[Zope-dev] Re: Collector #839: Zope, Include re module in _ namespace

Jim Fulton jim@digicool.com
Wed, 12 Apr 2000 09:38:56 -0400


tseaver@digicool.com wrote:
> 
> Duncan Booth reported:
> 
> > It would be very useful to have access to regular expression matching from DTML. Importing the re module into the _ namespace as is done for string, math and whrandom looks to me to be both safe and useful.
> >
> >
> 
> with patch:
> 
> > diff -r1.61 DT_Util.py
> > 205c205
> > < import string, math, whrandom
> > ---
> > > import string, math, whrandom, re
> > 219a220
> > > d['re']=re
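
Review bot: at 219a220, d['re']=re hands the entire module object to DTML, so template authors can call every function it exports with arbitrary pattern strings, and nothing in this patch bounds how long a match may run. Consider binding a small wrapper object that offers only the calls DTML needs and enforces a limit, instead of the module itself.
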
> 
> I am reluctant to Go There -- regexps are notoriously
> hard to get right, and when they go south, they often
> take the family silver with them. 

Yes.

> It would be fairly
> trivial to write a back-tracking regexp, even
> inadvertently, the execution of which would be an
> effective denial-of-service attack on the server.
> 
> DTML really isn't the right place for them, anyway:
> according to the prevailing wisdom of the zopemeisters,
> complicated logic belongs in Python, rather than in
> DTML.  (However, PythonMethods won't have access to
> the re module either without some help)

Right. Unless someone comes up with a "safe" re, one that
*cannot* cause infinite loops or core dumps, we won't
expose it in through the web code.
 
Jim

--
Jim Fulton           mailto:jim@digicool.com   Python Powered!        
Technical Director   (888) 344-4332            http://www.python.org  
Digital Creations    http://www.digicool.com   http://www.zope.org    

Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B) This email
address may not be added to any commercial mail list without my
permission.  Violation of my privacy with advertising or SPAM will
result in a suit for a MINIMUM of $500 damages/incident, $1500 for
repeats.
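
The concern raised in this thread, that a backtracking pattern is easy to write by accident and that a "safe" re must be unable to run away, can be made concrete with a step budget. The following is an added example, not part of the original message and not Zope code: a toy backtracking matcher (hypothetical names bounded_match, BudgetExceeded and NESTED; patterns are constructed nested tuples, not re syntax) that counts its steps and aborts past a limit.

```python
class BudgetExceeded(Exception):
    """Raised when a match attempt uses more steps than allowed."""

def bounded_match(node, text, budget):
    """Anchored backtracking match; returns (matched, steps) or raises.

    Patterns are nested tuples (a constructed mini-format, not re syntax):
    ('lit', c), ('seq', [nodes...]), ('plus', node) for greedy one-or-more.
    """
    steps = 0

    def m(node, i, k):
        # k is the continuation: "match the rest of the pattern from index j".
        nonlocal steps
        steps += 1
        if steps > budget:
            raise BudgetExceeded(steps)
        kind = node[0]
        if kind == 'lit':
            return i < len(text) and text[i] == node[1] and k(i + 1)
        if kind == 'seq':
            def run(idx, j):
                if idx == len(node[1]):
                    return k(j)
                return m(node[1][idx], j, lambda j2: run(idx + 1, j2))
            return run(0, i)
        if kind == 'plus':
            # Greedy: try another repetition first, then fall back to k.
            return m(node[1], i, lambda j: (j > i and m(node, j, k)) or k(j))
        raise ValueError('unknown node: %r' % (kind,))

    return bool(m(node, 0, lambda j: j == len(text))), steps

# (a+)+b, the classic nested-quantifier shape.
NESTED = ('seq', [('plus', ('plus', ('lit', 'a'))), ('lit', 'b')])

if __name__ == '__main__':
    print(bounded_match(NESTED, 'aaab', 10_000))
    # Without a trailing 'b' the step count roughly doubles per extra 'a'.
    for n in (8, 10, 12):
        print(n, bounded_match(NESTED, 'a' * n, 10**6)[1])
    try:
        bounded_match(NESTED, 'a' * 30, 10_000)
    except BudgetExceeded as exc:
        print('aborted after', exc.args[0], 'steps')
```

The budget turns an input that would otherwise run for an exponential number of steps into a bounded failure the caller can handle.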