
Author yetingli
Recipients yetingli
Date 2021-01-30.08:11:46

I find this regex '(?:^|,)[ \t]*([^ \t]+)[ \t]+' may get stuck on input.

The vulnerable regex is located in

The ReDoS vulnerability of the regex is mainly due to the sub-pattern ',([^ \t]+)' and can be exploited with the following string:
attack_str = "," * 10000

You can execute to reproduce the ReDoS vulnerability.

I would like to suggest that you replace '(?:^|,)[ \t]*([^ \t]+)[ \t]+' with '(?:^|,)[ \t]*([^ \t,]+)[ \t]+'

Looking forward to your response!

Yeting Li
Date                 User      Action  Args
2021-01-30 08:11:46  yetingli  set     recipients: + yetingli
2021-01-30 08:11:46  yetingli  set     messageid: <>
2021-01-30 08:11:46  yetingli  link    issue43075 messages
2021-01-30 08:11:46  yetingli  create
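
An added example, not part of the original report or of the project's code: it compares the two patterns quoted in the message, both for what they capture and for how search time grows on a run of commas. The function names and every input string are constructed for illustration, and the comma runs are much shorter than the one in the report so the script finishes quickly.

```python
import re
import time

# The two patterns quoted in the report.
ORIGINAL = re.compile(r"(?:^|,)[ \t]*([^ \t]+)[ \t]+")
PROPOSED = re.compile(r"(?:^|,)[ \t]*([^ \t,]+)[ \t]+")

# Constructed inputs on which both patterns capture the same tokens.
AGREE = ["Basic realm=x", "Digest  realm=a, Basic realm=b", "token", ""]
# Constructed input where the stricter class changes the capture.
DIFFER = "a,b c"


def captures(pattern, text):
    """Return group 1 of every match, in order."""
    return [m.group(1) for m in pattern.finditer(text)]


def search_seconds(pattern, text, repeats=3):
    """Best-of-N wall time for one pattern.search() call."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.search(text)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    for text in AGREE + [DIFFER]:
        print(repr(text), captures(ORIGINAL, text), captures(PROPOSED, text))
    # Comma runs, kept short: doubling n roughly quadruples the original's
    # time, because [^ \t]+ swallows the remaining commas from every start
    # position and then backs off one character at a time looking for
    # whitespace. With ',' excluded from the class, each start fails at once.
    for n in (500, 1000, 2000):
        run = "," * n
        print(n, f"{search_seconds(ORIGINAL, run):.4f}s",
              f"{search_seconds(PROPOSED, run):.6f}s")
```

The proposed pattern is not a drop-in equivalent for every input: on `a,b c` it captures `b` where the original captures `a,b`, so callers that rely on commas inside the token would see different results.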