[issue41715] REDoS in c_analyzer

2020-09-17 Thread Serhiy Storchaka


Change by Serhiy Storchaka:


--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue41715] REDoS in c_analyzer

2020-09-17 Thread Serhiy Storchaka


Serhiy Storchaka added the comment:


New changeset dcfaa520c4638a67052a4ff4a2a820be68750ad7 by Serhiy Storchaka in branch 'master':
bpo-41715: Fix potential catastrophic backtracking in c_analyzer. (GH-22091)
https://github.com/python/cpython/commit/dcfaa520c4638a67052a4ff4a2a820be68750ad7


--




[issue41715] REDoS in c_analyzer

2020-09-04 Thread Serhiy Storchaka


Change by Serhiy Storchaka:


--
keywords: +patch
pull_requests: +21178
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/22091




[issue41715] REDoS in c_analyzer

2020-09-04 Thread yeting li


yeting li added the comment:

I'm sorry there was a typo just now.


replace _\w*[a-zA-Z]\w* with (_\d*)+([a-zA-Z]([_\d])*)+

--




[issue41715] REDoS in c_analyzer

2020-09-04 Thread yeting li


yeting li added the comment:

You can use the dk.brics.automaton library to verify whether two regexes are 
equivalent.

--




[issue41715] REDoS in c_analyzer

2020-09-04 Thread yeting li


yeting li added the comment:

I think we can replace \w*[a-zA-Z]\w* with (_\d*)+([a-zA-Z]([_\d])*)+

This is an equivalent fix and the fixed regex is safe.

Does that sound right to you?

--




[issue41715] REDoS in c_analyzer

2020-09-04 Thread Serhiy Storchaka


Serhiy Storchaka added the comment:

I would use

   NAME_RE = re.compile(r'(?![_\d]+\Z)(?!\d)\w+', re.ASCII)

or

   NAME_RE = re.compile(r'(?=.*[A-Za-z])(?!\d)\w+', re.ASCII)

and NAME_RE.fullmatch() instead of NAME_RE.match().

But why are identifiers not containing letters disabled in the first place? Is
_123 an invalid identifier in C?

--

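A bounded equivalence check in Python for the patterns proposed in this thread, in the spirit of the dk.brics.automaton suggestion; this is an added example, not code from the tracker, the patch or c_analyzer. The alphabet, the length bound, `re.ASCII` on the first two patterns and the `reference` helper are assumptions made for the example, and agreement up to the bound is evidence, not proof.

```python
import re
import string
from itertools import product

# Constructed alphabet: one representative per character class that matters
# here (lower/upper letter, underscore, digit, non-word char, newline).
ALPHABET = "aZ_7-\n"
MAX_LEN = 5

# Patterns as quoted in the thread. re.ASCII on the first two is an assumption
# made here so that all four are compared under the same \w and \d.
OLD_PART = re.compile(r'_\w*[a-zA-Z]\w*', re.ASCII)
NEW_PART = re.compile(r'(_\d*)+([a-zA-Z]([_\d])*)+', re.ASCII)
NAME_A = re.compile(r'(?![_\d]+\Z)(?!\d)\w+', re.ASCII)
NAME_B = re.compile(r'(?=.*[A-Za-z])(?!\d)\w+', re.ASCII)

WORD = set(string.ascii_letters + string.digits + "_")


def all_strings(alphabet=ALPHABET, max_len=MAX_LEN):
    """Yield every string over `alphabet` of length 0..max_len."""
    for n in range(max_len + 1):
        for chars in product(alphabet, repeat=n):
            yield "".join(chars)


def accepted(pattern):
    """Set of enumerated strings the pattern matches in full."""
    return {s for s in all_strings() if pattern.fullmatch(s)}


def disagreements(p, q):
    """Strings accepted by exactly one of the two patterns."""
    return sorted(accepted(p) ^ accepted(q))


def reference(s):
    """Hypothetical plain-Python reading of NAME_A/NAME_B: ASCII word
    characters only, no leading digit, at least one letter."""
    return (bool(s) and set(s) <= WORD and s[0] not in string.digits
            and any(c in string.ascii_letters for c in s))


if __name__ == "__main__":
    print("old vs new sub-pattern:", disagreements(OLD_PART, NEW_PART)[:5])
    print("NAME_A vs NAME_B:", disagreements(NAME_A, NAME_B)[:5])
    expected = {s for s in all_strings() if reference(s)}
    print("NAME_A vs reference:", sorted(accepted(NAME_A) ^ expected)[:5])
```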



[issue41715] REDoS in c_analyzer

2020-09-04 Thread Serhiy Storchaka


Change by Serhiy Storchaka:


--
nosy: +eric.snow, serhiy.storchaka




[issue41715] REDoS in c_analyzer

2020-09-04 Thread yeting li


Change by yeting li:


--
components: +Library (Lib)
type:  -> security
versions: +Python 3.10




[issue41715] REDoS in c_analyzer

2020-09-04 Thread yeting li


Change by yeting li:


--
title: REDoS inc_analyzer -> REDoS in c_analyzer
