Hi Mike,

> On 2023-05-15, at 18:40, Mike Ounsworth <Mike.Ounsworth@xxxxxxxxxxx> wrote:
>
> If you put any sort of paragraph to that effect, then I’ll be happy.

Actually, this thread turned into a number of new paragraphs.

In PR #27 [1], new text has been added specifically about resource consumption (time and space) based attacks. This text is a bit longer than I wanted because it has to distinguish the two cases I-Regexp specific implementation vs. re-use of existing Regexp implementation, and there is no simple perfect way to handle twisted applications of range-quantifiers. Thanks to Martin Dürst for preparing much of this text in his original comment.

PR #26 [2] picks up the comments made by Rob Sayre and generalizes the concerns in a way that is useful in this specification. We now reference STD 63 (RFC 3629), interestingly as an informative reference, as this discusses related issues in more detail than would fit this specification.

Thank you for getting this thread started with your comment!

Comments on the two PRs will be appreciated.

Grüße, Carsten

[1]: https://github.com/ietf-wg-jsonpath/iregexp/pull/27
[2]: https://github.com/ietf-wg-jsonpath/iregexp/pull/26