On 2017-08-09, Cameron Simpson <[email protected]> wrote: > On 08Aug2017 17:31, Jon Ribbens <[email protected]> wrote: >>On 2017-08-08, Chris Angelico <[email protected]> wrote: >>> On Wed, Aug 9, 2017 at 2:57 AM, Larry Martell <[email protected]> >>> wrote: >>>> Yeah, it does not throw for 'A|B|' - but mysql chokes on it with empty >>>> subexpression for regexp' I'd like to flag it before it gets to SQL. >>> >>> Okay, so your definition of validity is "what MySQL will accept". In >>> that case, I'd feed it to MySQL and see if it accepts it. Regexps are >>> sufficiently varied that you really need to use the same engine for >>> validation as for execution. >> >>... but bear in mind, there have been ways of doing denial-of-service >>attacks with valid-but-nasty regexps in the past, and I wouldn't want >>to rely on there not being any now. > > The ones I've seen still require some input length (I'm thinking exponential > rematch backoff stuff here). I suspect that if your test query matches the RE > against a fixed empty string it is hard to be exploited. i.e. I think most of > this stuff isn't expensive in terms of compiling the regexp but in > executing it against text.
Well yes, but presumably if the OP is receiving regexps from users they will be executed against text sooner or later. -- https://mail.python.org/mailman/listinfo/python-list
