This assumes that PCRE doesn't still contain memory corruption flaws, despite no... | Hacker News

Hacker Timesnew | past | comments | ask | show | jobs | submit

		tptacek on Sept 23, 2010 \| parent \| context \| favorite \| on: Security Lessons Learned From The Diaspora Launch This assumes that PCRE doesn't still contain memory corruption flaws, despite not being heavily tested, and being in effect a programming language interpreter. Tavis Ormandy found a couple serious problems a few years ago. I'd just scrub the hell out of strings before passing them to a regex engine.

avar on Sept 23, 2010 | [–]

Even if it does it's a pretty remote possibility that it'll be exploitable if you limit the input to say 100 bytes. Pretty hard to get a Perl or Ruby level program of that size to exploit some memory corruption at the C level.

egmike on Sept 23, 2010 | [–]

Good advice, thanks you two!

Consider applying for YC's Summer 2026 batch! Applications are open till May 4
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact