csteipp added a comment.
Yes, that's ok for now
TASK DETAIL
https://phabricator.wikimedia.org/T101467
To: Jonaskeutel, csteipp
Cc: thiemowmde, Jonaskeutel, Wikibase-Quality-Constraints, Aklapper,
thiemowmde added a subscriber: thiemowmde.
thiemowmde added a comment.
Sanitizing usually isn't going to work. The only solution is to only allow
certain users (usually administrators) to create and maintain these regular
expressions.
csteipp added a comment.
I'm not sure what kinds of regexes are expected here, so can't give great
guidance on the best solution. Thiemowmde's solution of only allowing admins to
add them will prevent mass exploitation, but would still allow admins to attack
the server in the case of another
Jonaskeutel added a subscriber: Jonaskeutel.
Jonaskeutel added a comment.
We read about this and understand it's problematic, but we still have no idea
how to fix this issue. For concerns about the runtime we could add a timeout
which would lead in the worst case to a false negative, but about