使用用户的RegEx安全吗？ [英] Is it safe to use user's RegEx?

问题描述

我想在我的网站上添加一个功能，以允许用户使用 RegEx 搜索文本。但是，让用户这样做是安全的吗？

I want to add a feature to my website to let users search the texts with RegEx. But, is it safe to let the users do something like that ?

preg_match('/' . $user_input_regex . '/', $subject);

推荐答案

此代码可能受到攻击，称为< a href = https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS rel = noreferrer> ReDoS攻击（正则表达式拒绝服务）。

There is a possible attack on this code called a ReDoS attack (Regular expression Denial of Service).

正则表达式拒绝服务（ReDoS）是一种拒绝服务攻击，它利用了一个事实，即大多数正则表达式实现可能会达到极端情况，从而导致它们运行非常缓慢（与输入大小成指数关系）。然后，攻击者可以使使用正则表达式的程序进入这些极端情况，然后挂起很长时间。

The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.

preg_match 是已知问题，可能导致PHP分段错误。

Specifically with preg_match there is a known issue that can cause a PHP Segmentation Fault.

所以答案是否定的，由于诸如此类的问题，这是不安全的。

So the answer is no, it is not safe because of issues such as these.

这篇关于使用用户的RegEx安全吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！