Hi abhishek, The meaning of the expression is explained in the article; the point is not the usefulness of the expression but that it is "badly formed" so that the regex engine can take an extremely long time to determine that the test string does not match the expression (also explained in the article). The upshot is that regex expressions that "fail slowly" can be used by the bad guys to mount a Denial of Service attack against your site.
The problem with the expression "^(\d+)+$" is that it is trying to match groups of digits and a string of digits can be grouped in many permutations. If you try to match it against a long sting of digits (say 30) followed by a non-digit the regex engine will attempt to match every possible permutation before it gives up and decides it doesn't match which can take a very long time. On Mon, May 31, 2010 at 7:43 AM, abhishek jain <abhishek.netj...@gmail.com> wrote: > Hi Greg, > just a doubt , on looking at first sight i dont understand what does the > regex "^(\d+)+$" do additionally. > As it should be equivalent to "^(\d+)$" > > I am more perlish (from perl) biased which says the regex is greedy and > hence it will anyway to the maximum match, > pl. clarify, > > thanks > abhishek > > On Fri, May 28, 2010 at 12:42 AM, Greg Lindholm > <greg.lindh...@gmail.com>wrote: > >> This link is to an article that talks of how Denial of Service attacks >> can target vulnerable Regular Expressions. >> >> Regular Expression Denial of Service Attacks and Defenses >> http://msdn.microsoft.com/en-us/magazine/ff646973.aspx >> (Not sure if you need to login to see this page, I hope not.) >> >> A friend tested the example expression "^(\d+)+$" using the Java Regex >> library and discovered it is vulnerable and a badly formed 30 >> character string was taking over 2 minutes to determine that it didn't >> match. >> >> Struts 2 (and many other frameworks) use regular expressions in >> validation. I'm wondering if anyone has checked to see if any of the >> built in regex expressions are vulnerable, I'm thinking specifically >> of the email address validation? >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org >> For additional commands, e-mail: user-h...@struts.apache.org >> >> > --------------------------------------------------------------------- To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
