Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython2 / 55d5bfba9482d39080f7b9ec3e6257ecd23f264f
commit55d5bfba9482d39080f7b9ec3e6257ecd23f264f[log] [tgz]
authorJamie Davis <davisjam@vt.edu>Tue Mar 06 00:59:02 2018 -0500
committerBenjamin Peterson <benjamin@python.org>Mon Mar 05 21:59:02 2018 -0800
treefe770dee608b13e72312faab4e96780891a77fb3
parente052d40cea15f582b50947f7d906b39744dc62a2 [diff]
[2.7] closes bpo-32997: Fix REDOS in fpformat (GH-5984)

The regex to decode a number in fpformat is susceptible to catastrophic backtracking. This is a potential DOS vector if a server is using fpformat on untrusted number strings.

Replace it with an equivalent non-vulnerable regex. The match behavior of the new regex is slightly different. It captures the whole integer part of the number in one group, Leading zeros are stripped off later.
3 files changed
tree: fe770dee608b13e72312faab4e96780891a77fb3
  1. .github/
  2. Demo/
  3. Doc/
  4. Grammar/
  5. Include/
  6. Lib/
  7. Mac/
  8. Misc/
  9. Modules/
  10. Objects/
  11. Parser/
  12. PC/
  13. PCbuild/
  14. Python/
  15. RISCOS/
  16. Tools/
  17. .bzrignore
  18. .gitattributes
  19. .gitignore
  20. .travis.yml
  21. aclocal.m4
  22. config.guess
  23. config.sub
  24. configure
  25. configure.ac
  26. install-sh
  27. LICENSE
  28. Makefile.pre.in
  29. pyconfig.h.in
  30. README
  31. setup.py