On Wed, Aug 9, 2017 at 8:33 PM, Cameron Simpson <[email protected]> wrote:
> On 09Aug2017 10:46, Jon Ribbens <[email protected]> wrote:
>>
>> On 2017-08-09, Cameron Simpson <[email protected]> wrote:
>>>
>>> On 08Aug2017 17:31, Jon Ribbens <[email protected]> wrote:
>>>>
>>>> ... but bear in mind, there have been ways of doing denial-of-service
>>>> attacks with valid-but-nasty regexps in the past, and I wouldn't want
>>>> to rely on there not being any now.
>>>
>>> The ones I've seen still require some input length (I'm thinking exponential
>>> rematch backoff stuff here). I suspect that if your test query matches the RE
>>> against a fixed empty string it is hard to be exploited. I.e. I think most of
>>> this stuff isn't expensive in terms of compiling the regexp but in
>>> executing it against text.
>>
>> Well yes, but presumably if the OP is receiving regexps from users
>> they will be executed against text sooner or later.
>
> True, but the OP (Larry) was after validation.
>
> The risk then depends on the degree of trust in the user. If the user is a
> random person-from-the-internets, sure there's a risk there. However, if the
> regexp is part of some internal configuration being set up by trusted people
> (eg staff pursuing a goal) then validation will normally be enough.
>
> Of course, that is a call for Larry to make, not us, but it needs to be
> borne in mind by him.
The input comes from in-house people, not from the internet.

-- 
https://mail.python.org/mailman/listinfo/python-list
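The following is an added example, not code posted in this thread or belonging to the python-list project, that makes Cameron's point concrete: compiling a pattern and running it once against the empty string is cheap and accepts a nested-quantifier pattern just as readily as a flat one, and the cost only shows up when the pattern is run against real text of some length. EVIL_PATTERN, SAFE_PATTERN and the "aaa...!" subjects are constructed for illustration; absolute timings will vary by machine, but the exponential growth for the nested pattern will not.

```python
"""Regex validation versus regex execution (added example, not from the thread).

EVIL_PATTERN, SAFE_PATTERN and the 'aaa...!' inputs below are constructed
for illustration.
"""
import re
import time


def validate_regex(pattern):
    """Validate a user-supplied pattern the way the thread suggests: compile it,
    then run it once against the empty string.

    Raises ValueError for a syntactically invalid pattern. It deliberately says
    nothing about runtime cost, because that depends on the subject text."""
    try:
        compiled = re.compile(pattern)
    except re.error as exc:
        raise ValueError(f"invalid regex {pattern!r}: {exc}") from None
    compiled.search("")  # empty subject: no input length for backtracking to exploit
    return compiled


def is_valid_regex(pattern):
    """Boolean wrapper around validate_regex for callers that only want a verdict."""
    try:
        validate_regex(pattern)
    except ValueError:
        return False
    return True


def min_search_time(compiled, text, repeats=3):
    """Best-of-N wall-clock seconds for compiled.search(text)."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        compiled.search(text)
        best = min(best, time.perf_counter() - start)
    return max(best, 1e-9)  # avoid a zero denominator on coarse timers


# Constructed patterns. Both accept exactly the strings made of one or more
# 'a', but the first nests quantifiers: on a subject like 'aaaa...!' the engine
# tries every way of splitting the run of 'a's between the inner and outer '+'
# before '$' finally fails, i.e. on the order of 2**n attempts.
EVIL_PATTERN = r"^(a+)+$"
SAFE_PATTERN = r"^a+$"


def backtracking_blowup(short=8, long=18):
    """Run both (validated!) patterns against a short and a long non-matching
    subject and report how much slower the long one is for each pattern."""
    results = {}
    for name, pattern in (("evil", EVIL_PATTERN), ("safe", SAFE_PATTERN)):
        rx = validate_regex(pattern)  # both pass validation without complaint
        t_short = min_search_time(rx, "a" * short + "!")
        t_long = min_search_time(rx, "a" * long + "!")
        results[name] = {"short_s": t_short, "long_s": t_long,
                         "ratio": t_long / t_short}
    return results


if __name__ == "__main__":
    for name, r in backtracking_blowup().items():
        print(f"{name:5s} short={r['short_s']:.6f}s long={r['long_s']:.6f}s "
              f"ratio={r['ratio']:.0f}x")
```

Running the script prints a ratio near 1 for the flat pattern and a ratio in the hundreds or more for the nested one, even though validate_regex passed both. That is the practical reading of the thread: validation at configuration time is a syntax check, and whether a pattern can stall the service is decided by the text it is later applied to, which is why trust in the people writing the patterns (and not the validator) is what carries the risk.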
