[3.8] bpo-46474: Avoid REDoS in EntryPoint.pattern (sync with importlib_metadata...

author Jason R. Coombs <jaraco@jaraco.com>

Mon, 14 Feb 2022 17:56:03 +0000 (12:56 -0500)

committer GitHub <noreply@github.com>

Mon, 14 Feb 2022 17:56:03 +0000 (18:56 +0100)
author Jason R. Coombs <jaraco@jaraco.com>
Mon, 14 Feb 2022 17:56:03 +0000 (12:56 -0500)
committer GitHub <noreply@github.com>
Mon, 14 Feb 2022 17:56:03 +0000 (18:56 +0100)
diff --git a/Lib/importlib/metadata.py b/Lib/importlib/metadata.py

index 9d2285cb4d46dd0e14538fcbf042aa9d49bcc6f0..c8d533c5c2b320e76e89d001ed47a4c47a7544a0 100644 (file)
--- a/Lib/importlib/metadata.py
+++ b/Lib/importlib/metadata.py
@@ -49,8 +49,8 @@ class EntryPoint(
  
      pattern = re.compile(
          r'(?P<module>[\w.]+)\s*'
-        r'(:\s*(?P<attr>[\w.]+))?\s*'
-        r'(?P<extras>\[.*\])?\s*$'
+        r'(:\s*(?P<attr>[\w.]+)\s*)?'
+        r'((?P<extras>\[.*\])\s*)?$'
          )
      """
      A regular expression describing the syntax for an entry point,
diff --git a/Misc/NEWS.d/next/Library/2022-01-22-14-49-10.bpo-46474.eKQhvx.rst b/Misc/NEWS.d/next/Library/2022-01-22-14-49-10.bpo-46474.eKQhvx.rst

new file mode 100644 (file)

index 0000000..156b7de
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2022-01-22-14-49-10.bpo-46474.eKQhvx.rst
@@ -0,0 +1,2 @@
+In ``importlib.metadata.EntryPoint.pattern``, avoid potential REDoS by
+limiting ambiguity in consecutive whitespace.
author	Jason R. Coombs <jaraco@jaraco.com>
	Mon, 14 Feb 2022 17:56:03 +0000 (12:56 -0500)
committer	GitHub <noreply@github.com>
	Mon, 14 Feb 2022 17:56:03 +0000 (18:56 +0100)
Lib/importlib/metadata.py		patch \| blob \| blame \| history
Misc/NEWS.d/next/Library/2022-01-22-14-49-10.bpo-46474.eKQhvx.rst	[new file with mode: 0644]	patch \| blob