Merge pull request #2 from ActiveState/BE-2343-cve-2022-40897

icanhasmath · web-flow · commit 2d1e5bd4df4f · 2023-05-03T17:26:04.000-05:00
BE-2343-cve-2022-40897
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -1,3 +1,8 @@
+v44.1.1.1
+-------
+
+* #3659: Limit the amount of whitespace to search/backtrack (CVE-2022-40897)
+
 v44.1.1
 -------
 
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
@@ -214,8 +214,10 @@ def wrapper(*args, **kwargs):
     return wrapper
 
 
-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
-# this line is here to fix emacs' cruddy broken syntax highlighting
+REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+"""
+Regex for an HTML tag with 'rel="val"' attributes.
+"""
 
 
 @unique_values
diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
@@ -337,3 +337,11 @@ def test_percent_in_password(self, tmpdir, monkeypatch):
         cred = cfg.creds_by_repository['https://pypi.org']
         assert cred.username == 'jaraco'
         assert cred.password == 'pity%'
+
+
+@pytest.mark.timeout(1)
+def test_REL_DoS():
+    """
+    REL should not hang on a contrived attack string.
+    """
+    setuptools.package_index.REL.search('< rel=' + ' ' * 2**12)
