systemsmanagement:Uyuni:Master:SLE15-Uyuni-Client-Tools:Build-Dependencies
File CVE-2020-29651.patch of Package saltbundlepy-py
From 4a9017dc6199d2a564b6e4b0aa39d6d8870e4144 Mon Sep 17 00:00:00 2001 From: Ran Benita <ran@unusedvar.com> Date: Fri, 4 Sep 2020 13:57:26 +0300 Subject: [PATCH] svnwc: fix regular expression vulnerable to DoS in blame functionality The subpattern `\d+\s*\S+` is ambiguous which makes the pattern subject to catastrophic backtracing given a string like `"1" * 5000`. SVN blame output seems to always have at least one space between the revision number and the user name, so the ambiguity can be fixed by changing the `*` to `+`. Fixes #256. --- py/_path/svnwc.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/py/_path/svnwc.py b/py/_path/svnwc.py index 3138dd85..b5b9d8d5 100644 --- a/py/_path/svnwc.py +++ b/py/_path/svnwc.py @@ -396,7 +396,7 @@ def makecmdoptions(self): def __str__(self): return "<SvnAuth username=%s ...>" %(self.username,) -rex_blame = re.compile(r'\s*(\d+)\s*(\S+) (.*)') +rex_blame = re.compile(r'\s*(\d+)\s+(\S+) (.*)') class SvnWCCommandPath(common.PathBase): """ path implementation offering access/modification to svn working copies.
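Review bot: The `rex_blame` change in py/_path/svnwc.py ships without a regression test: the diffstat lists only that one file, so nothing guards against the ambiguous `\d+\s*\S+` subpattern being reintroduced. A test that feeds the input named in the commit message, `"1" * 5000`, to `rex_blame` and asserts that it returns no match promptly would pin the fix down. Separately, with `\s+` a blame line that has no whitespace between the revision number and the user name no longer matches at all, and the commit message only says SVN output "seems to" always have that space. The code that consumes `rex_blame` is not visible in this hunk, so it is worth confirming that it handles a failed match explicitly rather than dereferencing a `None` result. The rest of the pattern looks unambiguous as written: `\d+` and `\s+` cannot match the same characters, and `(\S+)` cannot consume the literal space that follows it.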