Subject: Re: [Boost-users] [regex] Mitigating mischief and malice
From: Jim Bell (Jim_at_[hidden])
Date: 2011-02-28 12:25:02


On 1:59 PM, John Maddock wrote:
>> Say you wanted to give web users a boost::regex interface to a set of
>> data, knowing that some will try to use it for mischief and malice. I'm
>> vaguely aware that one can write a regex to consume lots of CPU
>> (denial-of-service attack), but also lots of stack and/or memory.
>
> Boost.Regex has two protections against that:
>
> * When BOOST_REGEX_NON_RECURSIVE is defined (the default for all
> current compilers) then memory usage is strictly limited. This can be
> configured in boost/regex/user.hpp since the maximum amount of memory
> used is BOOST_REGEX_MAX_BLOCKS*BOOST_REGEX_BLOCKSIZE, which defaults
> to 4Mb in total.
> * The total number of machine states visited (and hence CPU time
> consumed) is controlled by perl_matcher::estimate_max_state_count; the
> macro BOOST_REGEX_MAX_STATE_COUNT sets an upper limit on the number of
> states visited.

Thanks, John and Eric.

So if one deliberately sets the values BOOST_REGEX_MAX_BLOCKS,
BOOST_REGEX_BLOCKSIZE, and BOOST_REGEX_MAX_STATE_COUNT, and catches the
exceptions thrown, it ought to be ok?

And, by the way, the exceptions thrown would be std::bad_alloc,
std::runtime_error, or boost::regex_error (from the regex FAQ). Does
that cover them? (I know a catch (...) wouldn't hurt...)

I don't want to be the guy who brings CERT around.

