Re: Possible RegEx security problem.

2000-09-08 00:42:38
On 2000-09-07 at 20:33 -0400, Tony Hansen wrote:
All implementations of anything have the potential of having bugs that
can be exploited for nefarious means. This extension definitely doesn't
introduce any additional concerns along those lines.

Aren't regexes inherently more _likely_ to cause optimisation problems
in an implementation, because of the greater expressive power?

But then, it's an extension, so sites which worry about their users
doing this are free to not provide it.  :^)

But should the draft be amended to note that any implementation is
likely to carry a higher processing overhead than the globbing used by
:matches and sites should take this into consideration when deciding
whether or not to provide it?

I bring this up as I have just been working with a WIN32 RegEx
implementation that freezes up if you type in the regular expression


I'd rather not have a user type in this as a regular expression and freeze
up my mail server!

Is this a potential security problem, or have I just had a bad experience
with a bad RegEx implementation?

That level of effect is a bad implementation.  But generally speaking,
regular expression matching is more resource intensive [1] than globbing
or straight string comparison.

[1] Unsubstantiated claim alert.  It's true, honest; I just don't want
    to have to find academic references at this unearthly hour of the
Phil Pennock                        <pdp(_at_)nl(_dot_)demon(_dot_)net> 
Demon Internet Nederland -- Network Operations Centre -- Systems Administrator
Libertes philosophica.
Sales: +31 20 422 20 00                                Support: 0800 33 6666 8
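Added example, not part of the original message and not taken from any Sieve implementation: a step counter comparing a :matches-style glob matcher with a naive backtracking matcher for a small regex subset, and a per-match step budget that makes an expensive user-supplied pattern fail instead of freezing the server. The patterns, the 30-character header value and the 10,000-step budget are constructed assumptions; the regular expression the quoted poster refers to is not on the page and is not reproduced.

```python
class BudgetExceeded(Exception):
    """A single match used more steps than the site allows."""

class Steps:
    def __init__(self, budget):
        self.used, self.budget = 0, budget
    def tick(self):
        self.used += 1
        if self.used > self.budget:
            raise BudgetExceeded(self.used)

def glob_match(pat, text, steps):
    """Glob with '*' and '?': iterative, restarts only from the latest '*'."""
    p = t = 0
    star = mark = -1
    while t < len(text):
        steps.tick()
        if p < len(pat) and pat[p] == "*":
            star, mark, p = p, t, p + 1
        elif p < len(pat) and pat[p] in ("?", text[t]):
            p, t = p + 1, t + 1
        elif star >= 0:
            mark += 1
            p, t = star + 1, mark
        else:
            return False
    return all(c == "*" for c in pat[p:])

def regex_match(pat, text, steps):
    """Naive backtracking over a tiny regex subset: literals, '.', 'x*'; whole-string match."""
    steps.tick()
    if not pat:
        return not text
    first = bool(text) and pat[0] in (".", text[0])
    if len(pat) > 1 and pat[1] == "*":
        # Zero occurrences of x, or consume one character and retry the same star.
        return regex_match(pat[2:], text, steps) or (first and regex_match(pat, text[1:], steps))
    return first and regex_match(pat[1:], text[1:], steps)

def evaluate(matcher, pat, text, budget=10_000):
    """Return (result, steps_used); result is None when the budget ran out."""
    steps = Steps(budget)
    try:
        return matcher(pat, text, steps), steps.used
    except BudgetExceeded:
        return None, steps.used

SUBJECT = "a" * 30  # constructed header value
if __name__ == "__main__":
    print(evaluate(glob_match, "*a*a*a*b", SUBJECT))
    print(evaluate(regex_match, "a*a*a*a*a*b", SUBJECT))
```

The glob matcher's work is at worst proportional to pattern length times text length, while the backtracking matcher's step count grows with every additional starred term, so only the latter needs the budget to stay bounded on this input.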
