New submission from yeting li <l...@ios.ac.cn>:

Hi,

I find this regex "^([a-zA-Z]|_\w*[a-zA-Z]\w*|[a-zA-Z]\w*)$" may get stuck on input.
The vulnerable regex is located in
https://github.com/python/cpython/blob/54a66ade2067c373d31003ad260e1b7d14c81564/Tools/c-analyzer/c_analyzer/common/info.py#L12

The ReDoS vulnerability of the regex is mainly due to the sub-pattern
\w*[a-zA-Z]\w*
and can be exploited with the following string:
"_" + "a" * 5000 + "!"


I think you can limit the input length or fix this regex.


Looking forward to your response!

Best,
Yeting Li

----------
files: info.py
messages: 376355
nosy: yetingli
priority: normal
severity: normal
status: open
title: ReDoS in c_analyzer
Added file: https://bugs.python.org/file49445/info.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue41715>
_______________________________________
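The report above describes the problem but does not show how a maintainer would check that a replacement pattern accepts the same language while failing in linear time. The following is an added example written for this page; it is not code from the reporter, from the attached info.py, or from CPython's eventual fix. The hardened pattern, the MAX_LEN value and the hand-written reference scanner are my own choices for illustration, and the sample inputs are constructed. The reference scanner assumes that re's \w for str patterns means "underscore or any Unicode alphanumeric", which is how the sre engine defines it.

```python
import re
import time

# Pattern exactly as quoted in the bug report (Tools/c-analyzer/c_analyzer/common/info.py
# at the linked commit).  When the final "$" fails, the engine retries every way of
# splitting the run of letters between the two "\w*" around "[a-zA-Z]", so the
# work on "_" + "a" * N + "!" grows with N squared.
ORIGINAL = re.compile(r"^([a-zA-Z]|_\w*[a-zA-Z]\w*|[a-zA-Z]\w*)$")

# Same language, no ambiguity (my rewrite for this example, not CPython's fix):
# after the underscore, "[^a-zA-Z\W]*" can only consume word characters that are
# NOT ASCII letters, so the mandatory "[a-zA-Z]" has exactly one place it can
# match and a failed match unwinds in linear time.
HARDENED = re.compile(r"^(?:[a-zA-Z]\w*|_[^a-zA-Z\W]*[a-zA-Z]\w*)$")

# Length cap, the other mitigation the report suggests.  256 is an arbitrary
# value chosen for this example.
MAX_LEN = 256

ASCII_LETTERS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def is_word_char(c: str) -> bool:
    # Assumed to mirror re's "\w" for str patterns: underscore or Unicode alnum.
    return c == "_" or c.isalnum()


def reference(s: str) -> bool:
    """Single-pass, regex-free description of what ORIGINAL accepts: non-empty,
    all word characters, first character a letter or underscore, and at least
    one ASCII letter somewhere."""
    if not s or not (s[0] == "_" or s[0] in ASCII_LETTERS):
        return False
    has_letter = False
    for c in s:
        if not is_word_char(c):
            return False
        if c in ASCII_LETTERS:
            has_letter = True
    return has_letter


def safe_match(s: str) -> bool:
    """Defensive check: reject oversized input before any regex runs, then use
    the unambiguous pattern."""
    if len(s) > MAX_LEN:
        return False
    return HARDENED.match(s) is not None


# Constructed cases, kept short so ORIGINAL can be consulted without the slow path.
SAMPLES = ["a", "Z", "_", "_1", "_a", "_1a", "_1a2", "ab_c9", "9a", "a-b",
           "", "_!", "a!", "__x__", "_" + "a" * 40 + "!", "_" + "a" * 40]


def agreement() -> list:
    """Return (input, original, hardened, reference) for each sample."""
    return [(s, ORIGINAL.match(s) is not None, HARDENED.match(s) is not None,
             reference(s)) for s in SAMPLES]


def all_agree() -> bool:
    """True when ORIGINAL, HARDENED and the hand-written scanner agree everywhere."""
    return all(o == h == r for _, o, h, r in agreement())


if __name__ == "__main__":
    print("patterns agree on samples:", all_agree())
    # The reporter's input: ORIGINAL does quadratic work, HARDENED linear.
    payload = "_" + "a" * 5000 + "!"
    for name, pat in (("original", ORIGINAL), ("hardened", HARDENED)):
        t0 = time.perf_counter()
        pat.match(payload)
        print(f"{name}: {time.perf_counter() - t0:.4f}s")
```

Running the script prints the agreement result and the time each pattern spends rejecting the reporter's 5000-character input; the quadratic pattern is visibly slower, the hardened one returns immediately. The regex-free reference function is the safest option where the accepted language is this simple, and the length cap is cheap insurance even after the pattern is fixed.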