On 2017-08-10, Cameron Simpson <[email protected]> wrote:
> On 09Aug2017 10:46, Jon Ribbens <[email protected]> wrote:
>>On 2017-08-09, Cameron Simpson <[email protected]> wrote:
>>> On 08Aug2017 17:31, Jon Ribbens <[email protected]> wrote:
>>>>... but bear in mind, there have been ways of doing denial-of-service
>>>>attacks with valid-but-nasty regexps in the past, and I wouldn't want
>>>>to rely on there not being any now.
>>>
>>> The ones I've seen still require some input length (I'm thinking
>>> exponential rematch backoff stuff here). I suspect that if your
>>> test query matches the RE against a fixed empty string it is hard
>>> to be exploited. i.e. I think most of this stuff isn't expensive
>>> in terms of compiling the regexp but in executing it against text.
>>
>>Well yes, but presumably if the OP is receiving regexps from users
>>they will be executed against text sooner or later.
>
> True, but the OP (Larry) was after validation.
>
> The risk then depends on the degree of trust in the user. If the user is a
> random person-from-the-internets, sure there's a risk there. However, if the
> regexp is part of some internal configuration being set up by trusted people
> (e.g. staff pursuing a goal) then validation will normally be enough.
>
> Of course, that is a call for Larry to make, not us, but it needs to be borne
> in mind by him.
Yes... hence my mentioning it.

-- 
https://mail.python.org/mailman/listinfo/python-list
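A defender-side validator along the lines of this thread, added here as an illustration and not code from the list or from Larry's program: it compiles the pattern (which is all a compile-only check proves) and then walks Python's own regex parse tree to reject the nested-quantifier shapes behind the exponential backtracking Cameron mentions. The length limit, the function names and the sample patterns are assumptions of this example; the parser module (re._parser on 3.11+, sre_parse before) is the real one the re module uses.

```python
import re

try:  # Python 3.11+ keeps the parser at re._parser; older versions use sre_parse
    from re import _parser as sre_parse
except ImportError:
    import sre_parse

MAX_PATTERN_LEN = 200  # assumed policy limit for untrusted patterns


def _has_nested_repeat(subpattern, inside_unbounded=False):
    """True if a repeat sits inside an unbounded repeat (+, *, {n,}).

    Shapes such as (a+)+ or (\\d*)* let the backtracking matcher try an
    exponential number of ways to split the input, so matching a
    non-matching string of modest length can take effectively forever.
    Heuristic only: ambiguous alternations like (a|aa)+ are not caught.
    """
    for op, value in subpattern:
        if op in (sre_parse.MAX_REPEAT, sre_parse.MIN_REPEAT):
            lo, hi, inner = value
            if inside_unbounded:
                return True
            unbounded = hi == sre_parse.MAXREPEAT
            if _has_nested_repeat(inner, unbounded):
                return True
        elif op == sre_parse.SUBPATTERN:
            # value is (group, add_flags, del_flags, subpattern); tree is last
            if _has_nested_repeat(value[-1], inside_unbounded):
                return True
        elif op == sre_parse.BRANCH:
            for alternative in value[1]:
                if _has_nested_repeat(alternative, inside_unbounded):
                    return True
    return False


def validate_user_regex(pattern):
    """Return (ok, reason) for a regexp supplied by an untrusted user.

    Compiling proves only that the syntax is valid; the cost is paid when the
    pattern is executed against text, so reject the patterns whose parse tree
    nests repeats before they ever reach real input.
    """
    if len(pattern) > MAX_PATTERN_LEN:
        return False, "pattern too long"
    try:
        re.compile(pattern)  # syntax check, as the compile-only validation does
        tree = sre_parse.parse(pattern)
    except re.error as exc:
        return False, "invalid regexp: %s" % exc
    if _has_nested_repeat(tree):
        return False, "nested quantifier (possible catastrophic backtracking)"
    return True, "ok"
```

Note that `(a+)+$` compiles without complaint, which is exactly why a compile-only check is not enough once the pattern will run against user-controlled text.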
