31 lines
1.0 KiB
Diff
31 lines
1.0 KiB
Diff
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
|
|
index b6407be..bdcf4a6 100755
|
|
--- a/setuptools/package_index.py
|
|
+++ b/setuptools/package_index.py
|
|
@@ -212,7 +212,7 @@ def unique_values(func):
|
|
return wrapper
|
|
|
|
|
|
-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
|
|
+REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
|
|
# this line is here to fix emacs' cruddy broken syntax highlighting
|
|
|
|
|
|
diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
|
|
index 63b9294..49bd819 100644
|
|
--- a/setuptools/tests/test_packageindex.py
|
|
+++ b/setuptools/tests/test_packageindex.py
|
|
@@ -223,6 +223,12 @@ class TestPackageIndex:
|
|
assert dists[0].version == ''
|
|
assert dists[1].version == vc
|
|
|
|
+ def test_REL_DoS(self):
|
|
+ """
|
|
+ REL should not hang on a contrived attack string.
|
|
+ """
|
|
+ setuptools.package_index.REL.search('< rel=' + ' ' * 2**12)
|
|
+
|
|
|
|
class TestContentCheckers:
|
|
def test_md5(self):
|