From 6c17cfae46efc6ff71bb58c8d1c87b86fdb3c668 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alex=20Gr=C3=B6nholm?=
Date: Thu, 20 Oct 2022 17:13:23 +0300
Subject: [PATCH 1/2] Fixed potential DoS attack via WHEEL_INFO_RE
---
 src/wheel/wheelfile.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py
index 3ee97dd..3c3d9f5 100644
--- a/src/wheel/wheelfile.py
+++ b/src/wheel/wheelfile.py
@@ -16,8 +16,8 @@ from wheel.util import urlsafe_b64decode, as_unicode, native, urlsafe_b64encode,
 # Non-greedy matching of an optional build number may be too clever (more
 # invalid wheel filenames will match). Separate regex for .dist-info?
 WHEEL_INFO_RE = re.compile(
- r"""^(?P(?P.+?)-(?P.+?))(-(?P\d[^-]*))?
- -(?P.+?)-(?P.+?)-(?P.+?)\.whl$""",
+ r"""^(?P(?P[^-]+?)-(?P[^-]+?))(-(?P\d[^-]*))?
+ -(?P[^-]+?)-(?P[^-]+?)-(?P[^.]+?)\.whl$""",
 re.VERBOSE)
-- 
2.39.2
From 22dcf5ec8f17771117f512b48d46c92a95f2d109 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alex=20Gr=C3=B6nholm?=
Date: Sat, 5 Nov 2022 01:17:22 +0200
Subject: [PATCH 2/2] Fixed parsing of wheel file names with multiple platform tags
Fixes #485.
---
 src/wheel/wheelfile.py | 4 ++--
 tests/test_wheelfile.py | 13 ++++++++++---
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py
index 3c3d9f5..bce7ab3 100644
--- a/src/wheel/wheelfile.py
+++ b/src/wheel/wheelfile.py
@@ -16,8 +16,8 @@ from wheel.util import urlsafe_b64decode, as_unicode, native, urlsafe_b64encode,
 # Non-greedy matching of an optional build number may be too clever (more
 # invalid wheel filenames will match). Separate regex for .dist-info?
 WHEEL_INFO_RE = re.compile(
- r"""^(?P(?P[^-]+?)-(?P[^-]+?))(-(?P\d[^-]*))?
- -(?P[^-]+?)-(?P[^-]+?)-(?P[^.]+?)\.whl$""",
+ r"""^(?P(?P[^\s-]+?)-(?P[^\s-]+?))(-(?P\d[^\s-]*))?
+ -(?P[^\s-]+?)-(?P[^\s-]+?)-(?P\S+)\.whl$""",
 re.VERBOSE)
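Review bot: The backtracking fix in the two added pattern lines is not pinned by any test; the diffstat shows only src/wheel/wheelfile.py changed, so a later edit that relaxes a class back to `.+?` would regress silently. A parametrized case in tests/test_wheelfile.py asserting that `WHEEL_INFO_RE.match` returns `None` for a long hyphen-rich name without a `.whl` suffix, alongside the valid names that must still match, would document the rejection behaviour the fix relies on. The surviving comment above the pattern still talks about the non-greedy build number and says nothing about why the classes exclude `-`; a line such as `# Each tag is bounded by [^-] rather than .+? so a malformed name fails fast instead of backtracking` would keep the rationale next to the pattern.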
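Review bot: The final group on the last added line is now `\S+`, which accepts `-`, so a name with more than the five hyphen-separated fields of the wheel filename format (say a platform field of `linux-x86_64`) now matches with the extra hyphen silently absorbed into the platform tag, whereas the `[^.]+?` being removed and the `[^\s-]` classes used for every other group in the same pattern reject it. Because the preceding groups are non-greedy and stop at their first `-`, the surplus segment always lands in the platform tag rather than failing the match. Replacing `\S+` with `[^\s-]+` on that line keeps the dotted compound tags from #485 (the only widening this commit needs) while still refusing hyphens, and like `\S+` it is a single bounded repetition, so the linear-time property from the previous commit is preserved.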
diff --git a/tests/test_wheelfile.py b/tests/test_wheelfile.py
index db11bcd..69225f8 100644
--- a/tests/test_wheelfile.py
+++ b/tests/test_wheelfile.py
@@ -16,9 +16,16 @@ def wheel_path(tmpdir):
 return str(tmpdir.join('test-1.0-py2.py3-none-any.whl'))
-def test_wheelfile_re(tmpdir):
- # Regression test for #208
- path = tmpdir.join('foo-2-py3-none-any.whl')
+@pytest.mark.parametrize(
+ "filename",
+ [
+ "foo-2-py3-none-any.whl",
+ "foo-2-py2.py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl",
+ ],
+)
+def test_wheelfile_re(filename, tmpdir):
+ # Regression test for #208 and #485
+ path = tmpdir.join(filename)
 with WheelFile(str(path), 'w') as wf:
 assert wf.parsed_filename.group('namever') == 'foo-2'
-- 
2.39.2
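Review bot: The new manylinux case only asserts `group('namever') == 'foo-2'`, so it proves the pattern matches at all but not that the dotted compound platform tag was captured intact, which is the actual #485 regression. Parametrizing over `(filename, expected_plat)` pairs and adding one assertion on the platform group (named `plat` in wheel's pattern as far as I recall; the group names are not visible in this rendering) would pin that, e.g. `assert wf.parsed_filename.group('plat') == expected_plat` with `'manylinux_2_17_x86_64.manylinux2014_x86_64'` for the second case. The test also opens a real `WheelFile` in write mode purely to exercise the regex; matching `WHEEL_INFO_RE` directly would make the regression test independent of archive creation. The body of `test_wheelfile_re` may continue past the end of this hunk.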