[Zope] More regular expressions security
Tue Wennerberg
tue@wennerberg.dk
Sun, 19 Jan 2003 19:17:51 +0100
Regular expressions should be allowed by default.
I've spent some time trying to find out why regular expressions are not
allowed in Zope throught-the-web development.
The answer I hear is: "Because it's a security issue". Digging a little
deeper, it turns out to be because TTW script developers can cause a
Denial of Service from Zope by writing a particular nasty regular
expression in a script, causing Zope to use 100% cpu time.
So it's a question of trust. But surely a script developer can be
trusted not to cause a DoS on the site he's working on! Script
developers should be empowered, not crippled!
Some common objections:
"People can just write an external scripts instead." - True, but it also
makes everyday work much more cumbersome. And some script developers
don't have access to the file system. Surely, TTW scripts exist to make
life easier for site developers.
"The administrator can allow the 're' module." Also true, but some
people won't do that because they think it will expose their site to all
kind of attacks from anonymous users. This isn't the case (or is it?).
So there it is. I'm writing this because I think that Zope is missing
out on a great feature, and because I haven't gotten any answers
indicating that there are other (worse) reasons why regular expressions
are banned. Am I wrong? Am I being silly here?
Sincerely, Tue Wennerberg
Civilingeniør og Freelance Udvikler
http://tuewennerberg.dk/ - tue@wennerberg.dk - (+45) 4043 6735