ietf-mta-filters

Re: Possible RegEx security problem.

2000-09-07 17:32:36
I'd call it a bad regex implementation. 

All implementations of anything have the potential of having bugs that
can be exploited for nefarious means. This extension definitely doesn't
introduce any additional concerns along those lines.

        Tony Hansen
        tony(_at_)att(_dot_)com

Nigel Swinson wrote:

Hi folks,

In draft-murchison-sieve-regex-02.txt it says

    Security considerations are discussed in [SIEVE].  It is believed
    that this extension doesn't introduce any additional security
    concerns.

What if I write a regular expression that may be utterly meaningless, but
processor hungry.  Could we not potentially crash the server as it tries to
match this against part (or all) of the message?

I bring this up as I have just been working with a WIN32 RegEx
implementation that freezes up if you type in the regular expression

  (.*)*

I'd rather not have a user type in this as a regular expression and freeze
up my mail server!

Is this a potential security problem, or have I just had a bad experience
with a bad RegEx implementation?

Nigel
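
The concern raised in this thread, shown as an added example that is not part of either message or of the draft: a server can pre-screen a user-supplied pattern before handing it to a backtracking matcher. The sketch below assumes POSIX ERE style syntax, uses hypothetical function names and constructed sample patterns, and flags a group that contains an unbounded repeat and is itself repeated without bound, such as `(.*)*`.

```python
# Heuristic pre-screen for user-supplied patterns (POSIX ERE style syntax assumed).
# Flags a group that contains an unbounded repeat and is itself repeated without
# bound, such as (.*)* from the thread. Function names here are hypothetical.

def _quantifier_at(p, i):
    """Return (unbounded, length) for a quantifier starting at p[i], else (False, 0)."""
    if i >= len(p):
        return False, 0
    if p[i] in "*+":
        return True, 1
    if p[i] == "?":
        return False, 1
    if p[i] == "{":
        end = p.find("}", i)
        if end != -1:
            # {n,} has no upper bound; {n} and {n,m} do
            return p[i + 1:end].endswith(","), end - i + 1
    return False, 0

def has_nested_unbounded_repeat(pattern):
    stack = [False]  # per open group: was an unbounded repeat seen inside it?
    i = 0
    while i < len(pattern):
        c = pattern[i]
        closed = False  # did this atom close a group holding an unbounded repeat?
        if c == "\\":                      # escaped character: skip it as a literal
            i += 2
        elif c == "[":                     # bracket expression: skip to its closing ]
            j = i + 1
            if pattern[j:j + 1] == "^":
                j += 1
            if pattern[j:j + 1] == "]":    # a leading ] is a literal member
                j += 1
            end = pattern.find("]", j)
            i = len(pattern) if end == -1 else end + 1
        elif c == "(":
            stack.append(False)
            i += 1
            continue
        elif c == ")":
            closed = stack.pop() if len(stack) > 1 else False
            i += 1
        else:
            i += 1
        unbounded, n = _quantifier_at(pattern, i)
        if closed and unbounded:
            return True
        stack[-1] = stack[-1] or closed or unbounded
        i += n
    return False
```

A check like this is a conservative heuristic; it complements a per-match time or step limit in the matcher rather than replacing one.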
