Re: Need an XPath expression which returns all xs:patt
> But like others I also wonder whether correctly recognizing such regexes actually achieves the underlying intended (but unstated) purpose.

If the goal is to prevent an accidental or intentional DOS (Denial of Service) attack, we do have examples how this is successfully achieved in other cases/platforms.

For example, in .NET, a Regex object has a MatchTimeout property, which, when set, causes an exception to be raised if the processing of the Regex.Match operation exceeds the value of this property:

https://learn.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.matchtimeout?view=net-8.0

And there are examples of documented Regex timeout values specified into the standard .NET classes and methods - for example, Regex processing of URL arguments is limited by 100ms timeouts.

In ver. 4 of XPath and beyond, we could also introduce a timeout parameter, serving the same purpose.

Yes, I know that our current processing models don't handle the progress of time during expression-evaluation, but it would be worth considering such a change.

As one small first step, we could add such a timeout to the myriads of options that are possible to provide to fn:transform.

And in addition to this, if we introduce concurrency, then it would be useful to be able to cancel a currently on-going evaluation.

Just thinking loud.

Thanks,
Dimitre

On Thu, Apr 4, 2024 at 8:40 AM Michael Kay michaelkay90@xxxxxxxxx <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx> wrote:

> >Is this even possible, theoretically speaking?
>
> I wondered that myself.
>
> I think it's correct to say that a regex can't match an unbounded number
> of characters unless it contains one of the quantifiers indicated. So the
> question is whether these quantifiers can be detected reliably using a
> regular expression applied to the regular expression. It's certainly tricky
> to distinguish true quantifiers from strings that look like quantifiers but
> are escaped with backslashes or square brackets, but I suspect it is
> possible.
>
> But like others I also wonder whether correctly recognizing such regexes
> actually achieves the underlying intended (but unstated) purpose.
>
> Michael Kay
> Saxonica
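The detection problem raised in the quoted message, sketched as an added example (not code from this thread or from any XSLT processor): a small Python scanner that reports unbounded quantifiers in an XSD-style pattern while skipping backslash escapes and anything inside square brackets. It assumes "unbounded" means `*`, `+` or `{n,}`, which the thread does not spell out; the function name and the sample patterns are constructed for illustration.

```python
import re

# Assumption: the unbounded quantifiers are *, + and {n,}; the thread does not list them.
_OPEN_ENDED = re.compile(r"\{\d+,\}")


def unbounded_quantifiers(pattern):
    """Return [(offset, text)] for each unbounded quantifier in an XSD-style regex."""
    found = []
    depth = 0  # nesting depth of [...]; XSD allows subtraction such as [a-z-[aeiou]]
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            # Escaped character: never a quantifier. \p{..} and \P{..} also
            # carry a brace block that must not be read as {n,}.
            nxt = pattern[i + 1:i + 2]
            i += 2
            if nxt in ("p", "P") and pattern[i:i + 1] == "{":
                end = pattern.find("}", i)
                i = len(pattern) if end == -1 else end + 1
            continue
        if ch == "[":
            depth += 1
        elif ch == "]" and depth:
            depth -= 1
        elif depth == 0:
            if ch in "*+":
                found.append((i, ch))
            elif ch == "{":
                m = _OPEN_ENDED.match(pattern, i)
                if m:
                    found.append((i, m.group()))
                    i = m.end()
                    continue
        i += 1
    return found


if __name__ == "__main__":
    # Constructed sample patterns, not taken from any real schema.
    for p in [r"[a-z]+", r"a\*b\+", r"[*+]{2}", r"\p{Lu}{3,}",
              r"[a-z-[aeiou]]*", r"\d{2,4}-\d{4}"]:
        print(f"{p!r:22} -> {unbounded_quantifiers(p)}")
```

A pattern that passes this scan has a bounded match length, but that alone says nothing about matching cost, which is the point the reply makes in favour of a timeout.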