On Thu, 2015-12-24 at 14:06 +0000, Finucane, Stephen wrote:
> >
> > Paths are validated by trying to compile it as a regexp using a custom
> > validator.
> >
> > Signed-off-by: Laurent Pinchart <[email protected]>
> > Signed-off-by: Mauro Carvalho Chehab <[email protected]>
>
> Some small nits that I can fix myself. Other than that,
>

A small comment that may or may not be relevant - but there's a bunch of things one can do with regexes, from taking a lot of CPU to taking a lot of memory.

What's the trust model for running regexes? I haven't found it in the patches easily right now. If it's configured only in the config file it should be OK, but if any kind of remote user can configure it then it may need safeguards of some kind?

I'm just thinking of a use case like kernel.org where you don't really even trust the people who are the typical delegates/admins in patchwork for a given project, since they are pretty much just random people the admin doesn't necessarily trust much.

(Or put another way - I'd hate for them to patch out/disable this feature because of security concerns, since I'd want to use it on kernel.org, but I'm not sure the admins would want me configuring arbitrary regexes there)

johannes
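
One possible safeguard of the kind asked about above, as an added example that is not part of this message or of the patchwork code: the rule is compiled and matched in a short-lived child process that is killed after a timeout, so a pattern that compiles cleanly but backtracks heavily cannot tie up the server. The names probe_pattern and MAX_PATTERN_LEN, the limits and the sample paths are assumptions; the sketch bounds time only, not memory.

```python
import subprocess
import sys

# Child program: the untrusted pattern is compiled and run here, never in
# the server process. Exit codes 10/11/12 avoid clashing with the
# interpreter's own exit code 1 for an uncaught exception.
_CHILD = r"""
import re, sys
try:
    rx = re.compile(sys.argv[1])
except Exception:
    sys.exit(12)
sys.exit(10 if rx.search(sys.argv[2]) else 11)
"""

MAX_PATTERN_LEN = 200  # assumed cap on the length of a configured rule
_RESULTS = {10: "match", 11: "no-match", 12: "invalid"}


def probe_pattern(pattern, path, timeout=2.0):
    """Match `pattern` against `path` in a child process.

    Returns "match", "no-match", "invalid", "timeout" or "error".
    """
    # NUL bytes cannot be passed in argv, so reject them up front.
    if len(pattern) > MAX_PATTERN_LEN or "\0" in pattern or "\0" in path:
        return "invalid"
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", _CHILD, pattern, path],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout,  # the child is killed when this expires
        )
    except subprocess.TimeoutExpired:
        return "timeout"
    return _RESULTS.get(proc.returncode, "error")


if __name__ == "__main__":
    # Constructed inputs: an ordinary path rule and a nested-quantifier rule.
    print(probe_pattern(r"^drivers/net/.*\.c$", "drivers/net/foo.c"))
    print(probe_pattern(r"(a+)+$", "a" * 40 + "!", timeout=1.0))
```

A compile-only validator would accept both rules above; only the time limit distinguishes them.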
