Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
正規表現再入門/introduction-to-regex
Search
shin1x1
November 03, 2016
Programming
6
13k
正規表現再入門/introduction-to-regex
2016/11/03 PHPカンファレンス2016
shin1x1
November 03, 2016
Tweet
Share
More Decks by shin1x1
See All by shin1x1
抽象化という思考のツール - 開発現場での活用 - / Abstraction-as-a-Tool-for-Thinking-in-dev
shin1x1
0
100
抽象化という思考のツール - 理解と活用 - / Abstraction-as-a-Tool-for-Thinking
shin1x1
1
1.1k
php-fpm がリクエスト処理する仕組みを追う / Tracing-How-php-fpm-Handles-Requests
shin1x1
6
3.6k
PHP ユーザのための OpenTelemetry 入門 / phpcon2024-opentelemetry
shin1x1
3
2.2k
PHPコードの実行モデルを理解する / Understanding-the-PHP-Execution-Model
shin1x1
2
2.8k
制約の力 - 状態を限定する -
shin1x1
6
5.4k
Apple Silicon Mac 時代の PHP 開発環境構築 2021 / php-dev-env-on-m1-mac-era
shin1x1
2
4.8k
Docker イメージのマルチアーキテクチャビルド / docker-muti-arch-build
shin1x1
1
510
Domain modeling with PHP / domain-modeling-with-php-en
shin1x1
1
290
Other Decks in Programming
See All in Programming
Conquering Massive Traffic Spikes in Ruby Applications with Pitchfork
riseshia
0
140
Playwrightはどのようにクロスブラウザをサポートしているのか
yotahada3
7
2.2k
階層構造を表現するデータ構造とリファクタリング 〜1年で10倍成長したプロダクトの変化と課題〜
yuhisatoxxx
3
830
Back to the Future: Let me tell you about the ACP protocol
terhechte
0
120
Server Less Code More - コードを書かない時代に生きるサーバーレスデザイン / server-less-code-more
gawa
5
1.9k
Current States of Java Web Frameworks at JCConf 2025
kishida
0
520
Reactをクライアントで使わない
yusukebe
7
6.3k
Local Peer-to-Peer APIはどのように使われていくのか?
hal_spidernight
2
410
Web フロントエンドエンジニアに開かれる AI Agent プロダクト開発 - Vercel AI SDK を観察して AI Agent と仲良くなろう! #FEC余熱NIGHT
izumin5210
2
290
実践AIチャットボットUI実装入門
syumai
7
2.4k
詳しくない分野でのVibe Codingで困ったことと学び/vibe-coding-in-unfamiliar-area
shibayu36
1
580
uniqueパッケージの内部実装を支えるweak pointerの話
magavel
0
840
Featured
See All Featured
Principles of Awesome APIs and How to Build Them.
keavy
127
17k
Scaling GitHub
holman
463
140k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Side Projects
sachag
455
43k
Code Reviewing Like a Champion
maltzj
525
40k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
The Invisible Side of Design
smashingmag
301
51k
Java REST API Framework Comparison - PWX 2021
mraible
33
8.8k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Being A Developer After 40
akosma
90
590k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
36
2.5k
Producing Creativity
orderedlist
PRO
347
40k
Transcript
ɹ!shin1x1 2016//03 PHPΧϯϑΝϨϯε ਖ਼نදݱ࠶ೖ
ৄࡉਖ਼نදݱ ਖ਼نදݱٕज़ೖ
D .BTBTIJ4IJOCBSB!TIJOY "HFOEB w1)1ͷਖ਼نදݱ wϚονϯά wόοΫτϥοΫ w3F%P4
1)1ͷਖ਼نදݱ
1)1ͷਖ਼نදݱ D .BTBTIJ4IJOCBSB!TIJOY w1$3& QSFHܥ w104*9ਖ਼نදݱ FSFHܥʢ1)1ͰඇਪɺͰഇࢭʣ wَं NC@FSFHܥ
1)1ͷਖ਼نදݱ D .BTBTIJ4IJOCBSB!TIJOY w1$3& QSFHܥ w104*9ਖ਼نදݱ FSFHܥʢ1)1ͰඇਪɺͰഇࢭʣ wَं NC@FSFHܥ
ਖ਼نදݱͷओͳར༻༻్ D .BTBTIJ4IJOCBSB!TIJOY wจࣈྻ͕Ϛον͢Δ͔Ͳ͏͔ͷผ wจࣈྻ͔ΒϚονͨ͠Օॴͷऔಘ wจࣈྻͷϚονͨ͠ՕॴΛஔ wϚονͨ͠ՕॴͰจࣈྻΛׂ
ਖ਼نදݱͷओͳར༻༻్ D .BTBTIJ4IJOCBSB!TIJOY wϚον͢Δ͔Ͳ͏͔ͷผ wϚονͨ͠Օॴͷऔಘ QSFH@NBUDI QSFH@NBUDI@BMM QSFH@HSFQ wϚονͨ͠Օॴͷஔ
QSFH@SFQMBDF QSFH@pMUFS wϚονͨ͠ՕॴͰจࣈྻΛׂ QSFH@TQMJU
Ϛονϯά
Ϛονϯάͷಛ D .BTBTIJ4IJOCBSB!TIJOY wਖ਼نදݱؤுΓ w࠷ॳʹϚονͨ͠ͷ͕༏ઌ wඪ४ͷྔࢦఆࢠཉுΓʢHSFFEZʣ
Ϛονϯάͷಛ D .BTBTIJ4IJOCBSB!TIJOY wਖ਼نදݱؤுΓ w࠷ॳʹϚονͨ͠ͷ͕༏ઌ wඪ४ͷྔࢦఆࢠཉுΓʢHSFFEZʣ ࠷࠷ࠨϚονϯά
ਖ਼نදݱؤுΓ D .BTBTIJ4IJOCBSB!TIJOY wϚον͢Δ·ͰऔΓಘΔશͯͷύλʔϯΛࢼߦ Ϛον͢Εऴྃ wऔΓಘΔશͯͷύλʔϯ͕Ϛον͠ͳ͍ Ϛονࣦഊ wϚονࣦഊͷ߹ɺॲཧྔ͕େʹͳΔՄೳੑ
B aE
B aE aE ΛͰϚον
B aE ͱBϚον͠ͳ͍
B aE aE ΛͰϚον όοΫτϥοΫ
B aE ͱϚον͠ͳ͍
B aE จࣈྻΛਐΊͯ aE ΛͰϚον
B aE ͱBϚον͠ͳ͍
B aE จࣈྻΛਐΊΔͱ aE ͕Ϛον͢Δͷ͕ແ͍ Ϛονࣦഊ
࠷ॳʹϚονͨ͠ͷ͕༏ઌ D .BTBTIJ4IJOCBSB!TIJOY wจࣈྻͰ࠷ࠨʹ͋ΔϚον͕༏ઌ ʢ࠷ॳʹϚονͨ͠Օॴʣ wਖ਼نදݱʢબʣͷฒͼͰͳ͍
1FO1JOFBQQMF"QQMF1FO
1FO1JOFBQQMF"QQMF1FO ?1FO Ϛον͢Δ
1FO1JOFBQQMF"QQMF1FO 1FO 1FO1JOFBQQMF"QQMF1FO
1FO1JOFBQQMF"QQMF1FO 1FO จࣈྻͷࠨଆͰϚονͨ͠ͷ͕༏ઌ ʢ্ͷύλʔϯͰऴྃʣ 1FO1JOFBQQMF"QQMF1FO
1FO1JOFBQQMF"QQMF1FO "QQMFc1FO
1FO1JOFBQQMF"QQMF1FO "QQMFc1FO 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO
1FO1JOFBQQMF"QQMF1FO "QQMFc1FO 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO จࣈྻͷࠨଆͰϚονͨ͠ͷ͕༏ઌ
ඪ४ͷྔࢦఆࢠཉுΓ D .BTBTIJ4IJOCBSB!TIJOY wඪ४ͷྔࢦఆࢠɺ࠷ʹϚον wσϑΥϧτͰ࠷େྔࢦఆࢠͱͯ͠ಈ͘
ྔࢦఆࢠ D .BTBTIJ4IJOCBSB!TIJOY wલͷύλʔϯͷ܁Γฦ͠Λࣔ͢ w ɺ ɺ ɺ\O N^ wB
ͳΒʮBʯʮBBCʯʮDBBBBCʯͳͲʹϚον
1FO1JOFBQQMF"QQMF1FO 1 O ճҎ্
1FO1JOFBQQMF"QQMF1FO 1 O 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO
1FO1JOFBQQMF"QQMF1FO 1 O ඪ४ͷྔࢦఆࢠ࠷ͰϚον
1FO1JOFBQQMF"QQMF1FO 1 O ճҎ্
1FO1JOFBQQMF"QQMF1FO 1 O ͘͠ճ 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO
1FO1JOFBQQMF"QQMF1FO 1 O ͘͠ճ 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO
1\ ^O ճҎ্ճҎԼ 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO
1\ ^O 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO 1FO1JOFBQQMF"QQMF1FO ճҎ্ճҎԼ
ྔࢦఆࢠͷϚονϯάύλʔϯ D .BTBTIJ4IJOCBSB!TIJOY w࠷େྔࢦఆࢠʢσϑΥϧτʣ w࠷খྔࢦఆࢠ wઈର࠷େྔࢦఆࢠ
࠷େྔࢦఆࢠ D .BTBTIJ4IJOCBSB!TIJOY wྔࢦఆࢠσϑΥϧτͷಈ͖ w \O N^ w࠷ʹϚονɺཉுΓͳϚον
࠷খྔࢦఆࢠ D .BTBTIJ4IJOCBSB!TIJOY wྔࢦఆࢠʹ Λ͚ͯࢦఆ w ɺ ɺ ɺ\O N^
w࠷খͷϚονɺ߇͑ΊͳϚον
1FO1JOFBQQMF"QQMF1FO 1 O ࠷ͰϚον
1FO1JOFBQQMF"QQMF1FO 1 O ࠷ͰϚον
GPPBOECBS GPPΛϚον͍ͨ͠
࠷େྔࢦఆࢠ GPPBOECBS
<?> Ҏ֎ͷ܁Γฦ͠ GPPBOECBS
࠷খྔࢦఆࢠ GPPBOECBS
࠷େྔࢦఆࢠͱ࠷খྔࢦఆࢠ D .BTBTIJ4IJOCBSB!TIJOY w࠷େྔࢦఆࢠ࠷Ұக͔Βࢼߦ͍ͯ͘͠ w࠷খྔࢦఆࢠ࠷Ұக͔Βࢼߦ͍ͯ͘͠ wϚον͠ͳ͍߹ͲͪΒಉ͡ࢼߦΛߦ͏
ઈର࠷େྔࢦఆࢠ D .BTBTIJ4IJOCBSB!TIJOY wྔࢦఆࢠʹ Λ͚ͯࢦఆ w ɺ ɺ ɺ\O N^
wڧཉͳϚονɺఘΊͳ͍Ϛον
1FO1JOFBQQMF"QQMF1FO 1 O Ϛονࣦഊ
όοΫτϥοΫ
όοΫτϥοΫ D .BTBTIJ4IJOCBSB!TIJOY wϚον͕ࣦഊͨ͠߹ʹ લͷਖ਼نදݱʹΓɺผͷϚονΛߦ͏ wਖ਼͍͠ղΛಘΔ·ͰՄೳͳΈ߹ΘͤΛ ޮతʹࢼ͍ͯ͘͠ https://ja.wikipedia.org/wiki/όοΫτϥοΩϯά
1FO1JOFBQQMF"QQMF1FO 1 O Ϛον͢Δ
1FO1JOFBQQMF"QQMF1FO 1 O Ϛον͢Δ
1FO1JOFBQQMF"QQMF1FO 1 O OͱߦͳͷͰ Ϛον͠ͳ͍
1FO1JOFBQQMF"QQMF1FO 1 O จࣈͯ͘͠Ϛον όοΫτϥοΫ
1FO1JOFBQQMF"QQMF1FO 1 O Ϛονޭ
1FO1JOFBQQMF"QQMF1FO 1 O Ϛον͢Δ
1FO1JOFBQQMF"QQMF1FO 1 O Ϛον͢Δ Ϛονͨ͠ൣғΛΞτϛοΫʹѻ͏
1FO1JOFBQQMF"QQMF1FO 1 O OͱߦͳͷͰ Ϛον͠ͳ͍
1FO1JOFBQQMF"QQMF1FO 1 O ͰϚονͨ͠Օॴͷ࠶୳ࠪߦΘͣɺ ਖ਼نදݱΛ1͔ΒϚον͢͠
1FO1JOFBQQMF"QQMF1FO 1 O Ϛον͢Δ Ϛονͨ͠ൣғΛΞτϛοΫʹѻ͏
1FO1JOFBQQMF"QQMF1FO 1 O OͱߦͳͷͰ Ϛον͠ͳ͍
1FO1JOFBQQMF"QQMF1FO 1 O ͰϚονͨ͠Օॴͷ࠶୳ࠪߦΘͣɺ ਖ਼نදݱΛ1͔ΒϚον͢͠
1FO1JOFBQQMF"QQMF1FO 1 O Ϛον͢Δ Ϛονͨ͠ൣғΛΞτϛοΫʹѻ͏
1FO1JOFBQQMF"QQMF1FO 1 O OͱߦͳͷͰ Ϛον͠ͳ͍
1FO1JOFBQQMF"QQMF1FO 1 O Ϛονࣦഊ
ઈର࠷େྔࢦఆࢠ D .BTBTIJ4IJOCBSB!TIJOY wҰϚονϯάͨ͠ൣғΛΞτϛοΫʹѻ͍ɺ όοΫτϥοΫͰख์͞ͳ͍ wΞτϛοΫάϧʔϓͰಉ༷ͷޮՌ Ͱಉ༷ͷޮՌ wόοΫτϥοΫൃੜΛ͑Δ
SFHVMBSFYQSFTTJPOT D .BTBTIJ4IJOCBSB!TIJOY https://regex101.com/
None
όοΫτϥοΫʹΑΔ %P4
http://stackstatus.net/post/147710624694/outage-postmortem-july-20-2016
w4UBDL0WFSqPXͰؒΞΫηεෆೳ wจࣈྻલޙͷۭനΛআ͢Δਖ਼نදݱ w?<aTaVD> c<aTaVD> w ͷۭന ඌۭനҎ֎
ݕূ D .BTBTIJ4IJOCBSB!TIJOY wQSFH@SFQMBDF 1)1 w୯७Խͯ͠ɺaT ͱaT Ͱݕূ w/ݸͷۭന
`B`ʹରͯ͠ॲཧ
/TQBDFT B 1)1 1)1 NT NT NT
NT NT NT NT NT QSFH@SFQMBDF aT
/TQBDFT B 1)1 1)1 NT NT NT
NT NT NT NT aT ൺ NT aT ൺ QSFH@SFQMBDF aT
ରԠࡦ D .BTBTIJ4IJOCBSB!TIJOY wઈର࠷େྔࢦఆࢠͰόοΫτϥοΫΛ੍ wจࣈྻΛόϦσʔγϣϯͰ੍ݶ wਖ਼نදݱΛΘͳ͍ 4UBDL0WFSqPXͰͷରԠ จࣈྻؔͰஔ͑
3F%P4
3F%P4 D .BTBTIJ4IJOCBSB!TIJOY wਖ਼نදݱΛѱ༻ͨ͠%P4 w͔Βఏى͞Ε͍ͯͨ wϚον͠ͳ͍ύλʔϯͰ߈ܸ https://www.checkmarx.com/wp-content/uploads/2015/03/ReDoS-Attacks.pdf
https://www.checkmarx.com/wp-content/uploads/2015/03/ReDoS-Attacks.pdf
&WJM3FHFY1BUUFSOT D .BTBTIJ4IJOCBSB!TIJOY w B w <B[";> w
BcBB w BcB w B \Y^cGPSY
BBBBBBBBBBBBBBBBBBB9 B
TUFQT ࢀߟ յ໓తͳόοΫτϥοΫ B BBBBBBBBBBBBBBBBBBB9
&WJM3FHFY1BUUFSOT D .BTBTIJ4IJOCBSB!TIJOY wΘ͔ͣจࣈͷจࣈྻͰ Έ߹Θͤരൃ͕ى͜Δ wྔࢦఆࢠͷೖΕࢠɺબͱྔࢦఆࢠͷೖΕࢠ
1)1Ͱ࣮ߦ D .BTBTIJ4IJOCBSB!TIJOY preg_match('/(a+)+$/', 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaX'); 1)1 1)1 QSFH@NBUDI NT NT
͍ʂʂʂ
όοΫτϥοΫ੍ݶ D .BTBTIJ4IJOCBSB!TIJOY wઃఆʹΑΔόοΫτϥοΫ੍ݶ QDSFCBDLUSBDL@MJNJUʢσϑΥϧτ ʣ w্ݶʹୡ͢ΔͱΤϥʔͰऴྃ wQSFH@NBUDI ͷΓ͕GBMTF
ΤϥʔΛࣔ͢ wQSFH@MBTU@FSSPS ͰΤϥʔίʔυऔಘ
1)1Ͱ࣮ߦ D .BTBTIJ4IJOCBSB!TIJOY <?php preg_match('/(a+)+$/', 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaX', $m); $error =
preg_last_error(); if ($error === PREG_BACKTRACK_LIMIT_ERROR) { echo 'backtrack limit error', PHP_EOL; } else if ($error > 0) { echo 'other error', PHP_EOL; } $ php redos.php backtrack limit error
1)1Ͱ࣮ߦʢ੍ݶ֎͠ʣ D .BTBTIJ4IJOCBSB!TIJOY ini_set('pcre.backtrack_limit', 10000000000); preg_match('/(a+)+$/', 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaX'); 1)1 1)1 QSFH@NBUDI
NT NT ͕͔͔࣌ؒΔ
$47ͷύʔε D .BTBTIJ4IJOCBSB!TIJOY wਖ਼نදݱͰ࣮ w1P$ͳ$47Λύʔε͢Δͱ 4FHNFOUBUJPO'BVMUʢ1)1ʣ wHPPECZDTWͰॻ͖ͯ͠ରԠ
·ͱΊ
·ͱΊ D .BTBTIJ4IJOCBSB!TIJOY wϚονϯάͷྲྀΕ wύϑΥʔϚϯεͷӨڹ wਖ਼نදݱΛ͋͑ͯΘͳ͍બࢶ
ࢀߟ D .BTBTIJ4IJOCBSB!TIJOY w4UBDL&YDIBOHF͕߈ܸ͞Εͨ3F%P4ͷޮՌcZPIHBLJTCMPH IUUQTCMPHPIHBLJOFUTUBDLFYDIBOHFSFEPTBUUBDL w3F%P4ͷճආcZPIHBLJTCMPH IUUQTCMPHPIHBLJOFUBWPJEJOHSFEPT
D .BTBTIJ4IJOCBSB!TIJOY !TIJOY !TIJOY D .BTBTIJ4IJOCBSB!TIJOY