This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: REDoS in purge
Type: behavior Stage: resolved
Components: Installation, Windows Versions: Python 3.10
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: Pixmew, paul.moore, serhiy.storchaka, steve.dower, tim.golden, yetingli, zach.ware
Priority: normal Keywords: easy, patch

Created on 2020-09-04 09:47 by yetingli, last changed 2022-04-11 14:59 by admin. This issue is now closed.

File name Uploaded Description Edit yetingli, 2020-09-04 09:47 Pixmew, 2020-11-05 15:26
Pull Requests
URL Status Linked Edit
PR 23166 merged Pixmew, 2020-11-05 15:48
PR 23191 closed Pixmew, 2020-11-07 15:20
PR 23287 closed Pixmew, 2020-11-14 17:38
Messages (8)
msg376343 - (view) Author: yeting li (yetingli) * Date: 2020-09-04 09:47
I  find this regex "(\d+\.\d+\.\d+)(\w+\d+)?$" may be stucked by input.
The vulnerable regex is located in

The ReDOS vulnerability of the regex is mainly due to the sub-pattern \w+\d+
and can be exploited with the following string
"1.1.1"+"1" * 5000 + "!"

I think you can limit the input length or fix this regex.

For example, you can modify the sub-pattern \w+\d+ to ([A-Za-z_]*\d)+

Looking forward for your response​!

Yeting Li
msg376356 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2020-09-04 11:14
Thank you for your report yeting li. The pattern modification looks good to me. Do you mind to create a pull request?
msg376377 - (view) Author: Zachary Ware (zach.ware) * (Python committer) Date: 2020-09-04 15:43
Does it matter?  This is not a library, it is a script used occasionally by a release manager, called manually, and the only input to the regex is provided via a command-line argument in that manual call.  I don't think Steve plans to REDoS himself :)
msg376385 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-09-04 16:30
I've considered DoSing myself a few times, but then change my mind and just publish the release :)

A PR to change it to "(\d+\.\d+\.\d+)([a-zA-Z]+\d+)?$" would be fine, but is not urgent. It certainly doesn't need to be backported, as this is only ever used from master these days.

Personally I'd be just as happy closing the issue. I know that the current script works, and there's nothing worse than breaking a release because someone has changed the release scripts without testing them properly.
msg380411 - (view) Author: Yash Shete (Pixmew) * Date: 2020-11-05 15:01
converted regex from \w+\d+ to ([A-Za-z_]*\d)+
as asked.
you can modify the sub-pattern \w+\d+ to ([A-Za-z_]*\d)+
and is working fine
msg380413 - (view) Author: Yash Shete (Pixmew) * Date: 2020-11-05 15:26
Vulnerable regex conditions are removed

bpo-41712: Removal of Vulnerable regex conditions  
Using suggestion  ""For example, you can modify the sub-pattern \w+\d+ to ([A-Za-z_]*\d)+""  and converted to ([A-za-z_]+\d+)
which should Fix the issue of vulnerable regex.
Test Result : Working as intended

Sorry if this not much this is my first pr to big org
msg380601 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-11-09 17:38
New changeset 1f73c320e2921605c4963e202f6bdac1ef18f2ce by Yash Shete in branch 'master':
bpo-41712: Avoid runaway regex match in upload scripts (GH-23166)
msg380610 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-11-09 19:14
Thanks Yash for the fix!
Date User Action Args
2022-04-11 14:59:35adminsetgithub: 85878
2020-11-14 17:38:53Pixmewsetpull_requests: + pull_request22179
2020-11-09 19:14:23steve.dowersetstatus: open -> closed
resolution: fixed
messages: + msg380610

stage: patch review -> resolved
2020-11-09 17:38:17steve.dowersetmessages: + msg380601
2020-11-07 15:20:10Pixmewsetpull_requests: + pull_request22094
2020-11-05 15:48:14Pixmewsetkeywords: + patch
stage: needs patch -> patch review
pull_requests: + pull_request22078
2020-11-05 15:26:11Pixmewsetfiles: +

messages: + msg380413
2020-11-05 15:03:53Pixmewsetfiles: -
2020-11-05 15:01:13Pixmewsetfiles: +
nosy: + Pixmew
messages: + msg380411

2020-09-04 16:30:12steve.dowersetmessages: + msg376385
versions: - Python 3.8, Python 3.9
2020-09-04 15:43:43zach.waresetnosy: + paul.moore, tim.golden, zach.ware, steve.dower
messages: + msg376377

components: + Installation, Windows, - Library (Lib)
type: security -> behavior
2020-09-04 11:14:42serhiy.storchakasetversions: + Python 3.8, Python 3.9
nosy: + serhiy.storchaka

messages: + msg376356

keywords: + easy
stage: needs patch
2020-09-04 09:47:22yetinglicreate