[New-bugs-announce] [issue41712] REDoS in purge

yeting li report at bugs.python.org
Fri Sep 4 05:47:22 EDT 2020


New submission from yeting li <liyt at ios.ac.cn>:

I find this regex "(\d+\.\d+\.\d+)(\w+\d+)?$" may get stuck on input.
The vulnerable regex is located in
https://github.com/python/cpython/blob/54a66ade2067c373d31003ad260e1b7d14c81564/Tools/msi/purge.py#L15

The ReDOS vulnerability of the regex is mainly due to the sub-pattern \w+\d+
and can be exploited with the following string
"1.1.1"+"1" * 5000 + "!"


I think you can limit the input length or fix this regex.

For example, you can modify the sub-pattern \w+\d+ to ([A-Za-z_]*\d)+

Looking forward to your response!

Best,
Yeting Li

----------
components: Library (Lib)
files: purge.py
messages: 376343
nosy: yetingli
priority: normal
severity: normal
status: open
title: REDoS in purge
type: security
versions: Python 3.10
Added file: https://bugs.python.org/file49443/purge.py

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue41712>
_______________________________________
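A small harness, added here and not part of the report or of CPython, that checks the proposed rewrite against the reported regex on constructed version-like strings and measures how match time grows as the digit run in the report's input shape doubles. The outer optional group is kept around the proposed sub-pattern, and the sample strings and the helper names (`disagreements`, `stress_input`, `growth_ratio`) are this note's own assumptions.

```python
import re
import time

# Regex as reported for Tools/msi/purge.py, and the same regex with the
# report's proposed sub-pattern swapped in (the outer group stays optional).
ORIGINAL = re.compile(r"(\d+\.\d+\.\d+)(\w+\d+)?$")
PROPOSED = re.compile(r"(\d+\.\d+\.\d+)(([A-Za-z_]*\d)+)?$")

# Constructed samples: version-like strings the regex is meant to accept,
# plus near misses it must reject (assumed, not taken from purge.py).
ACCEPT = ["3.9.0", "3.9.0b1", "3.10.0rc2", "3.8.6a12"]
REJECT = ["3.9", "3.9.0b", "3.9.0-1", "v3.9.0", "3.9.0 "]

def full_match(pattern, text):
    """True when the whole text is accepted (the regex is anchored with $)."""
    return pattern.match(text) is not None

def disagreements(texts):
    """Inputs on which the two regexes give different verdicts (empty = same behaviour)."""
    return [t for t in texts if full_match(ORIGINAL, t) != full_match(PROPOSED, t)]

def stress_input(n):
    """Input of the shape given in the report, with a digit run of length n."""
    return "1.1.1" + "1" * n + "!"

def match_seconds(pattern, text, repeat=3):
    """Best-of-`repeat` wall-clock seconds for one match attempt."""
    best = float("inf")
    for _ in range(repeat):
        start = time.perf_counter()
        pattern.match(text)
        best = min(best, time.perf_counter() - start)
    return max(best, 1e-9)  # guard against a zero reading on tiny inputs

def growth_ratio(pattern, n):
    """Slowdown when the digit run doubles from n to 2n.
    About 2 suggests linear work, 4 quadratic, 8 cubic backtracking."""
    return match_seconds(pattern, stress_input(2 * n)) / match_seconds(pattern, stress_input(n))

if __name__ == "__main__":
    print("verdicts differ on:", disagreements(ACCEPT + REJECT))
    # Small n keeps the original regex's run time bounded; the ratios, not the
    # absolute times, show whether the rewrite changes the growth rate.
    for n in (50, 100, 200):
        print(f"n={n:>3}: original x{growth_ratio(ORIGINAL, n):.1f}, "
              f"proposed x{growth_ratio(PROPOSED, n):.1f}")
```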