Possible ReDoS

[elcreator]

https://github.com/phalcon/bridge-swoole/blob/master/src/Request.php#L180
should be like

#(\\w+)=(["\'])?([^"\', ]+)(\\2)?#

to mitigate so called "catastrophic backtracking" https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS when provided input like "a=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
(or optionally even stricter if it's possible to replace "+" with reasonable max length)

[elcreator]

Looks like it's really minor one for php8.2, with 4 times performance difference between regexes for 1MB payload, i.e. nothing catastrophic but worth checking. I just generated the next code to check:

function generate_long_input($length) {
    // Generate a long string with repetitive patterns that could cause backtracking
    $base = 'key="';
    $middle = 'a';
    $repeated = str_repeat($middle, $length);
    return $base . $repeated; // No closing quote to simulate the problematic scenario
}

$patternOriginal = "#(\\w+)=(['\"]?)([^'\" ,]+)\\2#"; // Original regex with mandatory backreference
$patternRevised =  '#(\\w+)=(["\'])?([^"\', ]+)(\\2)?#'; // Revised regex with optional backreference

// Generate a long input string
$input = generate_long_input(1000000);  // You can adjust the length to see the difference

// Measure execution time for the revised pattern
$start_time = microtime(true);
preg_match_all($patternRevised, $input, $matchesRevised);
$end_time = microtime(true);
$timeRevised = $end_time - $start_time;

// Measure execution time for the original pattern
$start_time = microtime(true);
preg_match_all($patternOriginal, $input, $matchesOriginal);
$end_time = microtime(true);
$timeOriginal = $end_time - $start_time;

// Output the results
echo "Execution time for the original pattern: " . $timeOriginal . " seconds\n";
echo "Execution time for the revised pattern: " . $timeRevised . " seconds\n";