> unrestricted. Yes, my regexes may be vulnerable to a DoS attack if someone
> foists a 4M string at me. But so is string.index and string.rindex and (even
> worse) string.lower. Besides, as Oliver points out, limiting access to re
> doesn't mean I can't write code that wantonly consumes all CPU and memory.
> His example is artificial but it could easily be modified to take parameters
> from the HTTP REQUEST and still do stupid things.
>

Heck, if you want to drag the machine down, you do not need to import any
modules.  Try this:

str='this will really do it!'
for n in range(100000):
    str=str+str   # doubles the string every pass, so memory use grows exponentially

500 MB gone in a few seconds...

Cheers,

Tom P
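The thread's point is that fencing off `re` buys nothing, since string methods and a plain loop can exhaust CPU and memory just as well; the control that actually helps is bounding what comes in from the HTTP REQUEST before any string or regex work touches it. The following is an added example written for this page, not code from the thread or from Zope: `bounded_param`, `oversized_params`, `safe_search` and `ParamTooLarge` are hypothetical helper names, `MAX_PARAM_LEN` is a constructed limit rather than a Zope setting, and `request` is taken to be any name-to-value mapping, which is how Zope's REQUEST is used here.

```python
# Added example (not from the original thread or from Zope): cap the size of
# request-derived strings before any string or regex operation sees them.
# Helper names and MAX_PARAM_LEN are constructed for illustration.
import re

MAX_PARAM_LEN = 64 * 1024           # 64 KiB per parameter (constructed limit)
WORD_RE = re.compile(r"[A-Za-z]+")  # an ordinary pattern used by the demo


class ParamTooLarge(ValueError):
    """Raised when a request parameter exceeds the configured bound."""


def oversized_params(request, max_len=MAX_PARAM_LEN):
    """Return the names of parameters whose values exceed max_len.

    `request` is any mapping of name -> value (Zope's REQUEST is used the
    same way). Handy for logging what was rejected and why.
    """
    return sorted(
        name for name, value in request.items()
        if len(str(value)) > max_len
    )


def bounded_param(request, name, max_len=MAX_PARAM_LEN):
    """Fetch request[name] as a string, refusing it if it is too long.

    The length check runs before anything else is done with the value, so
    an oversized parameter is rejected without ever being lowercased,
    indexed, concatenated or searched.
    """
    value = str(request.get(name, ""))
    if len(value) > max_len:
        raise ParamTooLarge(
            "%s: %d characters exceeds limit of %d" % (name, len(value), max_len)
        )
    return value


def safe_search(pattern, request, name, max_len=MAX_PARAM_LEN):
    """Run a precompiled regex only on a size-checked parameter.

    Returns the match object (or None). The pattern never sees input longer
    than max_len, which bounds the work any single request can cause.
    """
    return pattern.search(bounded_param(request, name, max_len))


if __name__ == "__main__":
    # Constructed requests: one ordinary, one carrying a 4 MiB parameter.
    normal = {"q": "find the word zope in here"}
    oversized = {"q": "a" * (4 * 1024 * 1024), "page": "1"}
    print(safe_search(WORD_RE, normal, "q").group(0))   # find
    print(oversized_params(oversized))                  # ['q']
    try:
        safe_search(WORD_RE, oversized, "q")
    except ParamTooLarge as exc:
        print("rejected:", exc)
```

The check is deliberately placed at the point where the value leaves the request object, because every later operation (string.lower, string.index, a regex, or a doubling loop like the one above) scales with the length of that value; once the length is capped, the worst case of each of them is bounded too.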