]> git.ipfire.org Git - thirdparty/Python/cpython.git/commit
projects / thirdparty / Python / cpython.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: e052d40) | patch
[2.7] closes bpo-32997: Fix REDOS in fpformat (GH-5984)
authorJamie Davis <davisjam@vt.edu>
Tue, 6 Mar 2018 05:59:02 +0000 (00:59 -0500)
committerBenjamin Peterson <benjamin@python.org>
Tue, 6 Mar 2018 05:59:02 +0000 (21:59 -0800)
commit55d5bfba9482d39080f7b9ec3e6257ecd23f264f
treefe770dee608b13e72312faab4e96780891a77fb3tree | snapshot
parente052d40cea15f582b50947f7d906b39744dc62a2commit | diff
[2.7] closes bpo-32997: Fix REDOS in fpformat (GH-5984)

The regex to decode a number in fpformat is susceptible to catastrophic backtracking. This is a potential DOS vector if a server is using fpformat on untrusted number strings.

Replace it with an equivalent non-vulnerable regex. The match behavior of the new regex is slightly different. It captures the whole integer part of the number in one group, Leading zeros are stripped off later.
Lib/fpformat.py diff | blob | blame | history
Lib/test/test_fpformat.py diff | blob | blame | history
Misc/NEWS.d/next/Security/2018-03-05-10-14-42.bpo-32997.hp2s8n.rst [new file with mode: 0644] blob
Mirror of https://github.com/python/cpython.git