]> git.ipfire.org Git - thirdparty/moment.git/commitdiff
projects / thirdparty / moment.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 328d51e)
[bugfix] Fix for ReDOS vulnerability (see #4163) (#4326)
authorcrackmigg <migg@migg.net>
Wed, 29 Nov 2017 15:36:21 +0000 (16:36 +0100)
committerKunal Marwaha <marwahaha@berkeley.edu>
Wed, 29 Nov 2017 15:36:21 +0000 (10:36 -0500)
* Limiting regex match to 256 chars, fixing #4163

* Limiting regex match to 256 chars, fixing #4163

* Also limiting numbers to fix #4163

min/moment-with-locales.js patch | blob | blame | history
moment.js patch | blob | blame | history
src/lib/parse/regex.js patch | blob | blame | history

diff --git a/min/moment-with-locales.js b/min/moment-with-locales.js
index 5a3c3dbb4b5e554174867aa380796fda94339fdf..f5a2a8bff82d8cd006928b950992d3211a40b0fb 100644 (file)
--- a/min/moment-with-locales.js
+++ b/min/moment-with-locales.js
@@ -653,7 +653,7 @@ var matchTimestamp = /[+-]?\d+(\.\d{1,3})?/; // 123456789 123456789.123
 
 // any word (or two) characters or numbers including two/three word month in arabic.
 // includes scottish gaelic two word and hyphenated months
-var matchWord = /[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i;
+var matchWord = /[0-9]{0,256}['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]{1,256}|[\u0600-\u06FF\/]{1,256}(\s*?[\u0600-\u06FF]{1,256}){1,2}/i;
 
 
 var regexes = {};
diff --git a/moment.js b/moment.js
index f806995fbe3598a3eecdc65f980f6c194bfca32f..6feb4964dba2d75517c6b96594553a83abe417ac 100644 (file)
--- a/moment.js
+++ b/moment.js
@@ -659,7 +659,7 @@ var matchTimestamp = /[+-]?\d+(\.\d{1,3})?/; // 123456789 123456789.123
 
 // any word (or two) characters or numbers including two/three word month in arabic.
 // includes scottish gaelic two word and hyphenated months
-var matchWord = /[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i;
+var matchWord = /[0-9]{0,256}['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]{1,256}|[\u0600-\u06FF\/]{1,256}(\s*?[\u0600-\u06FF]{1,256}){1,2}/i;
 
 
 var regexes = {};
diff --git a/src/lib/parse/regex.js b/src/lib/parse/regex.js
index b1dc7529e5c7e2e182191f382217c62da6b16aa8..5076548ed239b5a4aab76f4184657c76e878e5b4 100644 (file)
--- a/src/lib/parse/regex.js
+++ b/src/lib/parse/regex.js
@@ -20,7 +20,7 @@ export var matchTimestamp = /[+-]?\d+(\.\d{1,3})?/; // 123456789 123456789.123
 
 // any word (or two) characters or numbers including two/three word month in arabic.
 // includes scottish gaelic two word and hyphenated months
-export var matchWord = /[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i;
+export var matchWord = /[0-9]{0,256}['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]{1,256}|[\u0600-\u06FF\/]{1,256}(\s*?[\u0600-\u06FF]{1,256}){1,2}/i;
 
 
 import hasOwnProp from '../utils/has-own-prop';
Mirror of https://github.com/moment/moment.git