Lucas_Werkmeister_WMDE added a comment.
Because checking arbitrary regexes on arbitrary input opens us up to DoS attacks via malicious regexes (e. g. catastrophic backtracking – runtime of checking (x+x+)+y on xxx..xxx is quadratic in input length). This came up during the security review of the extension (T101467: Ex: WikibaseQualityConstraints - remove or sanitize regex for FormatChecker), and we eventually decided to check regexes on an external service instead, where queries are subject to a timeout (T102752: [RFC] Workaround for checking the format constraint).
To: Lucas_Werkmeister_WMDE
Cc: Krinkle, aaron, gerritbot, Ladsgroup, daniel, Aklapper, Jonas, Lucas_Werkmeister_WMDE, Lordiis, GoranSMilovanovic, Adik2382, Th3d3v1ls, Ramalepe, Liugev6, QZanden, Lewizho99, Maathavan, Agabi10, Izno, Wikidata-bugs, aude, Mbch331
_______________________________________________ Wikidata-bugs mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs
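The comment above describes the mitigation that was chosen: evaluate untrusted regexes somewhere the evaluation is subject to a timeout, so a pattern with catastrophic backtracking cannot stall the request. The following is an added example, not code from the extension, the linked tasks, or the comment's author, showing that idea in Python: the regex is run in a child process whose lifetime is capped, and the caller gets a third outcome, `timeout`, alongside match/no-match. The function and helper names are assumptions; the pattern `(x+x+)+y` and the `xxx...xxx` input are the ones quoted in the comment, and the other inputs are constructed.

```python
import multiprocessing
import re

# Pattern quoted in the comment above: on a long run of "x" with no "y",
# a backtracking engine explores a huge number of ways to split the run.
PATHOLOGICAL = r"(x+x+)+y"

# Prefer fork so the worker is found without re-importing this module;
# fall back to the platform default where fork is unavailable.
try:
    _CTX = multiprocessing.get_context("fork")
except ValueError:
    _CTX = multiprocessing.get_context()


def _match_worker(pattern, text, conn):
    # Runs in a child process so that the parent can terminate it
    # instead of waiting for the backtracking to finish.
    conn.send(re.fullmatch(pattern, text) is not None)
    conn.close()


def check_format_with_budget(pattern, text, timeout_s=1.0):
    """Evaluate an untrusted regex against text under a time budget.

    Returns one of 'match', 'nomatch', 'timeout' or 'invalid'. The regex is
    compiled first so syntax errors are reported immediately rather than
    being indistinguishable from a timeout. (Hypothetical helper.)
    """
    try:
        re.compile(pattern)
    except re.error:
        return "invalid"

    parent_conn, child_conn = _CTX.Pipe(duplex=False)
    proc = _CTX.Process(target=_match_worker, args=(pattern, text, child_conn))
    proc.start()
    child_conn.close()  # the child holds its own handle

    if parent_conn.poll(timeout_s):
        matched = parent_conn.recv()
        proc.join()
        return "match" if matched else "nomatch"

    # Budget exhausted: kill the worker so it cannot keep burning CPU.
    proc.terminate()
    proc.join()
    return "timeout"


def check_many(cases, timeout_s=1.0):
    """Apply the budgeted check to (pattern, text) pairs; returns a list
    of outcomes in the same order (constructed convenience wrapper)."""
    return [check_format_with_budget(p, t, timeout_s) for p, t in cases]


if __name__ == "__main__":
    # Constructed sample inputs: a benign check, a mismatch, and the
    # pathological case from the comment.
    for pattern, text in [
        (r"[a-z]+", "hello"),
        (r"\d+", "abc"),
        (PATHOLOGICAL, "x" * 30),
    ]:
        print(pattern, "->", check_format_with_budget(pattern, text, timeout_s=1.0))
```

The budget is enforced by process termination rather than by a flag the regex engine checks, because a backtracking engine has no safe cancellation point in the middle of a match. A service-side query timeout, as the comment describes, gives the same guarantee without putting the process management in the web request path.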
