views:

108

answers:

2

I'm working on an app that needs to accept a RegEx from the user, to do so I'm using the following code:

Regex user_searchPattern = new Regex(this.userInput_regEx.Text);

Is doing this safe?
Is there a need to sanitize the user input, and if so how?

+7  A: 

You might get an error if the regular expression has an invalid syntax, or it might consume an exponential amount of time and space when processed if a so-called pathological regular expression is tested on some particular string.

Gumbo
Yep, agree with the pathological issue - I would consider this wide open to a denial of service attack for this reason.
Steve Haigh
I'd run the regexp in a thread with a specific timeout to avoid DoS (if relevant, because if the user DoSs his own computer, I don't much care)
Vinko Vrsalovic
This is a client side Forms app so if they want to DoS themselves more power to them...
Unkwntech
OK, so I'd mistakenly assumed it was some sort of public facing API, but even so it's not helpful to your users to let them run a regex that kills their machine, I think you still need to consider how to handle this case for a good user experience.
Steve Haigh
Agreed, I'll find a good way to work around that, but I just wanted to make sure there was nothing major that I was aware of.
Unkwntech
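The two failure modes discussed in this answer (a syntactically invalid pattern, and a pathological pattern that backtracks exponentially) can both be caught in code. The following is an added example, not code from the original question or answers, and it assumes .NET 4.5 or later, where the Regex constructor accepts a match timeout and aborts a runaway match with RegexMatchTimeoutException. The helper names TryCompile and GuardedIsMatch, the 200 ms timeout, and the test patterns are all constructed for illustration.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example (not from the original post). Assumes .NET 4.5 or later,
// where Regex(pattern, options, matchTimeout) is available.
static class UserRegexDemo
{
    // Compile a user-supplied pattern. A syntax error surfaces as
    // ArgumentException (RegexParseException on .NET 5+, which derives from
    // ArgumentException), so the caller gets a message instead of a crash.
    static Regex TryCompile(string userPattern, TimeSpan matchTimeout, out string error)
    {
        try
        {
            error = null;
            return new Regex(userPattern, RegexOptions.None, matchTimeout);
        }
        catch (ArgumentException ex)
        {
            error = ex.Message;
            return null;
        }
    }

    // Run the match under the timeout guard. Returns true/false for a
    // completed match, or null if the engine gave up because the pattern
    // backtracked for longer than the configured timeout.
    static bool? GuardedIsMatch(Regex regex, string input)
    {
        try
        {
            return regex.IsMatch(input);
        }
        catch (RegexMatchTimeoutException)
        {
            return null; // caller decides how to report "took too long"
        }
    }

    static void Main()
    {
        var timeout = TimeSpan.FromMilliseconds(200);
        string err;

        // 1. Syntactically invalid input: unbalanced parenthesis.
        var bad = TryCompile("(unclosed", timeout, out err);
        Console.WriteLine(bad == null ? "Invalid pattern: " + err : "unexpected");

        // 2. Pathological pattern (constructed example): a nested quantifier
        //    against a subject that almost matches forces exponential
        //    backtracking on the classic backtracking engine. With the
        //    timeout set, the match aborts instead of hanging the UI thread.
        //    (Newer runtimes optimise some such patterns away; the guard
        //    still applies to the ones they do not.)
        var evil = TryCompile("^(a+)+$", timeout, out err);
        string subject = new string('a', 40) + "!";
        var result = GuardedIsMatch(evil, subject);
        Console.WriteLine(result == null ? "Match timed out" : "Match result: " + result);

        // 3. An ordinary pattern behaves normally under the same guard.
        var ok = TryCompile(@"\d{3}-\d{4}", timeout, out err);
        Console.WriteLine("Phone match: " + GuardedIsMatch(ok, "call 555-1234"));
    }
}
```

Two practical notes. The timeout is per match operation, so it should be applied to every call that uses the user's pattern (IsMatch, Match, Replace, Split), which the constructor-level timeout does for you; Regex.MatchTimeout can be checked to confirm it is set. On .NET 7 and later, RegexOptions.NonBacktracking is an alternative that gives linear-time matching without a timeout, at the cost of rejecting constructs such as backreferences and lookarounds with NotSupportedException, so it needs the same try/catch around construction as the syntax-error case above.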
A: 

User input is always evil. What do you mean by "safe"? Can it contain errors that will make your code throw an exception or fail in some other way? Yes, it certainly can, so you should be prepared for that of course.

Fredrik Mörk