public inbox for glibc-bugs@sourceware.org
* [Bug manual/25974] New: Document regex security posture in manual
@ 2020-05-11 16:06 dpmendenhall at gmail dot com
From: dpmendenhall at gmail dot com @ 2020-05-11 16:06 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=25974

            Bug ID: 25974
           Summary: Document regex security posture in manual
           Product: glibc
           Version: 2.27
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: manual
          Assignee: unassigned at sourceware dot org
          Reporter: dpmendenhall at gmail dot com
                CC: mtk.manpages at gmail dot com
  Target Milestone: ---

https://sourceware.org/glibc/wiki/Security%20Exceptions states:

"Implementing regular expressions efficiently, in a standard-conforming way,
and without denial-of-service vulnerabilities is very difficult and impossible
for Basic Regular Expressions. Most implementation strategies have issues
dealing with certain classes of patterns.

Consequently, resource exhaustion issues which can be triggered only with
crafted patterns (either during compilation or execution) are not treated as
security bugs."

Fair enough, but it would be helpful for this to be explained and documented in
the manual somewhere. Users may not be aware of the security implications of
regular expressions (like ReDoS attacks).

-- 
You are receiving this mail because:
You are on the CC list for the bug.
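The practical consequence of the policy quoted above is that a program which compiles or matches patterns it did not write itself has to contain the damage on its own: glibc will not treat a crafted pattern that burns CPU or memory in regcomp()/regexec() as a bug. The example below is added here and is neither glibc code nor part of the bug report; it shows one way to do that in C by running regcomp()/regexec() in a forked child under RLIMIT_CPU and RLIMIT_AS with a wall-clock deadline enforced by the parent (the deadline is needed because RLIMIT_CPU counts CPU time only). The function and result names (guarded_regex_match, GR_*) are this example's own assumptions, and the patterns and subjects in main() are constructed sample input.

```c
/* Added example (not glibc code, not from the bug report): isolate glibc's
 * regcomp()/regexec() from an untrusted pattern by running them in a forked
 * child under CPU and address-space limits plus a wall-clock deadline.  The
 * helper and result names (guarded_regex_match, GR_*) are assumptions of
 * this example. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <regex.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Result codes; the child's exit status carries the same values. */
enum {
    GR_NOMATCH    = 0,   /* compiled and ran, no match */
    GR_MATCH      = 1,   /* compiled and ran, matched */
    GR_BADPATTERN = 2,   /* regcomp() rejected the pattern */
    GR_LIMIT      = 3,   /* CPU, memory or wall-clock cap was hit */
    GR_ERROR      = 4    /* fork/wait failure or unexpected child status */
};

/* Runs in the child: apply the limits, then compile and match.  Never returns. */
static void guarded_child(const char *pattern, const char *subject,
                          unsigned cpu_seconds, size_t mem_bytes)
{
    struct rlimit rl;
    if (cpu_seconds > 0) {
        /* The kernel kills the child (SIGXCPU/SIGKILL) once the cap is exceeded. */
        rl.rlim_cur = rl.rlim_max = cpu_seconds;
        setrlimit(RLIMIT_CPU, &rl);
    }
    if (mem_bytes > 0) {
        /* A pattern that makes regcomp() allocate without bound now gets
         * ENOMEM -> REG_ESPACE instead of exhausting the host. */
        rl.rlim_cur = rl.rlim_max = mem_bytes;
        setrlimit(RLIMIT_AS, &rl);
    }

    regex_t re;
    int rc = regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB);
    if (rc == REG_ESPACE)
        _exit(GR_LIMIT);
    if (rc != 0)
        _exit(GR_BADPATTERN);
    rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    if (rc == 0)
        _exit(GR_MATCH);
    if (rc == REG_NOMATCH)
        _exit(GR_NOMATCH);
    _exit(rc == REG_ESPACE ? GR_LIMIT : GR_ERROR);
}

/* Compile `pattern` and match it against `subject` in a limited child.
 * wall_ms: wall-clock deadline; cpu_seconds/mem_bytes: rlimits (0 = none). */
int guarded_regex_match(const char *pattern, const char *subject,
                        unsigned wall_ms, unsigned cpu_seconds, size_t mem_bytes)
{
    pid_t pid = fork();
    if (pid < 0)
        return GR_ERROR;
    if (pid == 0)
        guarded_child(pattern, subject, cpu_seconds, mem_bytes);

    /* Parent: poll for exit and kill the child at the wall-clock deadline. */
    const struct timespec step = { 0, 5L * 1000 * 1000 };   /* 5 ms */
    unsigned waited_ms = 0;
    int status = 0;
    for (;;) {
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid)
            break;
        if (r < 0 && errno != EINTR)
            return GR_ERROR;
        if (waited_ms >= wall_ms) {
            kill(pid, SIGKILL);
            waitpid(pid, &status, 0);
            return GR_LIMIT;
        }
        nanosleep(&step, NULL);
        waited_ms += 5;
    }
    if (WIFEXITED(status)) {
        int code = WEXITSTATUS(status);
        return code <= GR_ERROR ? code : GR_ERROR;
    }
    if (WIFSIGNALED(status) &&
        (WTERMSIG(status) == SIGXCPU || WTERMSIG(status) == SIGKILL))
        return GR_LIMIT;    /* RLIMIT_CPU fired */
    return GR_ERROR;
}

int main(void)
{
    /* Constructed sample input for the demo. */
    static const char *const cases[][2] = {
        { "^[a-z]+@[a-z]+\\.[a-z]{2,}$", "user@example.com" },  /* -> GR_MATCH */
        { "^[0-9]+$",                    "12a" },               /* -> GR_NOMATCH */
        { "(unclosed",                   "x" },                 /* -> GR_BADPATTERN */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-32s vs %-20s -> %d\n", cases[i][0], cases[i][1],
               guarded_regex_match(cases[i][0], cases[i][1],
                                   2000, 1, (size_t)1 << 30));
    /* Same pattern under a deliberately tiny address-space cap: the child
     * reports GR_LIMIT rather than taking the caller down with it. */
    printf("memory cap demo -> %d\n",
           guarded_regex_match("^a+$", "aaa", 2000, 1, 1));
    return 0;
}
```

The split into exit codes matters for callers: GR_BADPATTERN is a user error worth reporting, while GR_LIMIT is the case the wiki text describes and should be logged as a possible attack, not retried with a larger budget. The cost of a fork per match is the trade-off; a long-running service would instead keep a pool of limited worker processes and hand patterns to them.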
