Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
正規表現再入門/introduction-to-regex
Search
shin1x1
November 03, 2016
Programming
5
13k
正規表現再入門/introduction-to-regex
2016/11/03 PHPカンファレンス2016
shin1x1
November 03, 2016
Tweet
Share
More Decks by shin1x1
See All by shin1x1
PHP ユーザのための OpenTelemetry 入門 / phpcon2024-opentelemetry
shin1x1
3
1.8k
PHPコードの実行モデルを理解する / Understanding-the-PHP-Execution-Model
shin1x1
1
2.3k
制約の力 - 状態を限定する -
shin1x1
4
4.7k
Apple Silicon Mac 時代の PHP 開発環境構築 2021 / php-dev-env-on-m1-mac-era
shin1x1
2
4.6k
Docker イメージのマルチアーキテクチャビルド / docker-muti-arch-build
shin1x1
1
470
Domain modeling with PHP / domain-modeling-with-php-en
shin1x1
0
240
ドメインをモデリングしてPHPコードに落とし込む / domain-modeling-with-php8
shin1x1
14
7.1k
PHP 8 で作る JSON パーサ / php8-json-parser
shin1x1
1
3.7k
Kubernetes で構築する PHP 開発環境 / php-development-environment-on-kubernetes
shin1x1
3
4.9k
Other Decks in Programming
See All in Programming
データの整合性を保つ非同期処理アーキテクチャパターン / Async Architecture Patterns
mokuo
55
19k
苦しいTiDBへの移行を乗り越えて快適な運用を目指す
leveragestech
0
1.1k
はじめての Go * WASM * OCR
sgash708
1
110
複数のAWSアカウントから横断で 利用する Lambda Authorizer の作り方
tc3jp
0
120
ABEMA iOS 大規模プロジェクトにおける段階的な技術刷新 / ABEMA iOS Technology Upgrade
akkyie
1
230
Kotlinの開発でも AIをいい感じに使いたい / Making the Most of AI in Kotlin Development
kohii00
5
1.5k
Jakarta EE meets AI
ivargrimstad
0
570
Jakarta EE meets AI
ivargrimstad
0
530
Rails 1.0 のコードで学ぶ find_by* と method_missing の仕組み / Learn how find_by_* and method_missing work in Rails 1.0 code
maimux2x
1
260
機能が複雑化しても 頼りになる FactoryBotの話
tamikof
1
230
Honoのおもしろいミドルウェアをみてみよう
yusukebe
1
240
TCAを用いたAmebaのリアーキテクチャ
dazy
0
210
Featured
See All Featured
Writing Fast Ruby
sferik
628
61k
Building Flexible Design Systems
yeseniaperezcruz
328
38k
Site-Speed That Sticks
csswizardry
4
410
Rails Girls Zürich Keynote
gr2m
94
13k
The Power of CSS Pseudo Elements
geoffreycrofte
75
5.5k
Raft: Consensus for Rubyists
vanstee
137
6.8k
How GitHub (no longer) Works
holman
314
140k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
129
19k
Faster Mobile Websites
deanohume
306
31k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Intergalactic Javascript Robots from Outer Space
tanoku
270
27k
Thoughts on Productivity
jonyablonski
69
4.5k
Transcript
ɹ!shin1x1 2016//03 PHPΧϯϑΝϨϯε ਖ਼نදݱ࠶ೖ
ৄࡉਖ਼نදݱ ਖ਼نදݱٕज़ೖ
D .BTBTIJ4IJOCBSB!TIJOY "HFOEB w1)1ͷਖ਼نදݱ wϚονϯά wόοΫτϥοΫ w3F%P4
1)1ͷਖ਼نදݱ
1)1ͷਖ਼نදݱ D .BTBTIJ4IJOCBSB!TIJOY w1$3& QSFHܥ w104*9ਖ਼نදݱ FSFHܥʢ1)1ͰඇਪɺͰഇࢭʣ wَं NC@FSFHܥ
1)1ͷਖ਼نදݱ D .BTBTIJ4IJOCBSB!TIJOY w1$3& QSFHܥ w104*9ਖ਼نදݱ FSFHܥʢ1)1ͰඇਪɺͰഇࢭʣ wَं NC@FSFHܥ
ਖ਼نදݱͷओͳར༻༻్ D .BTBTIJ4IJOCBSB!TIJOY wจࣈྻ͕Ϛον͢Δ͔Ͳ͏͔ͷผ wจࣈྻ͔ΒϚονͨ͠Օॴͷऔಘ wจࣈྻͷϚονͨ͠ՕॴΛஔ wϚονͨ͠ՕॴͰจࣈྻΛׂ
ਖ਼نදݱͷओͳར༻༻్ D .BTBTIJ4IJOCBSB!TIJOY wϚον͢Δ͔Ͳ͏͔ͷผ wϚονͨ͠Օॴͷऔಘ QSFH@NBUDI QSFH@NBUDI@BMM QSFH@HSFQ wϚονͨ͠Օॴͷஔ
QSFH@SFQMBDF QSFH@pMUFS wϚονͨ͠ՕॴͰจࣈྻΛׂ QSFH@TQMJU
Ϛονϯά
Ϛονϯάͷಛ D .BTBTIJ4IJOCBSB!TIJOY wਖ਼نදݱؤுΓ w࠷ॳʹϚονͨ͠ͷ͕༏ઌ wඪ४ͷྔࢦఆࢠཉுΓʢHSFFEZʣ
Ϛονϯάͷಛ D .BTBTIJ4IJOCBSB!TIJOY wਖ਼نදݱؤுΓ w࠷ॳʹϚονͨ͠ͷ͕༏ઌ wඪ४ͷྔࢦఆࢠཉுΓʢHSFFEZʣ ࠷࠷ࠨϚονϯά
ਖ਼نදݱؤுΓ D .BTBTIJ4IJOCBSB!TIJOY wϚον͢Δ·ͰऔΓಘΔશͯͷύλʔϯΛࢼߦ Ϛον͢Εऴྃ wऔΓಘΔશͯͷύλʔϯ͕Ϛον͠ͳ͍ Ϛονࣦഊ wϚονࣦഊͷ߹ɺॲཧྔ͕େʹͳΔՄೳੑ
B aE
B aE aE ΛͰϚον
B aE ͱBϚον͠ͳ͍
B aE aE ΛͰϚον όοΫτϥοΫ
B aE ͱϚον͠ͳ͍
B aE จࣈྻΛਐΊͯ aE ΛͰϚον
B aE ͱBϚον͠ͳ͍
B aE จࣈྻΛਐΊΔͱ aE ͕Ϛον͢Δͷ͕ແ͍ Ϛονࣦഊ
࠷ॳʹϚονͨ͠ͷ͕༏ઌ D .BTBTIJ4IJOCBSB!TIJOY wจࣈྻͰ࠷ࠨʹ͋ΔϚον͕༏ઌ ʢ࠷ॳʹϚονͨ͠Օॴʣ wਖ਼نදݱʢબʣͷฒͼͰͳ͍
1FO1JOFBQQMF"QQMF1FO
1FO1JOFBQQMF"QQMF1FO ?1FO Ϛον͢Δ
1FO1JOFBQQMF"QQMF1FO 1FO 1FO1JOFBQQMF"QQMF1FO
1FO1JOFBQQMF"QQMF1FO 1FO จࣈྻͷࠨଆͰϚονͨ͠ͷ͕༏ઌ ʢ্ͷύλʔϯͰऴྃʣ 1FO1JOFBQQMF"QQMF1FO
1FO1JOFBQQMF"QQMF1FO "QQMFc1FO
1FO1JOFBQQMF"QQMF1FO "QQMFc1FO 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO
1FO1JOFBQQMF"QQMF1FO "QQMFc1FO 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO จࣈྻͷࠨଆͰϚονͨ͠ͷ͕༏ઌ
ඪ४ͷྔࢦఆࢠཉுΓ D .BTBTIJ4IJOCBSB!TIJOY wඪ४ͷྔࢦఆࢠɺ࠷ʹϚον wσϑΥϧτͰ࠷େྔࢦఆࢠͱͯ͠ಈ͘
ྔࢦఆࢠ D .BTBTIJ4IJOCBSB!TIJOY wલͷύλʔϯͷ܁Γฦ͠Λࣔ͢ w ɺ ɺ ɺ\O N^ wB
ͳΒʮBʯʮBBCʯʮDBBBBCʯͳͲʹϚον
1FO1JOFBQQMF"QQMF1FO 1 O ճҎ্
1FO1JOFBQQMF"QQMF1FO 1 O 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO
1FO1JOFBQQMF"QQMF1FO 1 O ඪ४ͷྔࢦఆࢠ࠷ͰϚον
1FO1JOFBQQMF"QQMF1FO 1 O ճҎ্
1FO1JOFBQQMF"QQMF1FO 1 O ͘͠ճ 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO
1FO1JOFBQQMF"QQMF1FO 1 O ͘͠ճ 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO
1\ ^O ճҎ্ճҎԼ 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO
1\ ^O 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO ճҎ্ճҎԼ
ྔࢦఆࢠͷϚονϯάύλʔϯ D .BTBTIJ4IJOCBSB!TIJOY w࠷େྔࢦఆࢠʢσϑΥϧτʣ w࠷খྔࢦఆࢠ wઈର࠷େྔࢦఆࢠ
࠷େྔࢦఆࢠ D .BTBTIJ4IJOCBSB!TIJOY wྔࢦఆࢠσϑΥϧτͷಈ͖ w \O N^ w࠷ʹϚονɺཉுΓͳϚον
࠷খྔࢦఆࢠ D .BTBTIJ4IJOCBSB!TIJOY wྔࢦఆࢠʹ Λ͚ͯࢦఆ w ɺ ɺ ɺ\O N^
w࠷খͷϚονɺ߇͑ΊͳϚον
1FO1JOFBQQMF"QQMF1FO 1 O ࠷ͰϚον
1FO1JOFBQQMF"QQMF1FO 1 O ࠷ͰϚον
GPPBOECBS GPPΛϚον͍ͨ͠
࠷େྔࢦఆࢠ GPPBOECBS
<?> Ҏ֎ͷ܁Γฦ͠ GPPBOECBS
࠷খྔࢦఆࢠ GPPBOECBS
࠷େྔࢦఆࢠͱ࠷খྔࢦఆࢠ D .BTBTIJ4IJOCBSB!TIJOY w࠷େྔࢦఆࢠ࠷Ұக͔Βࢼߦ͍ͯ͘͠ w࠷খྔࢦఆࢠ࠷Ұக͔Βࢼߦ͍ͯ͘͠ wϚον͠ͳ͍߹ͲͪΒಉ͡ࢼߦΛߦ͏
ઈର࠷େྔࢦఆࢠ D .BTBTIJ4IJOCBSB!TIJOY wྔࢦఆࢠʹ Λ͚ͯࢦఆ w ɺ ɺ ɺ\O N^
wڧཉͳϚονɺఘΊͳ͍Ϛον
1FO1JOFBQQMF"QQMF1FO 1 O Ϛονࣦഊ
όοΫτϥοΫ
όοΫτϥοΫ D .BTBTIJ4IJOCBSB!TIJOY wϚον͕ࣦഊͨ͠߹ʹ લͷਖ਼نදݱʹΓɺผͷϚονΛߦ͏ wਖ਼͍͠ղΛಘΔ·ͰՄೳͳΈ߹ΘͤΛ ޮతʹࢼ͍ͯ͘͠ https://ja.wikipedia.org/wiki/όοΫτϥοΩϯά
1FO1JOFBQQMF"QQMF1FO 1 O Ϛον͢Δ
1FO1JOFBQQMF"QQMF1FO 1 O Ϛον͢Δ
1FO1JOFBQQMF"QQMF1FO 1 O OͱߦͳͷͰ Ϛον͠ͳ͍
1FO1JOFBQQMF"QQMF1FO 1 O จࣈͯ͘͠Ϛον όοΫτϥοΫ
1FO1JOFBQQMF"QQMF1FO 1 O Ϛονޭ
1FO1JOFBQQMF"QQMF1FO 1 O Ϛον͢Δ
1FO1JOFBQQMF"QQMF1FO 1 O Ϛον͢Δ Ϛονͨ͠ൣғΛΞτϛοΫʹѻ͏
1FO1JOFBQQMF"QQMF1FO 1 O OͱߦͳͷͰ Ϛον͠ͳ͍
1FO1JOFBQQMF"QQMF1FO 1 O ͰϚονͨ͠Օॴͷ࠶୳ࠪߦΘͣɺ ਖ਼نදݱΛ1͔ΒϚον͢͠
1FO1JOFBQQMF"QQMF1FO 1 O Ϛον͢Δ Ϛονͨ͠ൣғΛΞτϛοΫʹѻ͏
1FO1JOFBQQMF"QQMF1FO 1 O OͱߦͳͷͰ Ϛον͠ͳ͍
1FO1JOFBQQMF"QQMF1FO 1 O ͰϚονͨ͠Օॴͷ࠶୳ࠪߦΘͣɺ ਖ਼نදݱΛ1͔ΒϚον͢͠
1FO1JOFBQQMF"QQMF1FO 1 O Ϛον͢Δ Ϛονͨ͠ൣғΛΞτϛοΫʹѻ͏
1FO1JOFBQQMF"QQMF1FO 1 O OͱߦͳͷͰ Ϛον͠ͳ͍
1FO1JOFBQQMF"QQMF1FO 1 O Ϛονࣦഊ
ઈର࠷େྔࢦఆࢠ D .BTBTIJ4IJOCBSB!TIJOY wҰϚονϯάͨ͠ൣғΛΞτϛοΫʹѻ͍ɺ όοΫτϥοΫͰख์͞ͳ͍ wΞτϛοΫάϧʔϓͰಉ༷ͷޮՌ Ͱಉ༷ͷޮՌ wόοΫτϥοΫൃੜΛ͑Δ
SFHVMBSFYQSFTTJPOT D .BTBTIJ4IJOCBSB!TIJOY https://regex101.com/
None
όοΫτϥοΫʹΑΔ %P4
http://stackstatus.net/post/147710624694/outage-postmortem-july-20-2016
w4UBDL0WFSqPXͰؒΞΫηεෆೳ wจࣈྻલޙͷۭനΛআ͢Δਖ਼نදݱ w?<aTaVD> c<aTaVD> w ͷۭന ඌۭനҎ֎
ݕূ D .BTBTIJ4IJOCBSB!TIJOY wQSFH@SFQMBDF 1)1 w୯७Խͯ͠ɺaT ͱaT Ͱݕূ w/ݸͷۭന
`B`ʹରͯ͠ॲཧ
/TQBDFT B 1)1 1)1 NT NT NT
NT NT NT NT NT QSFH@SFQMBDF aT
/TQBDFT B 1)1 1)1 NT NT NT
NT NT NT NT aT ൺ NT aT ൺ QSFH@SFQMBDF aT
ରԠࡦ D .BTBTIJ4IJOCBSB!TIJOY wઈର࠷େྔࢦఆࢠͰόοΫτϥοΫΛ੍ wจࣈྻΛόϦσʔγϣϯͰ੍ݶ wਖ਼نදݱΛΘͳ͍ 4UBDL0WFSqPXͰͷରԠ จࣈྻؔͰஔ͑
3F%P4
3F%P4 D .BTBTIJ4IJOCBSB!TIJOY wਖ਼نදݱΛѱ༻ͨ͠%P4 w͔Βఏى͞Ε͍ͯͨ wϚον͠ͳ͍ύλʔϯͰ߈ܸ https://www.checkmarx.com/wp-content/uploads/2015/03/ReDoS-Attacks.pdf
https://www.checkmarx.com/wp-content/uploads/2015/03/ReDoS-Attacks.pdf
&WJM3FHFY1BUUFSOT D .BTBTIJ4IJOCBSB!TIJOY w B w <B[";> w
BcBB w BcB w B \Y^cGPSY
BBBBBBBBBBBBBBBBBBB9 B
TUFQT ࢀߟ յ໓తͳόοΫτϥοΫ B BBBBBBBBBBBBBBBBBBB9
&WJM3FHFY1BUUFSOT D .BTBTIJ4IJOCBSB!TIJOY wΘ͔ͣจࣈͷจࣈྻͰ Έ߹Θͤരൃ͕ى͜Δ wྔࢦఆࢠͷೖΕࢠɺબͱྔࢦఆࢠͷೖΕࢠ
1)1Ͱ࣮ߦ D .BTBTIJ4IJOCBSB!TIJOY preg_match('/(a+)+$/', 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaX'); 1)1 1)1 QSFH@NBUDI NT NT
͍ʂʂʂ
όοΫτϥοΫ੍ݶ D .BTBTIJ4IJOCBSB!TIJOY wઃఆʹΑΔόοΫτϥοΫ੍ݶ QDSFCBDLUSBDL@MJNJUʢσϑΥϧτ ʣ w্ݶʹୡ͢ΔͱΤϥʔͰऴྃ wQSFH@NBUDI ͷΓ͕GBMTF
ΤϥʔΛࣔ͢ wQSFH@MBTU@FSSPS ͰΤϥʔίʔυऔಘ
1)1Ͱ࣮ߦ D .BTBTIJ4IJOCBSB!TIJOY <?php preg_match('/(a+)+$/', 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaX', $m); $error =
preg_last_error(); if ($error === PREG_BACKTRACK_LIMIT_ERROR) { echo 'backtrack limit error', PHP_EOL; } else if ($error > 0) { echo 'other error', PHP_EOL; } $ php redos.php backtrack limit error
1)1Ͱ࣮ߦʢ੍ݶ֎͠ʣ D .BTBTIJ4IJOCBSB!TIJOY ini_set('pcre.backtrack_limit', 10000000000); preg_match('/(a+)+$/', 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaX'); 1)1 1)1 QSFH@NBUDI
NT NT ͕͔͔࣌ؒΔ
$47ͷύʔε D .BTBTIJ4IJOCBSB!TIJOY wਖ਼نදݱͰ࣮ w1P$ͳ$47Λύʔε͢Δͱ 4FHNFOUBUJPO'BVMUʢ1)1ʣ wHPPECZDTWͰॻ͖ͯ͠ରԠ
·ͱΊ
·ͱΊ D .BTBTIJ4IJOCBSB!TIJOY wϚονϯάͷྲྀΕ wύϑΥʔϚϯεͷӨڹ wਖ਼نදݱΛ͋͑ͯΘͳ͍બࢶ
ࢀߟ D .BTBTIJ4IJOCBSB!TIJOY w4UBDL&YDIBOHF͕߈ܸ͞Εͨ3F%P4ͷޮՌcZPIHBLJTCMPH IUUQTCMPHPIHBLJOFUTUBDLFYDIBOHFSFEPTBUUBDL w3F%P4ͷճආcZPIHBLJTCMPH IUUQTCMPHPIHBLJOFUBWPJEJOHSFEPT
D .BTBTIJ4IJOCBSB!TIJOY !TIJOY !TIJOY D .BTBTIJ4IJOCBSB!TIJOY