[langsec-discuss] CVEs from inappropriate use of regular expressions

Frithjof Schulze fs at ciphron.de
Mon Nov 27 23:01:46 UTC 2017


Hi all,

is anybody aware of some recent CVEs that are the direct result of the attempt to parse a non-regular grammar with regular expressions? I expected to find something like this on cve.mitre.org/find, but didn't. I expected at least a case where regexes were used to do "input sanitization", but found nothing good.

Why am I looking for such a CVE? When talking about LangSec ideas with (mostly web) developers I regularly have the problem that I either have to explain a lot of theory (that few people are really interested in) or have to go "thou shall not ..." to argue against "but this is easy and works in practice!".

The best solution for me so far is similar to the approach suggested in the "Seven Turrets of Babel": show people examples of the bugs they are up against if they use certain antipatterns. I am now compiling a list of educational and "realistic" bugs, in the sense that the more popular bugs like string terminators in X.509/ASN.1, Heartbleed and the Android Master Key are great examples for LangSec in general, but are not the kind of bugs many developers have to actually deal with.

Most people I am talking to actually know that they "shouldn't" use regexes to do certain things, because of the Lovecraftian post on Stack Overflow[1], but that post also just repeatedly mentions the impossibility of a suggested solution without giving any examples of negative consequences of trying.

[1] https://stackoverflow.com/a/1732454

Cheers,
Frithjof
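An added illustration of the failure mode the post asks about (example code by the editor, not from the original message): a constructed toy filter that strips bracketed segments with a regex, beside an exact depth-tracking version. Because nesting is not a regular property, each regex only handles a bounded depth and lets bracketed content one level deeper pass through unchanged.

```python
import re

# Constructed toy filter: remove every bracketed segment "[...]" from a string,
# e.g. to drop markup before further processing. Nested brackets form a
# non-regular language, so any regex can only cope with a bounded depth.
STRIP_DEPTH1_RE = re.compile(r"\[[^\]]*\]")                     # no nesting
STRIP_DEPTH2_RE = re.compile(r"\[(?:[^\[\]]|\[[^\[\]]*\])*\]")  # one inner level


def strip_regex_depth1(text: str) -> str:
    """Naive regex strip; breaks as soon as brackets nest."""
    return STRIP_DEPTH1_RE.sub("", text)


def strip_regex_depth2(text: str) -> str:
    """'Patched' regex tolerating one level of nesting; breaks at depth 3."""
    return STRIP_DEPTH2_RE.sub("", text)


def strip_with_counter(text: str) -> str:
    """Exact removal using a depth counter (the minimal non-regular state the
    task needs); rejects unbalanced input instead of passing it through."""
    out, depth = [], 0
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]":
            if depth == 0:
                raise ValueError("unbalanced ']'")
            depth -= 1
        elif depth == 0:
            out.append(ch)
    if depth:
        raise ValueError("unclosed '['")
    return "".join(out)


def regex_agrees_with_exact(text: str, strip) -> bool:
    """True when the regex filter `strip` and the exact filter agree on text."""
    return strip(text) == strip_with_counter(text)


if __name__ == "__main__":
    # Constructed inputs: each regex fails exactly one nesting level past
    # what it was written for, and leaks the content of the inner bracket.
    for sample in ("a[b]c", "a[[b]c]d", "a[[[b]c]d]e"):
        print(sample, strip_regex_depth1(sample), strip_regex_depth2(sample),
              strip_with_counter(sample), sep="  |  ")
```

Adding nesting levels to the regex only moves the boundary; the counter-based filter (a tiny parser) is exact for every depth and, unlike the regexes, fails closed on malformed input.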

