undefined | Better HN

0 pointsnkozyra4y ago0 comments

> A regex "denial of service" "vulnerability" could be important, if it shows up in code that processes untrusted input from end users.

But in this context what's the end result? Chrome locking up on the end user's (attacker's) machine? Again, an "attacker" doesn't have access to the source code for distribution. By inputting bad regexp data they're only DOSin themselves, no?

0 comments

esens4y ago

Could be in a service on a server, which in this case a RegEx DOS could lock the server for all users.

JonathonW4y ago

Or if a JS frontend takes in input that comes from other users-- something like forum post titles or content.

That's "just" a browser freeze for end users, but still a potential DOS vulnerability if it's in the application's critical path.

nkozyraOP4y ago

Right, but that's why I wrote "context," and seems to be the primary complaint in this article.

Avamander4y ago

StackOverflow and Cloudflare have both self-DoSed themselves with such flaws, causing downtime.

j / k navigate · click thread line to collapse