Control: found -1 2.6-7+deb6u2
Control: found -1 2.6-10+deb7u2

On Mon, Jan 06, 2014 at 11:00:45AM +1100, Vincent McIntyre wrote:
> I have 2.6-10 running on a few squeeze hosts here and applied the patch that
> should fix #692229. I think there is a problem with one aspect of that
> change -
>
> - FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>.*) for
> (?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from
> (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
> + FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>\S*) for
> (?P<invalid>invalid user |illegal user )?(?P<user>.*) from
> (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
>
> The issue is the $ after the IP address matching - this fails on my syslog
> files which have lines like:
> Jan 5 21:01:15 venice sshd[12491]: Failed password for root from
> 122.252.245.89 port 57845 ssh2
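
Review bot: the `$` placed directly after the `(?P<host>...)` group on the `+` line requires the log line to end at the address, but the sshd line quoted above continues with ` port 57845 ssh2`, so the new pattern cannot match it. If the end anchor is there to stop arbitrary trailing text from being accepted, spell out the expected tail before the `$` instead of ending the pattern at the address. The switch of the `user` group from `.*?` to `.*` on the same line also deserves a comment next to the regex saying the greediness is intentional, so it is not reverted later.
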
Thanks for reporting this regression.

> To make the regex match again, just drop the $. (Tested with 'kodos').
> What I am unclear about is whether making this change will allow
> IP address injections again. Can the wildcard for the <user> match
> be made non-greedy?

As soon as you have two .* patterns, injections are technically possible.
Dropping the $ accounts as one trailing .*. Making the user match
non-greedy reintroduces the issue. It must be greedy.

> Otherwise, the following regex may be ok:
>
> Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user
> )?(?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(
> port \d+)?

The trailing ( port \d+)? is useless, because it is always fulfilled with
the empty string and any garbage beyond is matched by the lack of a $
pattern. This is no improvement over just dropping the $.

> This issue is also present in 2.6-7+deb6u2 (I checked regex.py)
> and (I infer) 2.6-10+deb7u.

Marked in the bts. A real fix seems more involved. Suggestions welcome.

Helmut
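
The regex variants discussed in this message, run side by side over three sample lines; this is an added example, not part of the original message and not the package's code. The `tail_anchored` variant, the two constructed log lines, and the use of `re.search` are assumptions made here for illustration; `tail_anchored` covers only the one log format quoted in the thread.

```python
import re

# Shared pieces, copied from the regexes quoted in the thread.
HEAD = r"Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?"
HOST = r"(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

VARIANTS = {
    # The "+" line of the patch: greedy user, "$" right after the address.
    "patched": HEAD + r"(?P<user>.*) from " + HOST + r"$",
    # The same with "$" dropped.
    "no_dollar": HEAD + r"(?P<user>.*) from " + HOST,
    # "$" dropped and the user group made non-greedy.
    "non_greedy": HEAD + r"(?P<user>.*?) from " + HOST,
    # The alternative with an optional port group and no "$".
    "optional_port": HEAD + r"(?P<user>.*) from " + HOST + r"( port \d+)?",
    # Assumption (not from the thread): anchor the whole tail of the one
    # log format quoted in the thread, so "$" can stay.
    "tail_anchored": HEAD + r"(?P<user>.*) from " + HOST + r" port \d+ ssh2$",
}
COMPILED = {name: re.compile(rx) for name, rx in VARIANTS.items()}

# Log line quoted in the thread (message part only).
REAL = "Failed password for root from 122.252.245.89 port 57845 ssh2"
# Constructed line: the user field itself contains " from <address>".
# 198.51.100.9 stands for an uninvolved host, 203.0.113.7 for the real peer.
CRAFTED = ("Failed password for invalid user x from 198.51.100.9 "
           "from 203.0.113.7 port 4242 ssh2")
# Constructed line with arbitrary text after the address.
TRAILING = "Failed password for root from 203.0.113.7 arbitrary trailing text"


def blamed_host(variant, line):
    """Return the address the variant attributes the failure to, or None."""
    m = COMPILED[variant].search(line)
    return m.group("host") if m else None


def report():
    """Map each variant to the host it extracts from each sample line."""
    samples = {"real": REAL, "crafted": CRAFTED, "trailing": TRAILING}
    return {v: {k: blamed_host(v, s) for k, s in samples.items()}
            for v in COMPILED}


if __name__ == "__main__":
    for variant, hosts in report().items():
        print(f"{variant:14} {hosts}")
```

On these samples the non-greedy variant attributes the crafted line to the address embedded in the user field, while the optional-port variant extracts exactly the same hosts as simply dropping the `$`.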