Hacker News new | ask | show | jobs
by nkozyra 1806 days ago
> A regex "denial of service" "vulnerability" could be important, if it shows up in code that processes untrusted input from end users.

But in this context what's the end result? Chrome locking up on the end user's (attacker's) machine? Again, an "attacker" doesn't have access to the source code for distribution. By inputting bad regexp data they're only DOSin themselves, no?
2 comments
esens 1806 days ago
Could be in a service on a server, which in this case a RegEx DOS could lock the server for all users.
link
JonathonW 1806 days ago
Or if a JS frontend takes in input that comes from other users-- something like forum post titles or content.

That's "just" a browser freeze for end users, but still a potential DOS vulnerability if it's in the application's critical path.

link
nkozyra 1806 days ago
Right, but that's why I wrote "context," and seems to be the primary complaint in this article.
link
Avamander 1806 days ago
StackOverflow and Cloudflare have both self-DoSed themselves with such flaws, causing downtime.
link