[Zope] Re Re: Regular expressions insecurity?

Tue Wennerberg tue@wennerberg.dk
Mon, 20 Jan 2003 22:40:44 +0100


Dieter Maurer wrote:
> Tue Wennerberg wrote at 2003-1-19 18:05 +0100:
>  > Matt Young wrote:
>  > ...
>  > I love regular expressions too. But having to create an external method 
>  > is just too cumbersome for everyday work. I think Zope is missing out on 
>  > a great feature here, without getting more security in return.
> I think 1 generic External Method will do it:
> 
>       External Method that has input parameters like "re.compile"
>       and returns a wrapper for the compiled regular expression.
> 
>       The wrapper can provide the methods of compiled regular
>       expressions, again wrapping the results if necessary (such
>       as for match objects).
> 
> Are you a volunteer?

Sure, but why is this a better solution than to allow the 're' module by 
default? I'm not trying to be clever, I'm simply asking because I don't 
know :-)

I'm also trying to get peer review on the thought of allowing 're', 
because some people are claiming it's a security issue.

>  > I wish I could get some form of reply from a definitive source (core 
>  > developers, maybe?).
> I would need about an afternoon to implement it, but I did not
> yet need regular expressions in TTW code...

To justify my stubbornness: When I started with Zope, I asked for 
regular expressions. Two people in my Zope User Group asked for it, 
independently. Also, I've seen it once or twice on #zope.


-- 
Best regards, Tue Wennerberg
M.Sc. in Engineering and Freelance Developer
http://tuewennerberg.dk/ - tue@wennerberg.dk - (+45) 4043 6735
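
The generic External Method described in the quoted reply above, as an added example that is not part of the original message or of Zope itself. The names `compile_re`, `RegexWrapper` and `MatchWrapper` are hypothetical, the code is written for current Python rather than the Python of 2003, and the use of `__allow_access_to_unprotected_subobjects__` to open the wrappers to restricted code is an assumption about the Zope setup.

```python
import re

class MatchWrapper:
    """Read-only view of a match object; the raw object stays in _match."""
    # Assumption: Zope's security policy reads this attribute to let restricted
    # code call the public methods; underscore names remain inaccessible there.
    __allow_access_to_unprotected_subobjects__ = 1

    def __init__(self, match):
        self._match = match

    def group(self, *groups):
        return self._match.group(*groups)

    def groups(self, default=None):
        return self._match.groups(default)

    def groupdict(self, default=None):
        return self._match.groupdict(default)

    def span(self, group=0):
        return self._match.span(group)

class RegexWrapper:
    """Wrapper for a compiled pattern that never hands out raw match objects."""
    __allow_access_to_unprotected_subobjects__ = 1

    def __init__(self, compiled):
        self._re = compiled

    def _wrap(self, match):
        return None if match is None else MatchWrapper(match)

    def match(self, string):
        return self._wrap(self._re.match(string))

    def search(self, string):
        return self._wrap(self._re.search(string))

    def findall(self, string):
        return self._re.findall(string)  # plain strings/tuples, nothing to wrap

    def sub(self, repl, string, count=0):
        if callable(repl):  # a callback would otherwise receive the raw match
            callback = repl
            repl = lambda m: callback(MatchWrapper(m))
        return self._re.sub(repl, string, count)

def compile_re(pattern, flags=0):
    """Hypothetical entry point to register as the External Method."""
    return RegexWrapper(re.compile(pattern, flags))
```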