[issue41712] REDoS in purge

2020-11-14 Thread Yash Shete
Change by Yash Shete: -- pull_requests: +22179 pull_request: https://github.com/python/cpython/pull/23287

[issue41712] REDoS in purge

2020-11-09 Thread Steve Dower
Steve Dower added the comment: Thanks Yash for the fix! -- resolution: -> fixed stage: patch review -> resolved status: open -> closed

[issue41712] REDoS in purge

2020-11-09 Thread Steve Dower
Steve Dower added the comment: New changeset 1f73c320e2921605c4963e202f6bdac1ef18f2ce by Yash Shete in branch 'master': bpo-41712: Avoid runaway regex match in upload scripts (GH-23166) https://github.com/python/cpython/commit/1f73c320e2921605c4963e202f6bdac1ef18f2ce --

[issue41712] REDoS in purge

2020-11-07 Thread Yash Shete
Change by Yash Shete: -- pull_requests: +22094 pull_request: https://github.com/python/cpython/pull/23191

[issue41712] REDoS in purge

2020-11-05 Thread Yash Shete
Change by Yash Shete: -- keywords: +patch pull_requests: +22078 stage: needs patch -> patch review pull_request: https://github.com/python/cpython/pull/23166

[issue41712] REDoS in purge

2020-11-05 Thread Yash Shete
Yash Shete added the comment: Vulnerable regex conditions are removed. bpo-41712: Removal of vulnerable regex conditions. Using the suggestion "For example, you can modify the sub-pattern \w+\d+ to ([A-Za-z_]*\d)+" and converted to ([A-za-z_]+\d+), which should fix the issue of vulnerable

[issue41712] REDoS in purge

2020-11-05 Thread Yash Shete
Change by Yash Shete: Removed file: https://bugs.python.org/file49571/purge.py

[issue41712] REDoS in purge

2020-11-05 Thread Yash Shete
Yash Shete added the comment: Converted regex from \w+\d+ to ([A-Za-z_]*\d)+ as asked. You can modify the sub-pattern \w+\d+ to ([A-Za-z_]*\d)+ and it is working fine. -- nosy: +Pixmew Added file: https://bugs.python.org/file49571/purge.py

[issue41712] REDoS in purge

2020-09-04 Thread Steve Dower
Steve Dower added the comment: I've considered DoSing myself a few times, but then change my mind and just publish the release :) A PR to change it to "(\d+\.\d+\.\d+)([a-zA-Z]+\d+)?$" would be fine, but is not urgent. It certainly doesn't need to be backported, as this is only ever used

[issue41712] REDoS in purge

2020-09-04 Thread Zachary Ware
Zachary Ware added the comment: Does it matter? This is not a library, it is a script used occasionally by a release manager, called manually, and the only input to the regex is provided via a command-line argument in that manual call. I don't think Steve plans to REDoS himself :)

[issue41712] REDoS in purge

2020-09-04 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Thank you for your report, yeting li. The pattern modification looks good to me. Would you mind creating a pull request? -- keywords: +easy nosy: +serhiy.storchaka stage: -> needs patch versions: +Python 3.8, Python 3.9

[issue41712] REDoS in purge

2020-09-04 Thread yeting li
New submission from yeting li: I find this regex "(\d+\.\d+\.\d+)(\w+\d+)?$" may get stuck on some input. The vulnerable regex is located in https://github.com/python/cpython/blob/54a66ade2067c373d31003ad260e1b7d14c81564/Tools/msi/purge.py#L15 The ReDoS vulnerability of the regex is mainly due to
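
Added example, not part of the thread or of CPython's code: a regression check comparing the pattern quoted in the report with the replacement Steve Dower suggested. Because `\d` is a subset of `\w`, a digit run can be divided between the third `\d+`, `\w+` and the final `\d+` in many ways, so a failed match backtracks through all of them. The version strings, the non-matching input and the function names are constructed for illustration.

```python
import re
import time

# Pattern quoted in the report, and the replacement suggested in the thread.
ORIGINAL = re.compile(r"(\d+\.\d+\.\d+)(\w+\d+)?$")
SUGGESTED = re.compile(r"(\d+\.\d+\.\d+)([a-zA-Z]+\d+)?$")

# Constructed sample inputs: ordinary release version strings.
VALID = ["3.9.0", "3.9.0rc1", "3.10.0a2", "3.8.6b12"]


def same_on_valid(versions=VALID):
    """True if both patterns match every version with identical groups."""
    for v in versions:
        old, new = ORIGINAL.match(v), SUGGESTED.match(v)
        if not old or not new or old.groups() != new.groups():
            return False
    return True


def reject_time(pattern, n):
    """Seconds needed to reject a constructed non-matching string: a run of
    n digits followed by one character that no part of the pattern accepts."""
    text = "1.1." + "1" * n + "!"
    start = time.perf_counter()
    matched = pattern.match(text)
    elapsed = time.perf_counter() - start
    if matched is not None:
        raise ValueError("constructed input unexpectedly matched")
    return elapsed


def growth(pattern, sizes=(100, 200, 400)):
    """Rejection time at each size; doubling n shows the growth rate."""
    return [reject_time(pattern, n) for n in sizes]


if __name__ == "__main__":
    print("same results on valid versions:", same_on_valid())
    for name, pat in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, ["%.5fs" % t for t in growth(pat)])
```

Run as a script, it prints the rejection times for both patterns at each size; the check is useful when reviewing any replacement pattern, since it confirms that accepted inputs are unchanged while the rejection cost no longer grows steeply.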