python-setuptools/SOURCES/CVE-2022-40897.patch

29 lines
1.0 KiB
Diff
Raw Normal View History

diff --git a/setuptools/package_index.py b/setuptools/package_index.py
index 123e958..a90b810 100644
--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
@@ -215,7 +215,7 @@ def unique_values(func):
return wrapper
-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
+REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
# this line is here to fix emacs' cruddy broken syntax highlighting
diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
index 8e9435e..bc1e373 100644
--- a/setuptools/tests/test_packageindex.py
+++ b/setuptools/tests/test_packageindex.py
@@ -308,3 +308,10 @@ class TestPyPIConfig:
cred = cfg.creds_by_repository['https://pypi.org']
assert cred.username == 'jaraco'
assert cred.password == 'pity%'
+
+@pytest.mark.timeout(1)
+def test_REL_DoS():
+ """
+ REL should not hang on a contrived attack string.
+ """
+ setuptools.package_index.REL.search('< rel=' + ' ' * 2**12)