
Boost Users :

Subject: [Boost-users] [regex] Mitigating mischief and malice
From: Jim Bell (Jim_at_[hidden])
Date: 2011-02-27 18:28:31


Say you wanted to give web users a boost::regex interface to a set of
data, knowing that some will try to use it for mischief and malice. I'm
vaguely aware that one can write a regex to consume lots of CPU
(denial-of-service attack), but also lots of stack and/or memory.

What are the risks and how would you address them?

Would you filter out certain classes of regular expressions?

Tune it via BOOST_REGEX_NON_RECURSIVE and/or other parameters?

Would you forbid it altogether?

Thanks in Advance,
-Jim
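One form the "filter out certain classes of regular expressions" option could take, as an added example that is not part of the original post and not Boost code: a pre-screen run on the user's pattern before it is compiled. The names `screen_pattern` and `Verdict`, the 128-character cap and the Perl-style syntax are assumptions. The check is a heuristic for one class only (a repeated group whose body already repeats) and does not call Boost.Regex.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

enum class Verdict { Ok, TooLong, Backreference, NestedRepeat, Unbalanced };

// Heuristic screen for a user-supplied pattern (hypothetical helper).
// Rejects over-long patterns, numeric backreferences, and a repeated group
// whose body already contains a repeat, such as (a+)+.
Verdict screen_pattern(const std::string& p, std::size_t max_len = 128) {
    if (p.size() > max_len) return Verdict::TooLong;
    std::vector<char> groups;        // per open group: 1 if its body has a repeat
    bool prev_group_repeats = false; // previous token was ')' closing such a body
    for (std::size_t i = 0; i < p.size(); ++i) {
        const char c = p[i];
        const bool after_repeating_group = prev_group_repeats;
        prev_group_repeats = false;
        if (c == '\\') {
            if (i + 1 >= p.size()) return Verdict::Unbalanced;  // trailing backslash
            if (p[i + 1] >= '1' && p[i + 1] <= '9') return Verdict::Backreference;
            ++i;                                  // skip the escaped character
        } else if (c == '[') {                    // skip a character class whole
            ++i;
            if (i < p.size() && p[i] == '^') ++i;
            if (i < p.size() && p[i] == ']') ++i; // leading ']' is a literal
            while (i < p.size() && p[i] != ']') { if (p[i] == '\\') ++i; ++i; }
            if (i >= p.size()) return Verdict::Unbalanced;
        } else if (c == '(') {
            groups.push_back(0);
        } else if (c == ')') {
            if (groups.empty()) return Verdict::Unbalanced;
            prev_group_repeats = groups.back() != 0;
            groups.pop_back();
            if (prev_group_repeats && !groups.empty()) groups.back() = 1;
        } else if (c == '*' || c == '+' || c == '{') {  // '{' treated as a repeat
            if (after_repeating_group) return Verdict::NestedRepeat;
            if (!groups.empty()) groups.back() = 1;
        }
    }
    return groups.empty() ? Verdict::Ok : Verdict::Unbalanced;
}

int main() {
    // Constructed sample patterns.
    for (const char* s : {"(ab)+c*", "(a+)+$", "(a|b)\\1"})
        std::cout << s << " -> " << static_cast<int>(screen_pattern(s)) << "\n";
}
```

Patterns that pass this screen can still be expensive to match (overlapping alternatives such as `(a|a)*` are not detected), so it complements limits on input size and matching time and does not replace them.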


Boost-users list run by williamkempf at hotmail.com, kalb at libertysoft.com, bjorn.karlsson at readsoft.com, gregod at cs.rpi.edu, wekempf at cox.net