https://bugzilla.wikimedia.org/show_bug.cgi?id=19298

--- Comment #6 from Andrew Garrett <agarr...@wikimedia.org>  2009-06-19 19:43:44 UTC ---
(In reply to comment #5)
> Interesting idea.  That would make a lot of sense.  Not as powerful or "nice"
> as Lua, but it's vastly saner syntax than StringFunctions.  How easy would
> that be to write up?

It wouldn't be difficult to make the abuse filter parser generic enough to
include inline in wikitext.

There would be a few things to clean up enough to actually deploy it inline on
Wikimedia:
* We'd want a more comprehensive testing suite to make sure nothing regressed.
* We'd want to reimplement the parser either with a shunting-yard algorithm,
and/or in C/C++, to handle the increased load the feature would undoubtedly get
vis-a-vis the parser as used by the abuse filter.
* I understand there are a few potential security holes with user-supplied
regexes, including at least denial of service attacks by making very
computationally-difficult regexes and running them against very large test
strings. In the past there have been remote code execution vulnerabilities with
user-supplied regexes. We'd need to find some way to work around this, or
disable regexes.
* Generally speaking, there are other ways to DoS (and maybe more) the servers
with untrusted code.


_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
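The comment above lists two defences against the regex problems it describes: a hard cap on pattern and subject size, and an engine that cannot be driven into exponential backtracking. The following is an added example, not code from the bug, from AbuseFilter or from MediaWiki (which is PHP and uses PCRE). It uses Go's standard regexp package, an RE2-style engine that guarantees linear matching time and rejects backreferences at compile time, and wraps it with length limits. The limit values and the function names are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Limits on untrusted input. These numbers are assumptions chosen for
// illustration; a real deployment would tune them to its load.
const (
	maxPatternLen = 256
	maxSubjectLen = 64 * 1024
)

var (
	ErrPatternTooLong = errors.New("pattern exceeds length limit")
	ErrSubjectTooLong = errors.New("subject exceeds length limit")
)

// CompileUntrusted compiles a user-supplied pattern under a length cap.
// Go's regexp is an RE2-style engine: matching time is linear in the
// subject length and backreferences are rejected at compile time, so a
// pattern like `(a+)+$` cannot trigger exponential backtracking.
func CompileUntrusted(pattern string) (*regexp.Regexp, error) {
	if len(pattern) > maxPatternLen {
		return nil, ErrPatternTooLong
	}
	return regexp.Compile(pattern)
}

// MatchUntrusted applies a capped pattern to a capped subject and returns
// the result together with the wall-clock time spent, so a caller can log
// or alert on anything unexpectedly slow.
func MatchUntrusted(pattern, subject string) (bool, time.Duration, error) {
	if len(subject) > maxSubjectLen {
		return false, 0, ErrSubjectTooLong
	}
	re, err := CompileUntrusted(pattern)
	if err != nil {
		return false, 0, err
	}
	start := time.Now()
	matched := re.MatchString(subject)
	return matched, time.Since(start), nil
}

func main() {
	// Constructed inputs: a classic backtracking bomb and a subject that
	// almost matches, which is the worst case for a backtracking engine.
	bomb := `(a+)+$`
	subject := strings.Repeat("a", 40) + "b"

	matched, elapsed, err := MatchUntrusted(bomb, subject)
	fmt.Printf("%q on %d bytes: matched=%v err=%v in %v\n",
		bomb, len(subject), matched, err, elapsed)

	// Backreferences are the feature most often behind both exponential
	// blowup and historical engine bugs; RE2-style engines refuse them.
	if _, err := CompileUntrusted(`(a)\1`); err != nil {
		fmt.Println("backreference rejected:", err)
	}

	// Oversized subjects are refused before any matching work happens.
	_, _, err = MatchUntrusted(`a`, strings.Repeat("a", maxSubjectLen+1))
	fmt.Println("oversized subject:", err)
}
```

The same pattern and subject fed to a backtracking engine such as PCRE (what PHP uses) grows exponentially in the number of a's; under PCRE the equivalent safety net is the pcre.backtrack_limit setting, which makes preg_match return false once the budget is exhausted rather than run unbounded. Switching engines removes backreferences and lookaround from the user-facing syntax, which is the trade-off the comment alludes to with "work around this, or disable regexes".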