Fixed potential DoS attack via WHEEL_INFO_RE
agronholm committed Oct 20, 2022
1 parent e9f7a60 commit 88f02bc
Showing 2 changed files with 3 additions and 2 deletions.
1 change: 1 addition & 0 deletions docs/news.rst
Expand Up @@ -9,6 +9,7 @@ Release Notes
- The handling of ``license_files`` (including glob patterns and default
values) is now delegated to ``setuptools>=57.0.0`` (#466).
The package dependencies were updated to reflect this change.
- Fixed potential DoS attack via the ``WHEEL_INFO_RE`` regular expression

**0.37.1 (2021-12-22)**
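
Review bot: the added ``WHEEL_INFO_RE`` entry carries no issue or PR reference, unlike the ``license_files`` entry just above it, which cites (#466), and it does not mention that the pattern is now stricter about what it accepts. Suggest naming the input that triggers the slowdown (wheel filenames) and noting the tighter matching, so downstream users can tell whether they are affected.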

4 changes: 2 additions & 2 deletions src/wheel/wheelfile.py
Expand Up @@ -16,8 +16,8 @@
# Non-greedy matching of an optional build number may be too clever (more
# invalid wheel filenames will match). Separate regex for .dist-info?
WHEEL_INFO_RE = re.compile(
r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.+?))(-(?P<build>\d[^-]*))?
-(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)\.whl$""",
r"""^(?P<namever>(?P<name>[^-]+?)-(?P<ver>[^-]+?))(-(?P<build>\d[^-]*))?
-(?P<pyver>[^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)\.whl$""",
re.VERBOSE,
)
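
Review bot: the new `(?P<plat>[^.]+?)` group no longer accepts a dot anywhere in the platform field, so a filename whose platform part is a compressed tag set, for example `manylinux_2_17_x86_64.manylinux2014_x86_64`, stops matching where the old `.+?` accepted it. The other groups exclude `-`, which is the separator they were overlapping on; plat is followed only by the literal `\.whl$`, so excluding `-` (or whitespace) there would bound it without rejecting dotted platform tags. The lazy `+?` on the `[^-]` groups is also redundant now that the class cannot cross a separator, and the comment above the pattern about non-greedy matching should be updated to describe the new behaviour. A regression test with a long, hyphen-heavy filename that does not end in `.whl` would keep the slow path from coming back.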


3 comments on commit 88f02bc

@dholth
Member

@dholth dholth commented on 88f02bc Nov 16, 2022

whoah

@zhuofeng6

Is there a way to reproduce it?

@zhuofeng6

@zhuofeng6 zhuofeng6 commented on 88f02bc Feb 16, 2023

I think I found it, #498
