+39
-4
lines changedFilter options
@@ -1084,7 +1084,7 @@ def _qformat(self, aline, bline, atags, btags):
1084
1084
1085
1085
import re
1086
1086
1087
-
def IS_LINE_JUNK(line, pat=re.compile(r"\s*#?\s*$").match):
1087
+
def IS_LINE_JUNK(line, pat=re.compile(r"\s*(?:#\s*)?$").match):
1088
1088
r"""
1089
1089
Return 1 for ignorable line: iff `line` is blank or contains a single '#'.
1090
1090
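Review bot: The rewritten default for `pat` has no comment saying why `#` and the trailing whitespace are now grouped, so a later tidy-up could restore the old `\s*#?\s*$` shape unnoticed. In the old form the two `\s*` runs are adjacent whenever `#` is absent, so a long whitespace run followed by a non-matching tail can be split between them in many ways before the match fails. A comment above the `def` would pin this, for example `# Keep '#\s*' as one optional group: two adjacent \s* runs backtrack quadratically on long whitespace.` The body of IS_LINE_JUNK continues past the end of this hunk.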
@@ -304,7 +304,7 @@ def rpop(self, user):
304
304
return self._shortcmd('RPOP %s' % user)
305
305
306
306
307
-
timestamp = re.compile(br'\+OK.*(<[^>]+>)')
307
+
timestamp = re.compile(br'\+OK.[^<]*(<.*>)')
308
308
309
309
def apop(self, user, password):
310
310
"""Authorisation
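Review bot: The new `timestamp` pattern removes the backtracking but is not equivalent to the old one on greetings the old one accepted. The bare `.` after `\+OK` must now consume exactly one byte, so a greeting with `<` immediately after `+OK` no longer matches, and `(<.*>)` captures from the first `<` to the last `>` on the line rather than a single bracketed token. The test change on this page shows apop raising `error_proto` for a welcome that does not match, and the captured group is presumably what the APOP digest is computed over, so either difference could turn a previously working login into a failure. If a single token is the intent, `timestamp = re.compile(br'\+OK[^<]*(<[^>]+>)')` keeps the capture tight and still has no overlapping quantifiers; otherwise a comment stating the accepted banner shape would help. The class body and `apop` continue outside the hunk.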
@@ -286,13 +286,33 @@ def test_range_format_context(self):
286
286
self.assertEqual(fmt(3,6), '4,6')
287
287
self.assertEqual(fmt(0,0), '0')
288
288
289
+
class TestJunkAPIs(unittest.TestCase):
290
+
def test_is_line_junk_true(self):
291
+
for line in ['#', ' ', ' #', '# ', ' # ', '']:
292
+
self.assertTrue(difflib.IS_LINE_JUNK(line), repr(line))
293
+
294
+
def test_is_line_junk_false(self):
295
+
for line in ['##', ' ##', '## ', 'abc ', 'abc #', 'Mr. Moose is up!']:
296
+
self.assertFalse(difflib.IS_LINE_JUNK(line), repr(line))
297
+
298
+
def test_is_line_junk_REDOS(self):
299
+
evil_input = ('\t' * 1000000) + '##'
300
+
self.assertFalse(difflib.IS_LINE_JUNK(evil_input))
301
+
302
+
def test_is_character_junk_true(self):
303
+
for char in [' ', '\t']:
304
+
self.assertTrue(difflib.IS_CHARACTER_JUNK(char), repr(char))
305
+
306
+
def test_is_character_junk_false(self):
307
+
for char in ['a', '#', '\n', '\f', '\r', '\v']:
308
+
self.assertFalse(difflib.IS_CHARACTER_JUNK(char), repr(char))
289
309
290
310
def test_main():
291
311
difflib.HtmlDiff._default_prefix = 0
292
312
Doctests = doctest.DocTestSuite(difflib)
293
313
run_unittest(
294
314
TestWithAscii, TestAutojunk, TestSFpatches, TestSFbugs,
295
-
TestOutputFormat, Doctests)
315
+
TestOutputFormat, TestJunkAPIs, Doctests)
296
316
297
317
if __name__ == '__main__':
298
318
test_main()
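Review bot: `test_is_line_junk_REDOS` asserts only the return value, so a regression to a backtracking pattern would show up as a test that runs for a very long time rather than one that fails. That is workable if the suite runs under a timeout, but nothing in the test says so; a comment such as `# A quadratic regex makes this input take far too long; a stall here means the ReDoS fix regressed.` would tell whoever investigates a stalled run what happened. `test_apop_REDOS` in the poplib test change has the same shape. Its comment cites the 2048-byte welcome limit while the test builds a 1000000-byte welcome through `swap_attr`, so it would be clearer if it said the swap deliberately bypasses that limit.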
@@ -294,9 +294,19 @@ def test_noop(self):
294
294
def test_rpop(self):
295
295
self.assertOK(self.client.rpop('foo'))
296
296
297
-
def test_apop(self):
297
+
def test_apop_normal(self):
298
298
self.assertOK(self.client.apop('foo', 'dummypassword'))
299
299
300
+
def test_apop_REDOS(self):
301
+
# Replace welcome with very long evil welcome.
302
+
# NB The upper bound on welcome length is currently 2048.
303
+
# At this length, evil input makes each apop call take
304
+
# on the order of milliseconds instead of microseconds.
305
+
evil_welcome = b'+OK' + (b'<' * 1000000)
306
+
with test_support.swap_attr(self.client, 'welcome', evil_welcome):
307
+
# The evil welcome is invalid, so apop should throw.
308
+
self.assertRaises(poplib.error_proto, self.client.apop, 'a', 'kb')
309
+
300
310
def test_top(self):
301
311
expected = (b'+OK 116 bytes',
302
312
[b'From: postmaster@python.org', b'Content-Type: text/plain',
@@ -319,6 +319,7 @@ Kushal Das
319
319
Jonathan Dasteel
320
320
Pierre-Yves David
321
321
A. Jesse Jiryu Davis
322
+
Jamie (James C.) Davis
322
323
Merlijn van Deen
323
324
John DeGood
324
325
Ned Deily
@@ -0,0 +1,4 @@
1
+
Regexes in difflib and poplib were vulnerable to catastrophic backtracking.
2
+
These regexes formed potential DOS vectors (REDOS). They have been
3
+
refactored. This resolves CVE-2018-1060 and CVE-2018-1061.
4
+
Patch by Jamie Davis.