Re: [pcre-dev] Security risk or not? Changing PCRE options f…

Author: Christian Persch
Date:  
To: pcre-dev
Subject: Re: [pcre-dev] Security risk or not? Changing PCRE options from patterns.
Hi;

On Mon, 1 Oct 2012 17:25:32 +0100 (BST),
Philip Hazel <ph10@???> wrote:
> The complete list of options that can be changed within a pattern is:
>
>   (?i)            caseless
>   (?J)            allow duplicate names
>   (?m)            multiline
>   (?s)            single line (dotall)
>   (?U)            default ungreedy (lazy)
>   (?x)            extended (ignore white space)
>
>   (*UTF)          PCRE_UTF8/16
>   (*UCP)          PCRE_UCP
>   (*NO_START_OPT) PCRE_NO_START_OPTIMIZE
>   (*CR)           )
>   (*LF)           )
>   (*CRLF)         ) select newline style
>   (*ANY)          )
>   (*ANYCRLF)      )
>   (*BSR_ANYCRLF)  \R matches any of CR, LF, CRLF
>   (*BSR_UNICODE)  \R matches any Unicode newline
>
> The (*...) ones were added because users who could not alter their
> application's code wanted access to the options.
>
> If people are worried about this, we could provide a facility to
> compile PCRE with the (*...) features disabled. Alternatively, we
> could provide pcre_compile() and/or pcre_exec() options to disable
> them.


Are any of the other ones dangerous? Afaict not. So limiting
this new compile or runtime option's effect to (*UTF8) would be enough.


Regards,
    Christian
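
An application that accepts patterns from untrusted input can apply the restriction discussed in this thread itself, by inspecting the run of (*...) items at the start of the pattern before calling pcre_compile(). The C code below is an added example, not part of the original message or of PCRE; `leading_option_items`, `pattern_allowed` and the `ITEM_*` flags are hypothetical names, and it assumes these items are only honoured at the very start of a pattern.

```c
#include <stddef.h>
#include <string.h>

/* Flags for the leading (*...) items in the list quoted above. */
enum {
    ITEM_UTF          = 1 << 0, /* (*UTF), (*UTF8) */
    ITEM_UCP          = 1 << 1, /* (*UCP) */
    ITEM_NO_START_OPT = 1 << 2, /* (*NO_START_OPT) */
    ITEM_NEWLINE      = 1 << 3, /* (*CR) (*LF) (*CRLF) (*ANY) (*ANYCRLF) */
    ITEM_BSR          = 1 << 4, /* (*BSR_ANYCRLF) (*BSR_UNICODE) */
    ITEM_OTHER        = 1 << 5  /* any other leading (*NAME) item */
};

static const struct { const char *name; unsigned flag; } known_items[] = {
    {"UTF", ITEM_UTF}, {"UTF8", ITEM_UTF}, {"UCP", ITEM_UCP},
    {"NO_START_OPT", ITEM_NO_START_OPT},
    {"CR", ITEM_NEWLINE}, {"LF", ITEM_NEWLINE}, {"CRLF", ITEM_NEWLINE},
    {"ANY", ITEM_NEWLINE}, {"ANYCRLF", ITEM_NEWLINE},
    {"BSR_ANYCRLF", ITEM_BSR}, {"BSR_UNICODE", ITEM_BSR},
};

/* Hypothetical helper (not a PCRE API): scan the consecutive (*NAME) items
 * at the start of an untrusted pattern and return the flags seen. It is
 * deliberately conservative and may flag more than PCRE would honour. */
unsigned leading_option_items(const char *pattern)
{
    unsigned found = 0;
    const char *p = pattern;

    while (p[0] == '(' && p[1] == '*') {
        const char *name = p + 2;
        const char *end = strchr(name, ')');
        if (end == NULL)
            break;              /* unterminated item: stop scanning */
        size_t len = (size_t)(end - name);
        unsigned flag = ITEM_OTHER;
        for (size_t i = 0; i < sizeof known_items / sizeof known_items[0]; i++)
            if (strlen(known_items[i].name) == len &&
                memcmp(known_items[i].name, name, len) == 0)
                flag = known_items[i].flag;
        found |= flag;
        p = end + 1;
    }
    return found;
}

/* Policy check: 1 if the pattern sets none of the forbidden items. */
int pattern_allowed(const char *pattern, unsigned forbidden)
{
    return (leading_option_items(pattern) & forbidden) == 0;
}
```

Passing `ITEM_UTF` as the forbidden mask corresponds to limiting the restriction to the UTF item only, as suggested in the reply above.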