+39
-3
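--- a/[path not on page: difflib module]
+++ b/[path not on page: difflib module]
@@ -1103,7 +1103,7 @@ def _qformat(self, aline, bline, atags, btags):
 
 import re
 
-def IS_LINE_JUNK(line, pat=re.compile(r"\s*#?\s*$").match):
+def IS_LINE_JUNK(line, pat=re.compile(r"\s*(?:#\s*)?$").match):
     r"""
     Return 1 for ignorable line: iff `line` is blank or contains a single '#'.
 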
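Review bot: The new default pattern on line 1106 carries no explanation of why it is written `\s*(?:#\s*)?$` rather than the more obvious `\s*#?\s*$`; the two accept exactly the same strings, so a later cleanup could plausibly revert to the old form without noticing it is the vulnerable one. A comment such as `# The trailing \s* lives inside the optional "#" group so the pattern never has two adjacent \s* runs; the old form backtracked quadratically on long whitespace-only input.` would pin the intent next to the regex. The fix also only covers the default `pat`; a caller that supplies its own matcher gets no protection, which the docstring starting on line 1107 (it continues outside the hunk) could state.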
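--- a/[path not on page: poplib module]
+++ b/[path not on page: poplib module]
@@ -274,7 +274,7 @@ def rpop(self, user):
         return self._shortcmd('RPOP %s' % user)
 
 
-    timestamp = re.compile(r'\+OK.*(<[^>]+>)')
+    timestamp = re.compile(br'\+OK.[^<]*(<.*>)')
 
     def apop(self, user, secret):
         """Authorisation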
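--- a/[path not on page: difflib test module]
+++ b/[path not on page: difflib test module]
@@ -269,13 +269,33 @@ def test_range_format_context(self):
         self.assertEqual(fmt(3,6), '4,6')
         self.assertEqual(fmt(0,0), '0')
 
+class TestJunkAPIs(unittest.TestCase):
+    def test_is_line_junk_true(self):
+        for line in ['#', ' ', ' #', '# ', ' # ', '']:
+            self.assertTrue(difflib.IS_LINE_JUNK(line), repr(line))
+
+    def test_is_line_junk_false(self):
+        for line in ['##', ' ##', '## ', 'abc ', 'abc #', 'Mr. Moose is up!']:
+            self.assertFalse(difflib.IS_LINE_JUNK(line), repr(line))
+
+    def test_is_line_junk_REDOS(self):
+        evil_input = ('\t' * 1000000) + '##'
+        self.assertFalse(difflib.IS_LINE_JUNK(evil_input))
+
+    def test_is_character_junk_true(self):
+        for char in [' ', '\t']:
+            self.assertTrue(difflib.IS_CHARACTER_JUNK(char), repr(char))
+
+    def test_is_character_junk_false(self):
+        for char in ['a', '#', '\n', '\f', '\r', '\v']:
+            self.assertFalse(difflib.IS_CHARACTER_JUNK(char), repr(char))
 
 def test_main():
     difflib.HtmlDiff._default_prefix = 0
     Doctests = doctest.DocTestSuite(difflib)
     run_unittest(
         TestWithAscii, TestAutojunk, TestSFpatches, TestSFbugs,
-        TestOutputFormat, Doctests)
+        TestOutputFormat, TestJunkAPIs)
 
 if __name__ == '__main__':
     test_main()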
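Review bot: The rewritten `run_unittest` call on line 298 no longer passes `Doctests`, so the suite built by `doctest.DocTestSuite(difflib)` on line 295 is still created but never executed; the difflib doctests silently stop running with this commit. Unless dropping them is intended, the line should read `TestOutputFormat, TestJunkAPIs, Doctests)`; if it is intended, the now-dead assignment on line 295 should be removed so the omission is not mistaken for a slip. `test_is_line_junk_REDOS` on lines 281–283 only asserts the result, so a regression to a backtracking pattern would surface as a hang rather than an assertion failure, which a one-line comment on the test could say.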
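--- a/[path not on page: poplib test module]
+++ b/[path not on page: poplib test module]
@@ -211,6 +211,16 @@ def test_noop(self):
     def test_rpop(self):
         self.assertOK(self.client.rpop('foo'))
 
+    def test_apop_REDOS(self):
+        # Replace welcome with very long evil welcome.
+        # NB The upper bound on welcome length is currently 2048.
+        # At this length, evil input makes each apop call take
+        # on the order of milliseconds instead of microseconds.
+        evil_welcome = b'+OK' + (b'<' * 1000000)
+        with test_support.swap_attr(self.client, 'welcome', evil_welcome):
+            # The evil welcome is invalid, so apop should throw.
+            self.assertRaises(poplib.error_proto, self.client.apop, 'a', 'kb')
+
     def test_top(self):
         expected = ('+OK 116 bytes',
                     ['From: postmaster@python.org', 'Content-Type: text/plain',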
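Review bot: `test_apop_REDOS` on lines 214–222 asserts only that `apop` raises `error_proto`, which the pre-fix pattern also did after a long backtracking run, so the test catches a regression only through the harness timeout rather than through an assertion. A comment making that explicit, e.g. `# A regression here shows up as a hang/timeout, not as an assertion failure.`, would save the next reader from expecting a functional failure. The 2048 figure on line 216 presumably describes a limit in the welcome-reading code outside this hunk; since the welcome is injected directly via `swap_attr`, that limit does not bound the input here, and the comment could say why the test still uses a 1,000,000-byte value.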
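--- a/[path not on page: ACKS file]
+++ b/[path not on page: ACKS file]
@@ -318,6 +318,8 @@ Jonathan Dasteel
 Pierre-Yves David
 A. Jesse Jiryu Davis
 Jake Davis
+Jamie (James C.) Davis
+Ratnadeep Debnath
 Merlijn van Deen
 John DeGood
 Ned Deily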
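--- /dev/null
+++ b/[path not on page: NEWS entry]
@@ -0,0 +1,4 @@
+Regexes in difflib and poplib were vulnerable to catastrophic backtracking.
+These regexes formed potential DOS vectors (REDOS). They have been
+refactored. This resolves CVE-2018-1060 and CVE-2018-1061.
+Patch by Jamie Davis.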