Re: [pcre-dev] Security risk or not? Changing PCRE options f…

Página Principal
Apagar esta mensagem
Autor: Philip Hazel
Data:  
Para: Christian Persch
CC: pcre-dev
Assunto: Re: [pcre-dev] Security risk or not? Changing PCRE options from patterns.
On Mon, 1 Oct 2012, Christian Persch wrote:

> Are any of the other ones dangerous? Afaict not. So limiting
> this new compile or runtime option's effect to (*UTF8) would be enough.


Of course, any application that is worried about this can itself check
for the text (*UTF8) at the start of any user pattern that it passes on
to PCRE. It could even use PCRE to do the check! To do it properly,
quite a complicated pattern is needed because other settings such as
(*CR) can precede (*UTF8) at the start of a pattern. Something like this
should be quite efficient:

^(?:\(\*\w+\))*?\(\*UTF\d+\)

It only needs to be used if the pattern begins with '(*', so for many
patterns the extra check will be insignificant.

There are only two bits left in the PCRE options definitions (out of
32), and I am rather reluctant to use one of them just for this check.

Philip

--
Philip Hazel