[Zope] More regular expressions security

Oliver Bleutgen myzope@gmx.net
Sun, 19 Jan 2003 21:56:52 +0100


Tue Wennerberg wrote:

> 
> Well, now we're getting somewhere. I believe that "guarding against 
> stupidity" is a much more valid point. However, still not valid enough 
> that regular expressions should be banned, since regular expressions 
> would be such a great feature for Zope.

It's not as if you couldn't use regexps in Zope, it's just not as easy as 
you would like it to be.

> In my eyes, a script developer should be trusted to create well-written 
> code. In other words, badly developed scripts cause a badly developed 
> site, which shouldn't surprise anyone. I don't think Zope should (or 
> can) protect against stupidity. In my experience, when non-expert
> developers create regular expressions, they are always trivial 
> expressions, which don't cause such problems.
> 
> Of course a programming error shouldn't be able to shutdown an entire 
> system, but that should be solved in another way (e.g. resource control 
> for individual processes/threads).

Well, now you are contradicting yourself, IMO. First you assert that 
Zope shouldn't protect against stupidity, then you want to have resource 
control. Resource control can give a lot of support headaches, and 
everywhere it is used it causes a lot of mailing list traffic (the Linux OOM 
killer is a prominent example). For various reasons the problem of 
implementing something like that in Zope would be even more of a headache, 
I assume, and it's much less needed. Somewhere the line has to be drawn, 
and I think what is done in Zope is quite reasonable, albeit arguable. 
Anyway, I have no strong feelings one way or the other, just wanted to 
pass on what I have learned from the same discussion.


cheers,
oliver