[issue41715] REDoS in c_analyzer

2020-09-17 Thread Serhiy Storchaka
Change by Serhiy Storchaka:

resolution: -> fixed
stage: patch review -> resolved
status: open -> closed

[issue41715] REDoS in c_analyzer

2020-09-17 Thread Serhiy Storchaka
Serhiy Storchaka added the comment:

New changeset dcfaa520c4638a67052a4ff4a2a820be68750ad7 by Serhiy Storchaka in branch 'master':
bpo-41715: Fix potential catastrophic backtracking in c_analyzer. (GH-22091)
https://github.com/python/cpython/commit/dcfaa520c4638a67052a4ff4a2a820be68750ad7

[issue41715] REDoS in c_analyzer

2020-09-04 Thread Serhiy Storchaka
Change by Serhiy Storchaka:

keywords: +patch
pull_requests: +21178
stage: -> patch review
pull_request: https://github.com/python/cpython/pull/22091

[issue41715] REDoS in c_analyzer

2020-09-04 Thread yeting li
yeting li added the comment:

I'm sorry, there was a typo just now.

Replace _\w*[a-zA-Z]\w* with (_\d*)+([a-zA-Z]([_\d])*)+

[issue41715] REDoS in c_analyzer

2020-09-04 Thread yeting li
yeting li added the comment:

You can use the dk.brics.automaton library to verify whether two regexes are equivalent.

[issue41715] REDoS in c_analyzer

2020-09-04 Thread yeting li
yeting li added the comment:

I think we can replace \w*[a-zA-Z]\w* with (_\d*)+([a-zA-Z]([_\d])*)+

This is an equivalent fix and the fixed regex is safe. Does that sound right to you?

[issue41715] REDoS in c_analyzer

2020-09-04 Thread Serhiy Storchaka
Serhiy Storchaka added the comment:

I would use

    NAME_RE = re.compile(r'(?![_\d]+\Z)(?!\d)\w+', re.ASCII)

or

    NAME_RE = re.compile(r'(?=.*[A-Za-z])(?!\d)\w+', re.ASCII)

and NAME_RE.fullmatch() instead of NAME_RE.match().

But why identifiers not containing letters are disabled at first
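
The equivalence claims made in this thread can be checked mechanically. The following is an added example, not part of the thread or of CPython: it enumerates every string up to a small length over a constructed alphabet and compares fullmatch() results for the patterns quoted above. The constant and function names are this example's own, and a bounded search only supports equivalence; it does not prove it the way an automaton library would.

```python
import re
from itertools import product

# Patterns as quoted in the thread; the constant names are this example's own.
UNDERSCORE_OLD = r'_\w*[a-zA-Z]\w*'
UNDERSCORE_NEW = r'(_\d*)+([a-zA-Z]([_\d])*)+'
LOOKAHEAD_1 = r'(?![_\d]+\Z)(?!\d)\w+'
LOOKAHEAD_2 = r'(?=.*[A-Za-z])(?!\d)\w+'

# Constructed alphabet: underscore, two letters, a digit, and a newline as
# the non-word character (it also exercises "." and \Z).
ALPHABET = '_aZ7\n'


def strings_up_to(max_len, alphabet=ALPHABET):
    """Yield every string over alphabet with length 0..max_len."""
    for n in range(max_len + 1):
        for chars in product(alphabet, repeat=n):
            yield ''.join(chars)


def disagreements(pattern_a, pattern_b, max_len=6):
    """Strings on which the two patterns give different fullmatch() results."""
    rx_a = re.compile(pattern_a, re.ASCII)
    rx_b = re.compile(pattern_b, re.ASCII)
    return [s for s in strings_up_to(max_len)
            if bool(rx_a.fullmatch(s)) != bool(rx_b.fullmatch(s))]


def prefix_only(pattern, max_len=3):
    """Strings that match() accepts although fullmatch() rejects them."""
    rx = re.compile(pattern, re.ASCII)
    return [s for s in strings_up_to(max_len)
            if rx.match(s) and not rx.fullmatch(s)]


if __name__ == '__main__':
    print(disagreements(UNDERSCORE_OLD, UNDERSCORE_NEW))   # bounded equivalence
    print(disagreements(LOOKAHEAD_1, LOOKAHEAD_2))
    print(prefix_only(LOOKAHEAD_1)[:5])                    # why fullmatch() matters
```

Both comparisons return an empty list for lengths up to 6, while prefix_only() lists inputs, such as a name followed by a newline, that match() accepts and fullmatch() rejects.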

[issue41715] REDoS in c_analyzer

2020-09-04 Thread Serhiy Storchaka
Change by Serhiy Storchaka:

nosy: +eric.snow, serhiy.storchaka

[issue41715] REDoS in c_analyzer

2020-09-04 Thread yeting li
Change by yeting li:

components: +Library (Lib)
type: -> security
versions: +Python 3.10

[issue41715] REDoS in c_analyzer

2020-09-04 Thread yeting li
Change by yeting li:

title: REDoS inc_analyzer -> REDoS in c_analyzer