[Owasp-leaders] Question on Regex

Jeff Williams jeff.williams at owasp.org
Wed Oct 14 14:30:50 EDT 2009


Is this a performance question or a security question? I suggest some actual
performance testing over conjecture, since I believe Java already does some
caching of Patterns.  The Java reference implementation of ESAPI doesn't
work exactly the way you suggest.  Instead, it does lazy compilation when a
pattern gets used, and then caches the result in the SecurityConfiguration
pattern cache to make sure patterns aren't compiled unnecessarily.

--Jeff

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of McGovern, James
F. (eBusiness)
Sent: Wednesday, October 14, 2009 11:44 AM
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] Question on Regex

Having a debate with some developers and I wanted to understand if there was
any security perspectives that have merit when it comes to using Regex. So,
I noted that ESAPI for example, has a single properties file where regex
compilation happens in each validation action and not via uber-singleton
upfront compilation. Is this developer religion?

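The lazy-compile-then-cache approach Jeff describes, shown as an added Java example. This is not ESAPI's code and not the OWASP project's own configuration; the class name, the pattern names and the regex sources are constructed for illustration. It compiles each named pattern only the first time it is requested, shares the immutable Pattern across threads, and creates a fresh Matcher per validation because Matcher is not thread-safe.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

/**
 * Hypothetical validator that lazily compiles named patterns on first use
 * and caches the compiled Pattern so it is never compiled twice.
 * (Added example, not ESAPI's SecurityConfiguration.)
 */
public final class LazyPatternCache {

    // Constructed stand-in for a properties file: pattern name -> regex source.
    private final Map<String, String> patternSources;

    // java.util.regex.Pattern is immutable and thread-safe, so one compiled
    // instance per name can safely be shared by every validation call.
    private final ConcurrentHashMap<String, Pattern> compiled = new ConcurrentHashMap<>();

    public LazyPatternCache(Map<String, String> sources) {
        this.patternSources = Map.copyOf(sources);
    }

    /** Returns the compiled Pattern for a name, compiling it at most once. */
    public Pattern get(String name) {
        // computeIfAbsent is atomic per key: concurrent first-time callers do
        // not race to compile the same pattern several times.
        return compiled.computeIfAbsent(name, n -> {
            String src = patternSources.get(n);
            if (src == null) {
                throw new IllegalArgumentException("unknown validation pattern: " + n);
            }
            return Pattern.compile(src);
        });
    }

    /**
     * Validates input against a named pattern. Matcher holds per-call state
     * and is not thread-safe, so a new one is created for every call.
     */
    public boolean isValid(String name, String input) {
        return get(name).matcher(input).matches();
    }

    /** Number of patterns compiled so far (only those actually used). */
    public int compiledCount() {
        return compiled.size();
    }

    public static void main(String[] args) {
        // Constructed sample configuration; the names and regexes are assumptions.
        LazyPatternCache cache = new LazyPatternCache(Map.of(
            "SafeString", "^[a-zA-Z0-9 .]{0,64}$",
            "Email", "^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$",
            "Digits", "^[0-9]{1,10}$"));

        // Nothing is compiled until a pattern is first used.
        System.out.println("compiled before use: " + cache.compiledCount());

        System.out.println("SafeString ok:  " + cache.isValid("SafeString", "hello world."));
        System.out.println("SafeString bad: " + cache.isValid("SafeString", "<script>"));
        System.out.println("Email ok:       " + cache.isValid("Email", "user at example.com".replace(" at ", "@")));

        // Only the two patterns that were used have been compiled.
        System.out.println("compiled after use: " + cache.compiledCount());

        // A second call for the same name reuses the cached Pattern instance.
        System.out.println("same instance: " + (cache.get("Email") == cache.get("Email")));
    }
}
```

The design choice behind the cache is the one Jeff points at: what matters is that a pattern is never compiled more than once, not whether all patterns are compiled up front in a singleton. Lazy compilation additionally means a misconfigured regex that is never exercised cannot throw a PatternSyntaxException at startup, so a deployment should still validate every configured pattern at least once (for example in a smoke test) rather than rely on first use to surface errors.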