[Zope] Using regexes in DTML expressions

Duncan Booth duncan@rcp.co.uk
Wed, 10 Nov 1999 14:28:38 +0000


> On 11/10/99 4:46 AM, Duncan Booth at duncan@rcp.co.uk wrote:
> 
> > 
> > I cannot see any good reason why this change couldn't be included
> > in the release so I will submit it to the collector.
> 
> Remember that things aren't in the space for multiple reasons... *one* of
> them is resource issues.  You can't use range because of this.  're' is
> another that can cause HUGE resource problems, as well as allowing people to
> easily (and accidentally, I've done it dozens of times) write regexes which
> are infinitely recursive and crash the server.    Having said that, I
> suppose at some point in the future, it'd be nice to control exactly what is
> available in the name-space in a more flexible way, and let individual
> administrators decide.
> 
I understand your point (although I cannot ever remember having 
that particular problem with a regex myself), but it is a great pity that 
you cannot safely include regular expressions in DTML methods. I 
wonder whether there is a 'safe' subset of regular expressions that 
may be easily detected and permitted while rejecting the potentially 
dangerous ones?

Having said that I note that range is in fact permitted these days and 
limiting it to a maximum of 1000 prevents users accidentally killing 
the server, but does not prevent malicious use (or really unlucky 
use) as it can be nested. Equally DTML such as:
  <dtml-let s="'oops' * 1000 * 1000 * 10">
    <dtml-var s>
  </dtml-let>
is a very easy way to bring my system to its knees (for a little while at 
least, it does actually recover after a few minutes).

I wonder whether there is any easy way to get Python to limit a 
particular thread's cpu time and/or memory usage. Unfortunately I 
suspect the answer is 'not without impacting performance'?


-- 
Duncan Booth                                             duncan@dales.rmplc.co.uk
int month(char *p){return(124864/((p[0]+p[1]-p[2]&0x1f)+1)%12)["\5\x8\3"
"\6\7\xb\1\x9\xa\2\0\4"];} // Who said my code was obscure?
http://dales.rmplc.co.uk/Duncan
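One way to approximate the 'safe subset' of regular expressions the message asks about is a static check that rejects the classic catastrophic-backtracking shape (an unbounded repeat of a group that itself contains an unbounded repeat) before the pattern is ever compiled. This is an added Python example, not code from the thread or from Zope; the function names and the 200-character length limit are my own choices.

```python
import re

def _unbounded_quantifier_len(pattern, i):
    """Length of an unbounded quantifier (*, +, {n,}) at pattern[i], else 0."""
    if pattern[i:i + 1] in ("*", "+"):
        return 1
    m = re.match(r"\{\d*,\}", pattern[i:])   # {n,} form: no upper bound
    return m.end() if m else 0

def has_nested_unbounded_quantifier(pattern):
    """True for the classic catastrophic-backtracking shape: an unbounded repeat
    of a group that itself contains an unbounded repeat, e.g. (a+)+, ([a-z]+){2,},
    ((a+)b)*.  Partial check: alternation blow-ups like (a|aa)+ are not caught."""
    stack = []            # one flag per open group: holds an unbounded quantifier?
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":                         # escaped char, never a quantifier
            i += 2
        elif c == "[":                        # skip a character class wholesale
            j = i + 2 if pattern[i + 1:i + 2] == "^" else i + 1
            if pattern[j:j + 1] == "]":       # a leading ] is literal
                j += 1
            while j < n and pattern[j] != "]":
                j += 2 if pattern[j] == "\\" else 1
            i = j + 1
        elif c == "(":
            stack.append(False)
            i += 1
        elif c == ")":
            inner = stack.pop() if stack else False
            i += 1
            qlen = _unbounded_quantifier_len(pattern, i)
            if qlen and inner:
                return True                   # unbounded repeat of an unbounded repeat
            inner = inner or bool(qlen)
            i += qlen
            if inner and stack:
                stack[-1] = True              # propagate up to the enclosing group
        else:
            qlen = _unbounded_quantifier_len(pattern, i)
            if qlen and stack:
                stack[-1] = True
            i += qlen or 1
    return False

def safe_compile(pattern, max_len=200):
    # Reject over-long patterns and nested unbounded repeats; compile the rest.
    if len(pattern) > max_len or has_nested_unbounded_quantifier(pattern):
        raise ValueError("rejected pattern: %r" % pattern)
    return re.compile(pattern)
```

The check is deliberately syntactic and incomplete: it blocks the common nested-quantifier mistakes, but a full answer to the resource question in the thread still needs a matcher with bounded backtracking or an execution limit.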