Boost logo

Boost Users :

Subject: Re: [Boost-users] [regex] Mitigating mischief and malice
From: Eric Niebler (eric_at_[hidden])
Date: 2011-02-27 23:33:08


On 2/28/2011 6:28 AM, Jim Bell wrote:
>
> Say you wanted to give web users a boost::regex interface to a set of
> data, knowing that some will try to use it for mischief and malice. I'm
> vaguely aware that one can write a regex to consume lots of CPU
> (denial-of-service attack), but also lots of stack and/or memory.
>
> What are the risks and how would you address them?
>
> Would you filter out certain classes of regular expressions?
>
> Tune it via BOOST_REGEX_NON_RECURSIVE and/or other parameters?
>
> Would you forbid it altogether?

John can correct me if I'm wrong, but I believe boost.regex throws an
exception if too many states are visited during pattern matching. That
keeps it from spinning off into infinity. I don't know if this is tunable.

Xpressive has no such feature. It has a recursive implementation and --
on MSVC -- fixes up the stack on overflow and throws an exception. On
other platform, yeah, DoS. :-(

-- 
Eric Niebler
BoostPro Computing
http://www.boostpro.com

Boost-users list run by williamkempf at hotmail.com, kalb at libertysoft.com, bjorn.karlsson at readsoft.com, gregod at cs.rpi.edu, wekempf at cox.net