[ih] SIP and ENUM

Steffen Nurpmeso steffen at sdaoden.eu
Wed Jul 8 14:29:54 PDT 2020

John Levine via Internet-history wrote in
<20200708211442.CC5EE1C6DB84 at ary.qy>:
 |In article <7498b3fd-cc55-2de3-3c56-2c89e430289e at cavebear.com> you write:
 |>As for Enum - that has always scared me.  I am made nervous by the 
 |>notion that DNS clients would evaluate j-random regular expressions 
 |>found in NAPTR records.   That strikes me not much different than the 
 |>security problems we have had with web browsers evaluating random 
 |>Javascript fed to them by websites.
 |I don't understand this concern. Even the most complicated regex is
 |only a pattern that either matches or doesn't, with well understood
 |mathematical properties. It doesn't have loops or subroutines, and
 |since we have fifty years of experience with regex matching, we know
 |how to handle them efficiently.
 |It's certainly easy enough to write a regex that is wrong, but not one
 |that is dangerous.

We have had a lot of quality of service regex security
adversories.  The last i remember affected some FTP servers, at
least.  As a workaround they now count occurrences of * and limit
that (to 3 the most).

 |PS: If you haven't kept up with the literature, current regex matchers
 |generally don't complle them into 7094 machine code any more.

|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

More information about the Internet-history mailing list