
Author yetingli
Recipients yetingli
Date 2020-09-04.09:47:22
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1599212842.75.0.630288607393.issue41712@roundup.psfhosted.org>
In-reply-to
Content
I find that this regex "(\d+\.\d+\.\d+)(\w+\d+)?$" may get stuck on some input.
The vulnerable regex is located in
https://github.com/python/cpython/blob/54a66ade2067c373d31003ad260e1b7d14c81564/Tools/msi/purge.py#L15

The ReDoS vulnerability of the regex is mainly due to the sub-pattern \w+\d+
and can be exploited with the following string
"1.1.1"+"1" * 5000 + "!"
I think you can limit the input length or fix this regex.

For example, you can modify the sub-pattern \w+\d+ to ([A-Za-z_]*\d)+

Looking forward to your response!

Best,
Yeting Li
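An added check that combines the two mitigations proposed in the report above: a length limit applied before the regex runs, and the suggested sub-pattern rewrite. This is example code, not part of the report or of Tools/msi/purge.py; the 32-character bound is an assumption, and the rewritten sub-pattern is wrapped in a non-capturing group so that group(2) still returns the whole suffix (e.g. "rc10" rather than only the last repetition "0").

```python
import re
import time

# Pattern quoted in the report (Tools/msi/purge.py) and a rewrite that
# follows the report's suggestion ([A-Za-z_]*\d)+, wrapped in a non-capturing
# group so group(2) still yields the whole suffix, e.g. "rc10" and not "0".
ORIGINAL_RE = re.compile(r"(\d+\.\d+\.\d+)(\w+\d+)?$")
HARDENED_RE = re.compile(r"(\d+\.\d+\.\d+)((?:[A-Za-z_]*\d)+)?$")

# Assumed length bound: real Python version tags are a handful of characters,
# so rejecting long input before the regex runs caps the backtracking cost.
MAX_VERSION_LEN = 32


def parse_version(text, pattern=HARDENED_RE, max_len=MAX_VERSION_LEN):
    """Return (base, suffix) for a well-formed version tag, else None."""
    if len(text) > max_len:  # length limit first, as the report suggests
        return None
    m = pattern.match(text)
    if m is None:
        return None
    return m.group(1), m.group(2) or ""


def pathological_input(n):
    """Worst-case shape from the report: valid prefix, n digits, non-word char."""
    return "1.1.1" + "1" * n + "!"


def timed_match(pattern, text):
    """Match once and return (matched, elapsed_seconds) for comparison runs."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample tags: both patterns must agree on well-formed input.
    for tag in ["3.9.0", "3.9.0rc1", "3.10.0a1", "3.9.0rc10", "3.9", "3.9.0rc"]:
        print(f"{tag!r:12} original={parse_version(tag, ORIGINAL_RE, 10**9)}"
              f" hardened={parse_version(tag, HARDENED_RE, 10**9)}")
    # Small n keeps the original pattern's super-linear backtracking within
    # seconds; the hardened pattern stays fast at a much larger n.
    for pattern, n in ((ORIGINAL_RE, 300), (HARDENED_RE, 5000)):
        matched, secs = timed_match(pattern, pathological_input(n))
        print(f"{pattern.pattern!r} n={n} matched={matched} {secs:.3f}s")
```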