44 lines
1.4 KiB
Diff
44 lines
1.4 KiB
Diff
From 43a9c9bfa6aa626ec2a22540bea28d2ca77964be Mon Sep 17 00:00:00 2001
|
|
From: "Jason R. Coombs" <jaraco@jaraco.com>
|
|
Date: Fri, 4 Nov 2022 13:47:53 -0400
|
|
Subject: [PATCH] Limit the amount of whitespace to search/backtrack.Fixes
|
|
#3659.
|
|
|
|
---
|
|
setuptools/package_index.py | 2 +-
|
|
setuptools/tests/test_packageindex.py | 8 ++++++++
|
|
2 files changed, 9 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
|
|
index 270e7f3..e93fcc6 100644
|
|
--- a/setuptools/package_index.py
|
|
+++ b/setuptools/package_index.py
|
|
@@ -197,7 +197,7 @@ def unique_values(func):
|
|
return wrapper
|
|
|
|
|
|
-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
|
|
+REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
|
|
# this line is here to fix emacs' cruddy broken syntax highlighting
|
|
|
|
|
|
diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
|
|
index 8e9435e..fc544c0 100644
|
|
--- a/setuptools/tests/test_packageindex.py
|
|
+++ b/setuptools/tests/test_packageindex.py
|
|
@@ -308,3 +308,11 @@ class TestPyPIConfig:
|
|
cred = cfg.creds_by_repository['https://pypi.org']
|
|
assert cred.username == 'jaraco'
|
|
assert cred.password == 'pity%'
|
|
+
|
|
+
|
|
+@pytest.mark.timeout(1)
|
|
+def test_REL_DoS():
|
|
+ """
|
|
+ REL should not hang on a contrived attack string.
|
|
+ """
|
|
+ setuptools.package_index.REL.search('< rel=' + ' ' * 2**12)
|
|
--
|
|
2.27.0
|
|
|