WikiProject Computing / Security (Rated B-class, Low-importance)
- That's not very helpful, you know.
But really, this article looks much more like a how-to guide than an encyclopedia article.
- Gabrielkfl (talk) 01:06, 4 March 2011 (UTC)
Point out how some regular expression libraries allow the user to specify a timeout for the evaluation of the regex. For example, the .NET Framework 4.5 has that feature. — Preceding unsigned comment added by 18.104.22.168 (talk) 10:16, 22 March 2012 (UTC)
NFA vs. DFA
This article seems to assume all regex engines are NFA or hybrid NFA/DFA, but pure DFA engines do exist -- and they are not susceptible to this type of attack. Namely, non-GNU awk and non-GNU egrep use pure-DFA engines. --Lucas.Yamanishi (talk) 21:05, 30 March 2013 (UTC)
I think the article name is probably incorrect. “ReDoS” doesn't really seem to have a definition outside of this page; “Catastrophic Backtracking,” while it has fewer total results on a Google search, at least seems to unambiguously mean this. PiAndWhippedCream (talk) 19:32, 1 April 2014 (UTC)
Java class name regexp
The regular expression ^(([a-z])+.)+[A-Z]([a-z])+$ is just wrong for Java class names – it matches e.g. java-lang+String, not just e.g. java.lang.String. If you correct it to ^(([a-z])+\.)+[A-Z]([a-z])+$, it won't produce any backtracking. (Though it is right, the regexp is still found in the wrong way on the linked page, with a warning linking to this page. I'll try to see how to correct that.) -- Paul Ebermann (talk) 17:22, 23 June 2017 (UTC)
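An added example, not part of any comment above and not code from the article: a hand-written model of a greedy backtracking matcher for the two patterns quoted in the last comment, counting how many attempts each needs. The names `match_class_name` and `growth` are hypothetical, and the input `'a' * k + '!'` is constructed for the comparison.

```python
# Hand-written model of a greedy backtracking engine for the two patterns
# quoted above; it is not the code of any real regex library.
#   loose:  ^(([a-z])+.)+[A-Z]([a-z])+$    separator = any character
#   strict: ^(([a-z])+\.)+[A-Z]([a-z])+$   separator = literal dot

def is_lower(c):
    return "a" <= c <= "z"

def match_class_name(text, strict):
    """Return (matched, attempts) for the strict or the loose pattern."""
    n = len(text)
    attempts = 0

    def sep_ok(c):
        # "\." accepts only a dot; "." accepts anything except a newline.
        return c == "." if strict else c != "\n"

    def tail(i):
        # [A-Z]([a-z])+$ : one capital, then one or more lowercase letters.
        if i >= n or not ("A" <= text[i] <= "Z"):
            return False
        rest = text[i + 1:]
        return len(rest) > 0 and all(is_lower(c) for c in rest)

    def group(i):
        # One iteration of (([a-z])+ SEP), followed by another iteration
        # or by the tail.
        nonlocal attempts
        j = i
        while j < n and is_lower(text[j]):
            j += 1
        # Greedy: take the longest letter run first, then give letters back.
        for end in range(j, i, -1):
            attempts += 1
            if end < n and sep_ok(text[end]):
                if group(end + 1) or tail(end + 1):
                    return True
        return False

    return group(0), attempts

def growth(lengths, strict):
    """Attempts needed to reject 'a' * k + '!' (constructed input) per k."""
    return [match_class_name("a" * k + "!", strict)[1] for k in lengths]

if __name__ == "__main__":
    for name in ("java.lang.String", "java-lang+String"):
        print(name, match_class_name(name, True), match_class_name(name, False))
    print("strict:", growth([5, 10, 20], True))
    print("loose: ", growth([5, 10, 20], False))
```

In this model the strict pattern rejects the constructed input in k attempts, while the loose pattern needs 12, 143 and 17710 attempts for k = 5, 10 and 20, because every lowercase letter can also serve as the separator.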