Hi Greg, just a doubt: on looking at first sight I don't understand what the regex "^(\d+)+$" does additionally, as it should be equivalent to "^(\d+)$".
I am more Perlish (from Perl) biased, which says the regex is greedy and hence it will anyway go to the maximum match. Pl. clarify, thanks.

abhishek

On Fri, May 28, 2010 at 12:42 AM, Greg Lindholm <greg.lindh...@gmail.com> wrote:
> This link is to an article that talks of how Denial of Service attacks
> can target vulnerable Regular Expressions.
>
> Regular Expression Denial of Service Attacks and Defenses
> http://msdn.microsoft.com/en-us/magazine/ff646973.aspx
> (Not sure if you need to login to see this page, I hope not.)
>
> A friend tested the example expression "^(\d+)+$" using the Java Regex
> library and discovered it is vulnerable and a badly formed 30
> character string was taking over 2 minutes to determine that it didn't
> match.
>
> Struts 2 (and many other frameworks) use regular expressions in
> validation. I'm wondering if anyone has checked to see if any of the
> built in regex expressions are vulnerable, I'm thinking specifically
> of the email address validation?
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
>
>
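The question above (why "^(\d+)+$" should cost any more than a single-quantifier pattern, given that the engine is greedy) is answered by the backtracking behaviour on a *failed* match, not on a successful one. The following is an added Python example, not code from the thread, Struts, or the MSDN article; the thread talks about Java's regex library, but Python's `re` module is a backtracking engine of the same kind and behaves the same way here. The greedy first attempt indeed grabs all the digits, but when `$` then fails (a constructed input of n digits followed by "!"), the nested quantifier lets the engine retry every way of splitting the digit run into one or more `(\d+)` groups, which is 2^(n-1) arrangements, before it can report "no match". The simple pattern has only n ways to back off. `MAX_INPUT_LEN`, `nested_partitions`, `time_match`, `is_all_digits` and `demo` are names I chose for this example, and the 64-character cap is an assumed defensive value the thread does not give.

```python
import re
import time

# Added example: the nested-quantifier pattern from the thread versus the
# single-quantifier pattern that accepts exactly the same strings.
NESTED = re.compile(r"^(\d+)+$")   # nested quantifier: (\d+) repeated
SIMPLE = re.compile(r"^\d+$")      # same language, one quantifier

MAX_INPUT_LEN = 64  # assumed cap for the hardened check; not from the thread


def nested_partitions(n: int) -> int:
    """Number of ways a backtracking engine can split n digits into one or
    more non-empty (\\d+) groups. Each of the n-1 gaps between adjacent
    digits is either a group boundary or not, so there are 2**(n-1) ways.
    On a failing input, (\\d+)+$ may try every one of them."""
    return 2 ** (n - 1) if n > 0 else 0


def time_match(pattern: re.Pattern, text: str) -> tuple:
    """Return (matched, seconds) for a single match attempt."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def is_all_digits(text: str) -> bool:
    """Hardened check: bound the input length first, then use the
    single-quantifier pattern, so the worst case is linear in the cap."""
    if len(text) > MAX_INPUT_LEN:
        return False
    return SIMPLE.fullmatch(text) is not None


def demo(n: int) -> dict:
    """Match a valid n-digit string and a constructed n-digit-plus-'!' string
    against both patterns; report correctness and wall-clock cost."""
    good = "1" * n            # constructed: should match both patterns
    bad = "1" * n + "!"       # constructed: trailing '!' makes $ fail
    nested_good, _ = time_match(NESTED, good)
    nested_bad, nested_sec = time_match(NESTED, bad)
    simple_good, _ = time_match(SIMPLE, good)
    simple_bad, simple_sec = time_match(SIMPLE, bad)
    return {
        "n": n,
        "nested_accepts_good": nested_good,
        "nested_rejects_bad": not nested_bad,
        "simple_accepts_good": simple_good,
        "simple_rejects_bad": not simple_bad,
        "nested_seconds": nested_sec,
        "simple_seconds": simple_sec,
        "partitions_tried": nested_partitions(n),
    }


if __name__ == "__main__":
    # Each extra digit roughly doubles the nested pattern's rejection time;
    # the simple pattern stays flat. Keep n small: n=30 is the thread's
    # two-minute case.
    for n in (10, 14, 18, 22):
        r = demo(n)
        print(f"n={n:2d} splits={r['partitions_tried']:>8d} "
              f"nested={r['nested_seconds']:.4f}s "
              f"simple={r['simple_seconds']:.6f}s")
```

Both patterns give the same answer on every input; only the cost of saying "no" differs, which is exactly what a validator sees when an attacker-controlled field is malformed. For frameworks that validate user input with regular expressions, the two cheap defences shown are to avoid nested quantifiers (`^\d+$` here) and to cap the length of the string before the engine ever sees it.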