[Zope] Regular expressions insecurity?

Mike Renfro renfro@tntech.edu
Fri, 17 Jan 2003 09:47:31 -0600


On Fri, Jan 17, 2003 at 03:36:25PM +0100, Tue Wennerberg wrote:
> Mike Renfro wrote:

> > Basic summary: easy denial of service possibility if you have
> > untrusted users.
>
> But... If it's only a question of Denial of Service, how are regular
> expressions any different from python scripts. Surely, a site
> developer can simply make an infinite loop in his python script.

Here's my guess for the difference: whatever code is contained in the
script is the developer's sole responsibility. However, a common regex
usage would require input from an untrusted *user* (at least on a
public site), and the developer can't necessarily plan for all
possible inputs that a malicious user might stick in there.

-- 
Mike Renfro  / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- renfro@tntech.edu
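Neither message in the thread includes code. The Python example below is added here (it is not from Mike Renfro, Tue Wennerberg, or the Zope project) to make the asymmetry he describes concrete: a developer's own infinite loop is their own bug, but a regex fed untrusted input can be driven into exponential backtracking by an input the developer never anticipated. The pattern `(a+)+$`, the near-miss input ending in `!`, and the 64-character `MAX_INPUT_LEN` cap are constructed assumptions for illustration, not anything Zope does.

```python
import re
import time

# Constructed example: a quantifier nested inside another quantifier. On input
# that almost matches (a run of 'a's followed by a character the pattern
# rejects), a backtracking engine tries every way of splitting the run between
# the inner and outer '+', so the work grows exponentially with the run length.
NESTED = re.compile(r"(a+)+$")

# Same language, no nested quantifier: the engine makes one pass and gives up.
LINEAR = re.compile(r"a+$")

# Assumed site policy: cap the length of untrusted input handed to any regex.
MAX_INPUT_LEN = 64


def match_untrusted(pattern, text, max_len=MAX_INPUT_LEN):
    """Apply a compiled pattern to untrusted text, refusing over-long input.

    Returns True/False for a full match. Over-long input raises ValueError
    before the regex engine ever sees it, which bounds the worst-case cost.
    """
    if len(text) > max_len:
        raise ValueError(f"input of {len(text)} chars exceeds limit {max_len}")
    return pattern.fullmatch(text) is not None


def timed_match(pattern, text):
    """Return (matched, seconds) for one regex evaluation."""
    start = time.perf_counter()
    matched = pattern.fullmatch(text) is not None
    return matched, time.perf_counter() - start


def almost_match(n):
    """Constructed near-miss input: n 'a's followed by a character that cannot match."""
    return "a" * n + "!"


if __name__ == "__main__":
    # Both patterns accept exactly the same strings...
    for sample in ("aaaa", "aaa!", ""):
        assert (NESTED.fullmatch(sample) is None) == (LINEAR.fullmatch(sample) is None)

    # ...but their cost on near-miss input differs enormously. Sizes are kept
    # small (n <= 18) so the demo finishes quickly; each +1 roughly doubles
    # the time taken by the nested pattern while the linear one stays flat.
    for n in (10, 14, 18):
        _, t_nested = timed_match(NESTED, almost_match(n))
        _, t_linear = timed_match(LINEAR, almost_match(n))
        print(f"n={n:2d}  nested={t_nested:.4f}s  linear={t_linear:.6f}s")

    # With the length cap in place, a pathological input is refused up front.
    try:
        match_untrusted(NESTED, almost_match(MAX_INPUT_LEN + 1))
    except ValueError as exc:
        print("rejected:", exc)
```

The two defensive measures shown are independent: capping input length bounds the damage from any pattern, while rewriting the pattern to avoid nested quantifiers removes the exponential case altogether. Either one is something a developer can apply in advance without knowing what a user will type, which is the gap the post points at.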