[Python-ideas] Updated PEP 428 (pathlib)

MRAB python at mrabarnett.plus.com
Thu Mar 7 12:50:31 CET 2013


On 07/03/2013 03:23, Devin Jeanpierre wrote:
> On Wed, Mar 6, 2013 at 6:25 PM, MRAB <python at mrabarnett.plus.com> wrote:
>> You _can_ have catastrophic backtracking without capture groups. You've
>> already seen an example in ".*a.*".
>>
>> It gets worse when you can have repeated repeats, for example "(?:.*)*".
>>
>> The difference with fnmatch is that you don't care _where_ various
>> parts match (there are no capture groups), only _whether_ it matches,
>> and then only whether or not _all_ of it matches.
>
> We seem to be talking past each other. I already know all this. I am
> asking you to justify your claim that if glob was based on regex,
> instead of re, it would be free of DOS attacks.
>
> Because of your confusion, I expect you didn't really mean to claim
> that. I inferred it because when you were asked for an approach that
> would solve DOS attacks against glob, you replied by saying that you
> wrote a regex module that is more resistant to such things. I
> apologize if I misunderstood.
>
I didn't say that it should be based on regex. What I meant was that it
didn't seem that difficult compared to the regex module.

That module is more resistant to catastrophic backtracking and some of
its tricks could be used for the much simpler fnmatch to make a new
implementation of _that_ more resistant to the problem. I'm currently
thinking about the details.
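
An added illustration, not part of MRAB's message and not code from the regex module or from fnmatch: because a glob match only asks whether the whole name matches, a matcher needs to remember just the most recent `*`, which bounds the work at roughly len(pattern) * len(text). The name `glob_match` and the step counter are assumptions made for this sketch, which handles only `*`, `?` and literal characters (no `[seq]` classes).

```python
def glob_match(pattern, text):
    """Whole-string wildcard match; returns (matched, steps).

    Hypothetical helper for illustration. 'steps' counts loop
    iterations so the cost of a hostile pattern can be inspected.
    """
    p = t = 0
    star_p = -1   # pattern index just after the most recent '*', -1 if none
    star_t = 0    # text index where that '*' is currently assumed to stop
    steps = 0
    while t < len(text):
        steps += 1
        if p < len(pattern) and pattern[p] == '*':
            # Record the star and first try letting it match nothing.
            star_p = p + 1
            star_t = t
            p += 1
        elif p < len(pattern) and pattern[p] in ('?', text[t]):
            p += 1
            t += 1
        elif star_p != -1:
            # Mismatch: let the latest star absorb one more character.
            # Earlier stars are never revisited, because any split that
            # works for them also works with the later star stretched.
            star_t += 1
            p = star_p
            t = star_t
        else:
            return False, steps
    # Text is exhausted; only trailing stars may remain in the pattern.
    while p < len(pattern) and pattern[p] == '*':
        p += 1
    return p == len(pattern), steps


if __name__ == "__main__":
    # Constructed input: many stars against a long run that cannot match,
    # the shape that makes a naive backtracking matcher explode.
    hostile = "*a*a*a*a*b"
    name = "a" * 5000
    print(glob_match(hostile, name))
    print(glob_match("*.txt", "notes.txt"))
```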



