>
> A regex that's vulnerable to pathological behavior is a DoS attack waiting
> to happen. Especially when used for parsing log data (which might contain
> untrusted data). If possible, we should make it harder for people to shoot
> themselves in the feet.
>

While definitely not as bad and not as likely as SQL injection, I think the
possibility of regex DoS is totally missing in the stdlib re docs. Should
there be something added there about if you need to put user input into an
expression, best practice is to re.escape it?
_______________________________________________
Python-ideas mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at 
https://mail.python.org/archives/list/[email protected]/message/ODUC75DKJTFWSD227S7S2W6HVUV5JCZ5/
Code of Conduct: http://python.org/psf/codeofconduct/
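
The practice suggested in the reply above, as an added example that is not part of the original message: the same user-supplied search term is compiled once as-is and once through `re.escape`. The log lines, function names and the sample terms are constructed for illustration.

```python
import re
import time

# Constructed sample log lines (not from the thread).
LOG_LINES = [
    "GET /a.b/report from 10.0.0.5",
    "GET /aXb/report from 10.0.0.6",
    "GET /search?q=(a+)+$ from 10.0.0.7",
]

def grep(user_text, lines, escape):
    """Return lines containing user_text; escape=False parses it as regex syntax."""
    needle = re.escape(user_text) if escape else user_text
    pattern = re.compile(needle)
    return [line for line in lines if pattern.search(line)]

def capture_groups(user_text, escape):
    """Number of groups the user text contributed to the compiled pattern."""
    needle = re.escape(user_text) if escape else user_text
    return re.compile(needle).groups

def search_seconds(user_text, subject, escape):
    """Wall-clock time of one search, to compare both modes on the same input."""
    needle = re.escape(user_text) if escape else user_text
    pattern = re.compile(needle)
    start = time.perf_counter()
    pattern.search(subject)
    return time.perf_counter() - start

if __name__ == "__main__":
    print(grep("a.b", LOG_LINES, escape=False))  # "." acts as a wildcard
    print(grep("a.b", LOG_LINES, escape=True))   # literal "a.b" only
    nested = "(a+)+$"         # nested quantifier typed in as a "search term"
    subject = "a" * 18 + "!"  # kept short on purpose so the demo stays fast
    print("unescaped:", search_seconds(nested, subject, escape=False))
    print("escaped:  ", search_seconds(nested, subject, escape=True))
```

`re.escape` only neutralises the interpolated text; a pattern the developer wrote with nested quantifiers still has to be reviewed on its own.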
