Tolerance to malicious expressions? about muparserx HOT 6 CLOSED

This hasn't been investigated. muparserx will throw std::bad_alloc in case of memory shortages. Its the responsibility of the client code to make sure this does not happen or deal gracefully with it. I can't introduce arbitrary limits to the size of matrices and C++ does not provide a standard complient way to investigate the existing memory size. muparserx is neither aimed at being used in flight control systems nor medical equipment for everything else standard C++ should suffice.

from muparserx.

@beltoforion I cannot agree more. Of course, muparserx can be used in quite important projects and can lead to some serious bugs, but in this kind of software I would not even expect that somebody could perform some kind of security audit just like that. muparserx is not True Crypt.

On the other hand, once serious vulnerabilities are discovered, they should be fixed.

from muparserx.

Trying to allocate a matrix larger than available memory is certainly a nuisance but not nearly as serious as arbitrary code execution via the expression parser. Was such a possibility considered when developing the parser or is its security/insecurity a byproduct of the implementation?

from muparserx.

muparserx can not execute arbitrary code unless you add a function that will execute arbitrary code. muparserx is also not a scripting engine since it is lacking commands for flow control.

from muparserx.

muparserx wasn't designed to execute arbitrary code yes but that doesn't mean it's not possible, unless proper steps have been taken to prevent those kinds of attacks. I think here's an example of a vulnerability report for a different parser: http://www.cvedetails.com/cve/CVE-2008-3196/

I'll assume that people haven't looked into muparserx from this perspective. Thanks.

from muparserx.

I really don't see the potential for such an attack. The syntax checks are very strict. The input must be a mathematical expression everything else is rejected immediately. identifiers must conform to predefined character sets and those sets dont allow characters that might be used for malicious purposes. I can however give no guarantees, i can only guarantee to close every hole that is reported.

from muparserx.