Autor: Zoltán Herczeg Data: Dla: pcre-dev Temat: [pcre-dev] Security risk or not? Changing PCRE options from
patterns.
Hi,
Pcre has a nice feature, that you can change options by passing special control strings. E.g: /(*UTF8)a/ makes the pattern an UTF8 pattern. I am sure most people are not aware of this feature. Its side effect can be used for denial service attacks, since the valid UTF checks are not affected by recursion limit checks. So the pattern above can slow down a web service, which runs patterns on an ascii input where the input buffer is huge. My problem is, that these flag changes cannot be prevented by software, and I think most developers are unaware of it (since this is just an extension). I know it is useful in certain cases, but I feel it may be exploited by harmful software.
I have not any solution for this issue at the moment, I am just curious what do you think? Is this a real risk or not?