使用用户的RegEx是否安全?
[英]Is it safe to use user's RegEx?
问题描述
I want to add a feature to my website to let users search the texts with RegEx . 
我想在我的网站上添加一项功能,让用户使用RegEx搜索文本。 But, is it safe to let the users do something like that ? 但是,让用户做这样的事情是否安全?
preg_match('/' . $user_input_regex . '/', $subject);
2 个解决方案
解决方案1
12 已采纳 2014-07-19 14:57:20
There is a possible attack on this code called a ReDoS attack (Regular expression Denial of Service). 此代码可能存在攻击,称为ReDoS攻击 (正则表达式拒绝服务)。
The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size).
Specifically with preg_match there is a known issue that can cause a PHP Segmentation Fault. 特别是使用preg_match存在一个已知的问题 ,可能导致PHP分段错误。
So the answer is no, it is not safe because of issues such as these. 所以答案是否定的,因为这些问题不安全。
解决方案2
4 2014-07-19 14:05:27
Security wise you should never trust user input, so it depends what you do with the input. 安全方面,您永远不应该信任用户输入,因此它取决于您对输入的处理方式。 In your given case you should at least escape the used delimiter (backslash) in the user input to ensure the regex works. 在您给定的情况下,您应该至少转义用户输入中使用的分隔符(反斜杠)以确保正则表达式正常工作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.