Re: 4.0a3 - Two Regular Expression Libraries? -- We need your input!
- Posted by jeremy (admin) Mar 16, 2009
So, for 4.0a3, we released both regular expression libraries and would like your input...
I like the idea of a "standard." PCRE +1
I don't like the idea of having to wait on some other group for updates. PCRE -1
However, any possible changes by the Euphoria Dev Team could be accepted by PCRE, right? PCRE +1
I like the idea of wide acceptance and well tested. PCRE +2
I don't care about the size of the code base. At least, not yet.
I don't understand what can be exploited via PCRE, nor how it would affect Euphoria programs.
I vote for PCRE.
That's fine, but understand, the code base of PCRE is 22,416 lines of C code, the C code base of Euphoria itself is 27,241. So, PCRE is almost as much C code as Euphoria is! There is no way that the Euphoria devs are going to venture into the PCRE code, fix and submit a patch. Well, maybe "no way" is strong, but I highly, highly doubt it.
Now, about not understanding exploits. Buffer overruns are huge. This past year, there have been three patches that I know of by the Debian group to stop a buffer overrun that causes the caller to be able to execute programs on the host computer. They are all very tricky. I'm not a hacker, so I do not understand it that well, but people have been able to execute a program on your computer through exploits in PCRE. For instance:
sequence name = prompt_string("Enter your name: ")
r:regex validNameRx = r:new("[A-Z][a-z]+")
if r:match(validNameRx, name) then
    puts(1, "You have a valid name!\n")
end if
That program above, people have been able to execute commands on your computer through.
Now, don't be too afraid because buffer overruns are everywhere in about any program you have ever used. For instance, Firefox? IE? Microsoft Excel? Linux Kernel? Mutt email client? etc... It just gives you an idea of how an exploit could take place. Also, do not take that as a certain NO for PCRE, as there may be exploits in eFTE's regex library that have not been found, because it has not been targeted. Further, there may be exploits in Euphoria's C base that have not been found because it has not been targeted. I am not saying there are, but I am saying it is possible in anything.
BTW... I am with you on code size, w/in reason. 170k in today's world is an extra 1/2 second of download. It means nothing on a disk.
Jeremy