preg_match denial of service in PHP [closed]

Question

It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.

Closed 8 years ago.

I am using a form for a input of regular expression itself and then use this regexp in preg_match, so there we dont need validation(maybe only length) but i hear on google "regular expression denial of service" in different programming languages.

There doesn't seem to mention PHP,
Is it possible in PHP also!?

Also should i be considering using regular expression client-side in java web application since the data to get matched aren't really necessary in server-side!??

Answer 1

First of all, never trust any data from the client-side to be valid. You can't even assume that the data came from your website's form or that the user is using a browser to interact with your site. Thus, you should always do validation on the server-side even if you have some basic validation on the client side (like checking for length).

According to this article PHP is no exception:

http://www.abemiester.com/abemiester/post/RegEx-DOS-attack-Regular-Expressions-Now-you-have-3-problems.aspx

You need to make sure you write your regexes carefully. This article also mentions "Regex Fuzzer" which is a method of finding problematic regexes. The link at the top of the article has more information about that.

Edit: Microsoft has built a program to test for vulnerable regexes. It's available from here: http://www.microsoft.com/en-us/download/details.aspx?id=20095 I haven't tried it myself, but that might help you find any issues with your regex.