+39
-4
lines changedFilter options
@@ -1083,7 +1083,7 @@ def _qformat(self, aline, bline, atags, btags):
1083
1083
1084
1084
import re
1085
1085
1086
-
def IS_LINE_JUNK(line, pat=re.compile(r"\s*#?\s*$").match):
1086
+
def IS_LINE_JUNK(line, pat=re.compile(r"\s*(?:#\s*)?$").match):
1087
1087
r"""
1088
1088
Return 1 for ignorable line: iff `line` is blank or contains a single '#'.
1089
1089
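Review bot: Nothing at the new `IS_LINE_JUNK` signature records why the pattern is shaped as `\s*(?:#\s*)?$`, and the obvious "simplification" back to `\s*#?\s*$` would reintroduce the quadratic backtracking this commit removes. I would put a comment above the `def`, for example `# '#' and the whitespace after it form one optional group, so the two \s* runs are never adjacent and a failed match backtracks in linear time.` The function body continues past the end of the hunk, so this is based on the signature and the first docstring line only.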
@@ -308,7 +308,7 @@ def rpop(self, user):
308
308
return self._shortcmd('RPOP %s' % user)
309
309
310
310
311
-
timestamp = re.compile(br'\+OK.*(<[^>]+>)')
311
+
timestamp = re.compile(br'\+OK.[^<]*(<.*>)')
312
312
313
313
def apop(self, user, password):
314
314
"""Authorisation
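Review bot: The new `timestamp` pattern is not only faster, it also accepts a different set of greetings, and nothing in the hunk says so. The `.` after `\+OK` now requires one character before the first `<`, so a greeting of the form `+OK<...>` no longer matches; and `(<.*>)` captures from the first `<` through the last `>` on the line, where the old `(<[^>]+>)` captured the last `<...>` group. Since `apop` (its body lies outside this hunk) presumably feeds the captured group into the digest, a banner containing more than one `<...>` would now yield a different digest input. If that is intended, a comment such as `# Anchor on the first '<' so matching stays linear; the group runs to the last '>'.` plus a test pinning the captured value for an ordinary greeting would make the trade-off explicit.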
@@ -466,13 +466,33 @@ def _assert_type_error(self, msg, generator, *args):
466
466
list(generator(*args))
467
467
self.assertEqual(msg, str(ctx.exception))
468
468
469
+
class TestJunkAPIs(unittest.TestCase):
470
+
def test_is_line_junk_true(self):
471
+
for line in ['#', ' ', ' #', '# ', ' # ', '']:
472
+
self.assertTrue(difflib.IS_LINE_JUNK(line), repr(line))
473
+
474
+
def test_is_line_junk_false(self):
475
+
for line in ['##', ' ##', '## ', 'abc ', 'abc #', 'Mr. Moose is up!']:
476
+
self.assertFalse(difflib.IS_LINE_JUNK(line), repr(line))
477
+
478
+
def test_is_line_junk_REDOS(self):
479
+
evil_input = ('\t' * 1000000) + '##'
480
+
self.assertFalse(difflib.IS_LINE_JUNK(evil_input))
481
+
482
+
def test_is_character_junk_true(self):
483
+
for char in [' ', '\t']:
484
+
self.assertTrue(difflib.IS_CHARACTER_JUNK(char), repr(char))
485
+
486
+
def test_is_character_junk_false(self):
487
+
for char in ['a', '#', '\n', '\f', '\r', '\v']:
488
+
self.assertFalse(difflib.IS_CHARACTER_JUNK(char), repr(char))
469
489
470
490
def test_main():
471
491
difflib.HtmlDiff._default_prefix = 0
472
492
Doctests = doctest.DocTestSuite(difflib)
473
493
run_unittest(
474
494
TestWithAscii, TestAutojunk, TestSFpatches, TestSFbugs,
475
-
TestOutputFormat, TestBytes, Doctests)
495
+
TestOutputFormat, TestBytes, TestJunkAPIs, Doctests)
476
496
477
497
if __name__ == '__main__':
478
498
test_main()
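Review bot: `test_is_line_junk_REDOS` asserts only the return value, so against the old quadratic pattern it would not fail, it would just run for a very long time on a million tabs; the same holds for `test_apop_REDOS` in the poplib test section. A comment in each saying so keeps the intent clear, for example `# Regression guard for quadratic backtracking: a vulnerable pattern shows up as a timeout, not an assertion failure.` Separately, `test_is_line_junk_true` has no newline-terminated input such as `'#\n'`, which is the form lines usually take when read from a file, so one such case would be worth adding.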
@@ -300,9 +300,19 @@ def test_noop(self):
300
300
def test_rpop(self):
301
301
self.assertOK(self.client.rpop('foo'))
302
302
303
-
def test_apop(self):
303
+
def test_apop_normal(self):
304
304
self.assertOK(self.client.apop('foo', 'dummypassword'))
305
305
306
+
def test_apop_REDOS(self):
307
+
# Replace welcome with very long evil welcome.
308
+
# NB The upper bound on welcome length is currently 2048.
309
+
# At this length, evil input makes each apop call take
310
+
# on the order of milliseconds instead of microseconds.
311
+
evil_welcome = b'+OK' + (b'<' * 1000000)
312
+
with test_support.swap_attr(self.client, 'welcome', evil_welcome):
313
+
# The evil welcome is invalid, so apop should throw.
314
+
self.assertRaises(poplib.error_proto, self.client.apop, 'a', 'kb')
315
+
306
316
def test_top(self):
307
317
expected = (b'+OK 116 bytes',
308
318
[b'From: postmaster@python.org', b'Content-Type: text/plain',
@@ -341,6 +341,7 @@ Kushal Das
341
341
Jonathan Dasteel
342
342
Pierre-Yves David
343
343
A. Jesse Jiryu Davis
344
+
Jamie (James C.) Davis
344
345
Merlijn van Deen
345
346
John DeGood
346
347
Ned Deily
@@ -0,0 +1,4 @@
1
+
Regexes in difflib and poplib were vulnerable to catastrophic backtracking.
2
+
These regexes formed potential DOS vectors (REDOS). They have been
3
+
refactored. This resolves CVE-2018-1060 and CVE-2018-1061.
4
+
Patch by Jamie Davis.