[ih] SIP and ENUM
Steffen Nurpmeso
steffen at sdaoden.eu
Wed Jul 8 14:29:54 PDT 2020
John Levine via Internet-history wrote in
<20200708211442.CC5EE1C6DB84 at ary.qy>:
|In article <7498b3fd-cc55-2de3-3c56-2c89e430289e at cavebear.com> you write:
|>As for Enum - that has always scared me. I am made nervous by the
|>notion that DNS clients would evaluate j-random regular expressions
|>found in NAPTR records. That strikes me not much different than the
|>security problems we have had with web browsers evaluating random
|>Javascript fed to them by websites.
|
|I don't understand this concern. Even the most complicated regex is
|only a pattern that either matches or doesn't, with well understood
|mathematical properties. It doesn't have loops or subroutines, and
|since we have fifty years of experience with regex matching, we know
|how to handle them efficiently.
|
|It's certainly easy enough to write a regex that is wrong, but not one
|that is dangerous.
We have had a lot of quality of service regex security
advisories. The last I remember affected some FTP servers, at
least. As a workaround they now count occurrences of * and limit
that (to 3 at most).
|R's,
|John
|
|PS: If you haven't kept up with the literature, current regex matchers
|generally don't compile them into 7094 machine code any more.
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
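
Added example (not part of the original message or of any project mentioned in the thread): a conservative pre-check a resolver could run on the regexp field of a NAPTR record before handing it to a backtracking regex engine, combining the quantifier-count limit described above with a nested-quantifier check. The function names and budgets are assumptions, the sample records in the usage note are constructed, and the field layout (delimiter, ERE, replacement, optional `i` flag) follows RFC 3402 in simplified form.

```python
import re

MAX_LEN = 128          # assumed size budget for the ERE part
MAX_QUANTIFIERS = 3    # same idea as the "count * and limit to 3" workaround

def split_naptr_regexp(field):
    """Split delim ERE delim repl delim flags; a backslash escapes the next octet."""
    delim = field[:1]
    # Digits 1-9 and the flag 'i' cannot be delimiters; backslash is also
    # refused here (assumption) because it would be ambiguous with escapes.
    if not delim or delim in "123456789i\\":
        raise ValueError("bad delimiter")
    parts = [""]
    for tok in re.findall(r"\\.|.", field[1:], re.S):
        if tok == delim:
            parts.append("")
        else:
            parts[-1] += tok
    if len(parts) != 3 or parts[2] not in ("", "i"):
        raise ValueError("not a delim-ERE-delim-repl-delim-flags expression")
    return tuple(parts)

def ere_risk(ere):
    """Return a reason string if the ERE exceeds the budget, else None."""
    if len(ere) > MAX_LEN:
        return "too long"
    # Collapse escapes and bracket expressions to a literal so that
    # metacharacters inside them are not counted as operators.
    s = re.sub(r"\\.|\[\^?\]?[^\]]*\]", "L", ere, flags=re.S)
    count, stack, after_group, inner = 0, [False], False, False
    for tok in re.findall(r"\{\d+(?:,\d*)?\}|.", s, re.S):
        if tok in ("*", "+", "?") or len(tok) > 1:   # quantifier or {m,n}
            count += 1
            if after_group and inner:     # (x+)* style repetition of repetition
                return "nested quantifier"
            if count > MAX_QUANTIFIERS:
                return "too many quantifiers"
            stack[-1] = True
        elif tok == "(":
            stack.append(False)
        elif tok == ")" and len(stack) > 1:
            inner = stack.pop()           # did the closed group repeat anything?
            stack[-1] = stack[-1] or inner
        after_group = tok == ")"
    return None

def vet_naptr_regexp(field):
    """Parse the field and return None if acceptable, else the rejection reason."""
    ere, _repl, _flags = split_naptr_regexp(field)
    return ere_risk(ere)
```

A typical ENUM-style rule such as `!^\+4420(.*)$!sip:\1@example.com!i` passes, while `!^(([0-9]+)*)+$!sip:x@example.com!` is rejected as a nested quantifier. The check is deliberately stricter than necessary and will refuse some harmless patterns.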