New submission from yeting li <l...@ios.ac.cn>:

I find this regex "(\d+\.\d+\.\d+)(\w+\d+)?$" may be stuck by input. The vulnerable regex is located in https://github.com/python/cpython/blob/54a66ade2067c373d31003ad260e1b7d14c81564/Tools/msi/purge.py#L15

The ReDoS vulnerability of the regex is mainly due to the sub-pattern \w+\d+ and can be exploited with the following string: "1.1.1" + "1" * 5000 + "!"

I think you can limit the input length or fix this regex. For example, you can modify the sub-pattern \w+\d+ to ([A-Za-z_]*\d)+

Looking forward to your response!

Best,
Yeting Li

----------
components: Library (Lib)
files: purge.py
messages: 376343
nosy: yetingli
priority: normal
severity: normal
status: open
title: REDoS in purge
type: security
versions: Python 3.10
Added file: https://bugs.python.org/file49443/purge.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue41712>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
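Added example, not part of the report or of CPython's purge.py: it compares the regex quoted above against the reporter's suggested replacement and against a stricter pattern of my own (the suffix must begin with a letter, which assumes suffixes of the form "a1", "b2", "rc3"), applies the length cap the reporter also proposes (the value 64 is an assumption), and scales the reporter's attack string so the slowdown can be observed without waiting for n = 5000. The use of pattern.match rather than pattern.search is also an assumption about how purge.py applies the regex.

```python
import re
import time

# The regex quoted in the report, as it appears in purge.py at the linked revision.
VULNERABLE_RE = re.compile(r"(\d+\.\d+\.\d+)(\w+\d+)?$")

# The reporter's suggestion: replace the sub-pattern \w+\d+ with ([A-Za-z_]*\d)+ .
SUGGESTED_RE = re.compile(r"(\d+\.\d+\.\d+)(([A-Za-z_]*\d)+)?$")

# Assumed alternative (mine, not from the report): require the suffix to start with
# a letter, so the version's third \d+ and the suffix can never compete for the same
# run of digits. Assumes suffixes look like "a1", "b2", "rc3"; "_1" would be rejected.
STRICT_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]+\d+)?$")

# Length cap, the reporter's other suggestion. The value is an assumption; real
# version strings are far shorter than this.
MAX_VERSION_LEN = 64


def payload(n):
    """The reporter's attack string with the run of '1's scaled to n."""
    return "1.1.1" + "1" * n + "!"


def version_parts(pattern, text, max_len=MAX_VERSION_LEN):
    """Return (version, suffix) or None.

    The length check runs before the regex so an over-long string is rejected
    in O(1) instead of reaching the backtracking engine at all.
    """
    if len(text) > max_len:
        return None
    m = pattern.match(text)  # assumption: purge.py anchors at the start
    if m is None:
        return None
    return m.group(1), m.group(2)


def time_match(pattern, text):
    """Wall-clock seconds for a single pattern.match(text) call."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Keep n small: with VULNERABLE_RE the cost grows far faster than linearly,
    # because the third \d+ of the version, \w+ and the trailing \d+ all
    # backtrack over the same digits before $ finally fails on "!".
    # STRICT_RE fails each attempt immediately at "!" and stays flat.
    print("n  vulnerable  suggested  strict")
    for n in (100, 200, 400):
        print(n,
              round(time_match(VULNERABLE_RE, payload(n)), 3),
              round(time_match(SUGGESTED_RE, payload(n)), 3),
              round(time_match(STRICT_RE, payload(n)), 3))
    print(version_parts(STRICT_RE, "3.9.0rc1"))
    print(version_parts(VULNERABLE_RE, payload(5000)))  # None: rejected by length
```

Both mitigations are worth applying together: the length cap stops the attacker-controlled string before the regex engine runs, and removing the ambiguity between the version's last number and the suffix removes the nested backtracking that makes the engine's worst case so expensive.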