[Zope] More regular expressions security

Oliver Bleutgen myzope@gmx.net
Sun, 19 Jan 2003 20:11:45 +0100


Tue Wennerberg wrote:
> 
> Regular expressions should be allowed by default.
> 
> I've spent some time trying to find out why regular expressions are not 
> allowed in Zope through-the-web development.
> 
> The answer I hear is: "Because it's a security issue". Digging a little 
> deeper, it turns out to be because TTW script developers can cause a 
> Denial of Service from Zope by writing a particularly nasty regular 
> expression in a script, causing Zope to use 100% cpu time.

Well, I vaguely remember having participated in a discussion about that 
also, and I believe I chipped in an example like:

for a in range(0, 1000):
    for b in range(0, 1000):
        for c in range(0, 1000):
            pass  # the body does nothing; the 10^9 iterations alone burn the CPU

... you get the picture.
Thus demonstrating that a malicious scripter could always cause a DoS. 
The answer I got, IIRC, was that the point is not to guard against 
maliciousness, but against stupidity. And if you think about it, it's 
much more likely that someone writes a working, but extremely badly 
performing regexp, which kills the server as soon as it is put into 
production use, than that someone accidentally nests loops like I wrote above.
I don't know about you, but I think this argument is at least more 
convincing than the "malicious scripter" one.

After all, the absence of strcpy() in python is a feature, isn't it? ;)

cheers,
oliver
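The "working but badly performing regexp" case the thread is about can be made concrete. The following is an added example, not code from the thread or from Zope: it times a textbook nested-quantifier pattern against an equivalent unambiguous one on a near-miss input, and shows the simplest guard a restricted environment can apply without banning regular expressions outright, namely refusing to run a pattern on input longer than a fixed cap. The pattern names, `MAX_INPUT_LEN` and `safe_match` are assumptions for illustration, not Zope settings.

```python
import re
import time

# Constructed for this example: an innocent-looking pattern whose nested
# quantifiers backtrack exponentially on a near-miss input, and an
# equivalent pattern that accepts the same language without the ambiguity.
AMBIGUOUS = re.compile(r"^(a+)+$")
UNAMBIGUOUS = re.compile(r"^a+$")

# Assumed policy limit for this example; not a Zope setting.
MAX_INPUT_LEN = 256


def time_match(pattern, text):
    """Return (matched, seconds) for one match attempt of `pattern` on `text`."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def safe_match(pattern, text, max_len=MAX_INPUT_LEN):
    """Refuse to run `pattern` at all on inputs longer than `max_len`.

    Bounding the input bounds the worst-case work a careless pattern can do,
    which is the practical mitigation for the "stupidity, not malice" case.
    Returns True/False for a decision, or None if the input was rejected.
    """
    if len(text) > max_len:
        return None
    return pattern.match(text) is not None


def backtracking_demo(max_n=16):
    """Time both patterns on 'aaa...ab' for growing n.

    Returns a list of (n, seconds_ambiguous, seconds_unambiguous) rows; the
    ambiguous column roughly doubles for every extra 'a', the other stays flat.
    """
    rows = []
    for n in range(8, max_n + 1, 2):
        near_miss = "a" * n + "b"  # constructed input: almost matches, then fails
        _, slow = time_match(AMBIGUOUS, near_miss)
        _, fast = time_match(UNAMBIGUOUS, near_miss)
        rows.append((n, slow, fast))
    return rows


if __name__ == "__main__":
    for n, slow, fast in backtracking_demo():
        print(f"n={n:2d}  ^(a+)+$: {slow:.5f}s   ^a+$: {fast:.6f}s")
```

Running the demo prints the timing table; the point to take from it is that the cost of the first pattern grows with the length of the input it fails on, which is why a length cap (or a linear-time engine) is the defensive knob, rather than a review of each pattern for good taste.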