[PATCH 06/10] parser: Use full regexps for delegation rules paths

Johannes Berg johannes at sipsolutions.net
Sat Dec 26 02:59:50 AEDT 2015


On Thu, 2015-12-24 at 14:06 +0000, Finucane, Stephen wrote:
> 
> > Paths are validated by trying to compile it as a regexp using a
> > custom
> > validator.
> > 
> > Signed-off-by: Laurent Pinchart <laurent.pinchart at ideasonboard.com>
> > Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
> 
> Some small nits that I can fix myself. Other than that,
> 
A small comment that may or may not be relevant - but there's a bunch
of things one can do with regexes, from taking a lot of CPU to taking a
lot of memory.

What's the trust model for running regexes? I haven't found it in the
patches easily right now. If it's configured only in the config file it
should be OK, but if any kind of remote user can configure it then it
may need safeguards of some kind?

I'm just thinking of a use case like kernel.org where you don't really
even trust the people who are the typical delegates/admins in patchwork
for a given project, since they are pretty much just random people the
admin doesn't necessarily trust much.

(Or put another way - I'd hate for them to patch out/disable this
feature because of security concerns, since I'd want to use it on
kernel.org, but I'm not sure the admins would want me configuring
arbitrary regexes there)

johannes


More information about the Patchwork mailing list