Hi!
This reminds me of something. There's an interesting paper about ReDoS resilience in different regex engines. Some programming languages, including PHP, are evaluated there and compared: https://www.usenix.org/system/files/sec22-turonova.pdf
PHP has some configuration knobs for pcre (https://www.php.net/manual/en/pcre.configuration.php), not a lot to tune, but maybe they can be? To be honest, I haven't looked much into this.
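The pcre knobs mentioned above (pcre.backtrack_limit, pcre.recursion_limit, pcre.jit) are the only runtime defence PHP offers against a pathological pattern. The following is an added example, not code from this thread or from PHP itself; it shows how a lowered backtrack limit turns catastrophic backtracking into an error that preg_match() reports through preg_last_error(), rather than a long stall. The pattern, the subject string and the limit values are constructed for illustration, and safe_preg_match() is a hypothetical wrapper name.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Assumes PHP 8.0+ for preg_last_error_msg().

// Use the interpretive matcher so pcre.backtrack_limit is the counter that fires;
// with the JIT enabled the limits are accounted differently.
ini_set('pcre.jit', '0');
// Cap backtracking steps well below the php.ini default of 1000000 (illustrative value).
ini_set('pcre.backtrack_limit', '100000');

/**
 * Hypothetical wrapper: run preg_match() and distinguish "no match" from
 * "the engine gave up because a resource limit was hit".
 *
 * @return array{matched: ?bool, error: ?string}  matched is null when the engine aborted.
 */
function safe_preg_match(string $pattern, string $subject): array
{
    $result = preg_match($pattern, $subject);
    if ($result === false) {
        // preg_match() returns false (no warning) when a PCRE limit is exhausted.
        $code = preg_last_error();
        $msg  = preg_last_error_msg();
        if ($code === PREG_BACKTRACK_LIMIT_ERROR || $code === PREG_RECURSION_LIMIT_ERROR
            || $code === PREG_JIT_STACKLIMIT_ERROR) {
            return ['matched' => null, 'error' => "resource limit: {$msg}"];
        }
        return ['matched' => null, 'error' => $msg];
    }
    return ['matched' => $result === 1, 'error' => null];
}

// Constructed input: a nested quantifier with a non-matching tail, the classic
// shape that forces exponential backtracking (2^30 paths before the match fails).
$pattern = '/^(a+)+$/';
$hostile = str_repeat('a', 30) . 'b';

$t0 = hrtime(true);
$r  = safe_preg_match($pattern, $hostile);
$ms = (hrtime(true) - $t0) / 1e6;
printf("hostile: matched=%s error=%s elapsed=%.1f ms\n",
    var_export($r['matched'], true), $r['error'] ?? 'none', $ms);

// A benign subject of the same length still matches normally under the same limit,
// so the cap costs nothing for ordinary input.
$ok = safe_preg_match($pattern, str_repeat('a', 30));
printf("benign:  matched=%s error=%s\n",
    var_export($ok['matched'], true), $ok['error'] ?? 'none');
```

The point for application code is the `false` return: preg_match() does not throw or warn when a limit is exhausted, so a caller that writes `if (!preg_match(...))` silently treats an aborted match as "no match". Checking preg_last_error() after a false result, and logging limit errors, is what makes a ReDoS attempt visible rather than just slow.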
Interesting topics, but I think not the top priority for the security audit, due to the fact that in PHP common use, regexps rarely come from a third party, and if they do (e.g. if you're writing a RE-driven search engine) you'd probably have potentially expensive searches anyway and thus make some ways to deal with it.
In general, I think there are two security aspects we're dealing with - one is guarding the PHP user from a hostile third party, and another is guarding the PHP developer from writing code that may expose the end user. I think the former is the higher priority, though both are ultimately important.
Thanks,
--
Stas Malyshev
smalys...@gmail.com

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php