[Zope] DTML, Zope and Regex

Jorge O. Martinez jmartinez@eMediaMillWorks.com
Wed, 10 Jul 2002 13:32:39 -0400


Jim Penny wrote:
> On Wed, Jul 10, 2002 at 09:56:32AM -0700, Charlie Reiman wrote:
> 
>>I was agreeing with Toby, until it dawned on me that string.* is available
>>unrestricted. Yes, my regexs may be vulnerable to a DOS attack if someone
>>foists a 4M string at me. But so is string.index and string.rindex and (even
>>worse) string.lower. Besides, as Oliver points out, limiting access to re
>>doesn't mean I can't write code that wantonly consumes all CPU and memory.
>>His example is artificial but it could easily be modified to take parameters
>>from the HTTP REQUEST and still do stupid things.
> 
> 
> Yes, but at least each is linear w.r.t. input size.  regexes can be
> exponential.  Damn, I am trying to remember: it feels to me that they
> can be factorial (but this would be hard to do accidentally).
> 
> 
>>If the issue is resource (CPU or memory or disk) consumption, then trying to
>>limit package availability is never going to be a 100% solution. To limit
>>resource consumption, you must (wait for it....) limit resource consumption.
>>In other words, requests need CPU timeouts and memory quotas.
> 
> 
> True -- it is not, and was never intended to be a 100% solution.  It was
> an engineering tradeoff.  And I suspect that the needs of Zope Hosting
> providers was weighed heavily.  They would want to be able to look at a
> user's code that was taking a lot of resource and quickly make a
> decision on whether to continue to have him as a customer.  regexes
> would certainly make that more difficult.  I don't know any of this, I
> am as far outside Zope decision making circles as can be.

I think I am beginning to understand the scope of the decision to exclude regex 
support: more security for the future Zope ISPs vs. less convenience for the 
future Zope developers; however, don't you all think that potential Zope 
developers may be discouraged when they know they have to contact their ISP to 
install an external method or product if they have something that requires a 
simple regex in their DTML/TAL code, as opposed to a developer who is working 
on an Apache/PHP solution, and has all the functionality PHP offers including 
regex support (with the restrictions the admin imposes on users via php.ini) 
without having to ask the ISP for anything special (except if they need 
something more specialized like ImageMagick support)?

Looks like the security issue may be stepping on the usability issue's toes, 
which ultimately may interfere with wider adoption, as developers with access to 
their own boxes will be more likely to go for Zope than developers relying on 
ISPs.

Wouldn't it be better to somehow limit how much 'damage' developers can do in 
their own work area (via the Monster module, or zoped.ini for example), and 
give them enough rope to hang themselves, but not to crash the system? Don't 
know if that is possible, just an idea.

> 
> 
>>So to rephrase the original question: Assuming I'm willing to risk the DOS
>>attacks, is there any other security risk to opening up regexs for Zope use?
>>Is there some way a hacker can assume control of my Zope server or change
>>its content because I decided to utilize regexes in my Python scripts?
> 
> 
> Not to my knowledge.  In fact, I doubt it; the regex compilation process
> is completely uncontrollable by input, and I would be surprised if there
> were any problems in the match algorithm that could be exploited by
> input (although I seem to recall dimly problems with Unicode).
> 
> 
>>You don't have to tell me how, of course. Just let me know if it is
>>possible.
> 
> 
> Jim Penny
> 
> 
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists - 
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
> 



-- 
Jorge O. Martinez
MIS Senior Associate
FDCH-eMedia Inc.
2400 Forbes Blvd., Suite 200
Lanham, MD 20706
E-mail  => jmartinez@eMediaMillWorks.com
Phone   => (301)731-1228 ext. 105
Fax     => (301)731-0937
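As an added example that is not part of this thread, the Python script below makes Jim's linear-vs-exponential point measurable (a nested-quantifier pattern against str.find on the same near-miss input) and shows the input-size cap that the "limit resource consumption" argument calls for. The pattern, the 4096-character cap and the helper names are assumptions for illustration, not anything from Zope.

```python
import re
import time
from itertools import product

# Constructed illustration: nested quantifiers make a backtracking engine try
# on the order of 2^n ways to fail on the near-miss input "aaa...ab", while
# str.find on the same input (the string.index of the thread) stays linear.
CATASTROPHIC = re.compile(r'^(a+)+$')
# Accepts exactly the same strings, but without the nesting, so failing is fast.
LINEAR = re.compile(r'^a+$')
MAX_INPUT = 4096  # hypothetical per-request cap; tune per application

class InputTooLarge(ValueError):
    """Raised instead of handing over-long untrusted input to the regex engine."""

def bounded_match(pattern, text, limit=MAX_INPUT):
    """A size cap bounds the work any pattern can do before the engine starts;
    it is the cheap half of 'requests need CPU timeouts and memory quotas'."""
    if len(text) > limit:
        raise InputTooLarge(f"input of {len(text)} chars exceeds cap {limit}")
    return pattern.match(text) is not None

def timed(func, *args):
    start = time.perf_counter()
    func(*args)
    return time.perf_counter() - start

def growth(sizes):
    """(n, nested regex, flat regex, str.find) seconds on the input 'a'*n + 'b'."""
    rows = []
    for n in sizes:
        text = 'a' * n + 'b'
        rows.append((n, timed(CATASTROPHIC.match, text),
                     timed(LINEAR.match, text), timed(text.find, 'b')))
    return rows

def same_language(p, q, max_len=8):
    """Brute-force check that two patterns accept the same strings over {a,b}."""
    for n in range(max_len + 1):
        for chars in product('ab', repeat=n):
            s = ''.join(chars)
            if (p.match(s) is None) != (q.match(s) is None):
                return False
    return True

if __name__ == '__main__':
    for n, nested, flat, find in growth([8, 12, 16, 20]):
        print(f"n={n:2d}  nested={nested:.4f}s  flat={flat:.6f}s  find={find:.7f}s")
```

Each step of four extra characters multiplies the nested pattern's time by roughly sixteen while the other two columns barely move, which is the difference between a bug a hosting provider can tolerate and one that needs a quota.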