daniel created this task.
daniel added a subscriber: daniel.
daniel added a project: Wikibase-Quality-Constraints.
Herald added a subscriber: Aklapper.
Herald added a project: Wikidata.

TASK DESCRIPTION
  Pattern constraints are based on regular expressions. Evaluating user 
supplied regular expressions on the server is, however, a potential DoS vector, 
since it is easy to write malicious expressions that would use a lot of CPU and 
RAM when evaluated, typically by causing //catastrophic backtracking//. 
Furthermore, care must be taken to prevent PHP code injection via the /e flag.
  
  For this reason, pattern constraints are currently disabled.
  
  This ticket calls for an investigation and implementation that would allow 
pattern constraints to be applied safely. This may be done by sufficiently 
sandboxing PCRE evaluation, or by moving to a different language for patterns 
(e.g. an extended version of glob, or a restricted form of regular 
expressions). 
  
  Note that for the use case at hand, namely, validating external identifiers, 
the full power of regular expressions is not needed. A simpler subset that is 
restricted to greedy possessive matches (that is, no backtracking) may be 
sufficient.
  
  ----
  Relevant thread on StackOverflow: 
https://stackoverflow.com/questions/31256970/how-do-i-sandbox-the-evaluation-of-user-supplied-patterns
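
  As an added illustration of the "sandbox PCRE evaluation" option (example 
code written for this page, not code from the task or from the 
Wikibase-Quality-Constraints code base): the caller, not the user, chooses the 
delimiters and modifiers; unescaped delimiter characters inside the user 
pattern are escaped so the pattern cannot be terminated early to append 
modifiers such as /e; and pcre.backtrack_limit / pcre.recursion_limit are 
lowered for the duration of the call, so a pattern that backtracks 
catastrophically fails with an error instead of burning CPU. The function 
names escapeDelimiter and matchWithBudget, the limit values and the sample 
patterns are assumptions made for the example.

```php
<?php
// Added example, not Wikibase code: run a user-supplied PCRE pattern with a
// backtracking budget and caller-controlled delimiters/modifiers.

const PATTERN_DELIMITER = '/';

/**
 * Escape every unescaped occurrence of the delimiter in the user pattern.
 * PHP finds the end of a pattern by scanning for the first delimiter that is
 * not preceded by a backslash, so an unescaped "/" in user input would end the
 * pattern early and turn the rest into modifiers (the /e concern).
 */
function escapeDelimiter(string $pattern): string
{
    $out = '';
    $len = strlen($pattern);
    for ($i = 0; $i < $len; $i++) {
        $c = $pattern[$i];
        if ($c === '\\' && $i + 1 < $len) {
            // Copy escape sequences unchanged (this also keeps an already
            // escaped delimiter, "\/", as it is).
            $out .= $c . $pattern[++$i];
        } elseif ($c === PATTERN_DELIMITER) {
            $out .= '\\' . $c;
        } else {
            $out .= $c;
        }
    }
    return $out;
}

/**
 * Match $subject against $userPattern as a whole-string identifier check.
 * Returns true/false for a definite answer, or null when PCRE could not give
 * one: invalid pattern, bad UTF-8, or the backtrack/recursion/JIT-stack limit
 * was hit. Callers should report null as "constraint could not be evaluated",
 * not as a violation.
 */
function matchWithBudget(string $userPattern, string $subject, int $backtrackLimit = 10000): ?bool
{
    // \A ... \z (not ^ ... $) so a trailing newline cannot pass; the
    // non-capturing group keeps a top-level "|" in the user pattern inside
    // the anchors. The modifier string is fixed here and never user-controlled.
    $regex = PATTERN_DELIMITER
        . '\A(?:' . escapeDelimiter($userPattern) . ')\z'
        . PATTERN_DELIMITER . 'u';

    $oldBacktrack = ini_get('pcre.backtrack_limit');
    $oldRecursion = ini_get('pcre.recursion_limit');
    ini_set('pcre.backtrack_limit', (string) $backtrackLimit);
    ini_set('pcre.recursion_limit', '1000');
    try {
        // "@" silences the warning for a syntactically invalid pattern; the
        // return value and preg_last_error() are checked instead.
        $result = @preg_match($regex, $subject);
    } finally {
        ini_set('pcre.backtrack_limit', (string) $oldBacktrack);
        ini_set('pcre.recursion_limit', (string) $oldRecursion);
    }

    if ($result === false || preg_last_error() !== PREG_NO_ERROR) {
        return null;
    }
    return $result === 1;
}

// Constructed demonstration inputs (not Wikidata constraint data).
$idPattern = 'Q[1-9]\d*';                            // shape of an item identifier
var_dump(matchWithBudget($idPattern, 'Q42'));        // bool(true)
var_dump(matchWithBudget($idPattern, "Q42\n"));      // bool(false): \z rejects the trailing newline

// Nested quantifiers on a subject that almost matches: exponential
// backtracking without a budget, a fast null with one.
$evilPattern = '(a+)+b';
var_dump(matchWithBudget($evilPattern, str_repeat('a', 40) . '!'));  // NULL

// An unescaped "/" followed by "e" is escaped before PCRE sees it, so it is
// matched as a literal slash instead of being read as a modifier.
var_dump(matchWithBudget('Q\d+/e', 'Q42/e'));        // bool(true)
var_dump(matchWithBudget('Q\d+/e', 'Q42'));          // bool(false)
```

  Which error code preg_last_error() reports for the pathological case 
depends on whether pcre.jit is enabled (backtrack limit versus JIT stack 
limit); the example treats every non-success uniformly as null. The budget 
bounds backtracking during the match, not the cost of compiling the pattern, 
so a cap on the length of the pattern text is a cheap complement. The null 
result also covers an invalid UTF-8 subject under the u modifier.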

TASK DETAIL
  https://phabricator.wikimedia.org/T105126

To: daniel
Cc: Aklapper, daniel, Wikidata-bugs, aude, Malyacko, P.Copp



_______________________________________________
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs