On 2/28/2011 6:28 AM, Jim Bell wrote:
Say you wanted to give web users a boost::regex interface to a set of data, knowing that some will try to use it for mischief and malice. I'm vaguely aware that one can write a regex to consume lots of CPU (denial-of-service attack), but also lots of stack and/or memory.
What are the risks and how would you address them?
Would you filter out certain classes of regular expressions?
Tune it via BOOST_REGEX_NON_RECURSIVE and/or other parameters?
Would you forbid it altogether?
John can correct me if I'm wrong, but I believe boost.regex throws an exception if too many states are visited during pattern matching. That keeps it from spinning off into infinity. I don't know if this is tunable. Xpressive has no such feature. It has a recursive implementation and -- on MSVC -- fixes up the stack on overflow and throws an exception. On other platform, yeah, DoS. :-( -- Eric Niebler BoostPro Computing http://www.boostpro.com