IETF Logo Mail Archive

Re: Complexity of :matches ?

Michael Haardt <michael@freenet-ag.de> Tue, 12 July 2005 09:44 UTC

Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j6C9iPsE041628; Tue, 12 Jul 2005 02:44:25 -0700 (PDT) (envelope-from owner-ietf-mta-filters@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j6C9iPsr041627; Tue, 12 Jul 2005 02:44:25 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-mta-filters@mail.imc.org using -f
Received: from mout1.freenet.de (mout1.freenet.de [194.97.50.132]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j6C9iOAu041610 for <ietf-mta-filters@imc.org>; Tue, 12 Jul 2005 02:44:25 -0700 (PDT) (envelope-from michael@freenet-ag.de)
Received: from [194.97.55.148] (helo=mx5.freenet.de) by mout1.freenet.de with esmtpa (Exim 4.52) id 1DsHJL-0006cI-7q for ietf-mta-filters@imc.org; Tue, 12 Jul 2005 11:44:19 +0200
Received: from nostromo.freenet-ag.de ([194.97.7.6]) by mx5.freenet.de with esmtps (TLSv1:AES256-SHA:256) (Exim 4.52 #3) id 1DsHJL-0006qu-6K for ietf-mta-filters@imc.org; Tue, 12 Jul 2005 11:44:19 +0200
Received: from michael by nostromo.freenet-ag.de with local (ID michael) (Exim 4.52 #5) id 1DsHJJ-0003hi-Se for ietf-mta-filters@imc.org; Tue, 12 Jul 2005 11:44:17 +0200
To: ietf-mta-filters@imc.org
Subject: Re: Complexity of :matches ?
Message-Id: <E1DsHJJ-0003hi-Se@nostromo.freenet-ag.de>
From: Michael Haardt <michael@freenet-ag.de>
Date: Tue, 12 Jul 2005 11:44:17 +0200
Sender: owner-ietf-mta-filters@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-mta-filters/mail-archive/>
List-ID: <ietf-mta-filters.imc.org>
List-Unsubscribe: <mailto:ietf-mta-filters-request@imc.org?body=unsubscribe>

> The algorithm I used was just essentially this.
> - ? can be handled trivially.
> - if the pattern doesn't begin with *
>    - handle that leader
> - find the next string between stars
>    - search for string between the stars
>    - search returns a location of that substring
>    - no match -> return false
>    - we have a match; from now on, search only
>      from the location of that match forward
> - if the pattern doesn't end with *
>    - handle that trailer

Just forget my previous mail.  Here we go, an algorithm without
backtracking/NFA.

Now that I see it, the fundamental difference to regexps is obvious:
Regexps can contain looping patterns, and wildcard patterns can not,
thus allowing to replace backtracking by string search.  Pretty cool,
Tim, and thanks for opening my eyes!

> I think that this implements right-to-left greedy matching, that is,
> completely ungreedy matching.  If you wanted greedy matching, you might
> be able to get it by doing the search backwards.  I'm real sure that I
> can't prove this.

It does sound reasonable, though.  A backward search will match the
shortest possible pattern right to a string, starting at the last one,
leaving the longest possible one left to it.  Since that applies to all
strings, indeed you get greedy matching that way. (Unless I write crap
again. ;-)

I am unsure how to proceed on documenting something in the security
considerations.  Tim showed that there is no risk really, if you do
things right.  I showed how tempting a naive approach is.  Ned was sure
that his code was not to be breaken easily, but didn't want to exclude
that there might be a pathological case for sure.

It feels silly to document that done wrong, there is a security risk.
Then again, it is not easy to see that it is possible to avoid exponential
complexity even for the worst case, and how.  Future implementations
might work unsafe, if we don't document something.

Michael

v2.30.2 | Report a Bug | By Email | System Status