glyn closed this issue 1 year ago
I'm not sure how this is a much more viable attack vector than putting in the same string in the query. Of course, we'd need to discuss which parts are controlled by whom here. But, in the end, iregexps are much less attackable than general PCRE or JavaScript regexes, so we are already on the safe side.
On reflection, I think this is a false alarm, as Carsten says it's not worse. Closing.
@timbray wrote on the mailing list:
I think this deserves discussion in an issue.