26 lines
1.0 KiB
Diff
26 lines
1.0 KiB
Diff
From 88f02bc335d5404991e532e7f3b0fc80437bf4e0 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Alex=20Gr=C3=B6nholm?= <alex.gronholm@nextday.fi>
|
|
Date: Thu, 20 Oct 2022 17:13:23 +0300
|
|
Subject: [PATCH] Fixed potential DoS attack via WHEEL_INFO_RE
|
|
|
|
Refer: https://github.com/pypa/wheel/issues/498
|
|
|
|
---
|
|
wheel/install.py | 4 ++--
|
|
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/wheel/install.py b/wheel/install.py
|
|
index a0c9d2a5..b985774e 100644
|
|
--- a/wheel/install.py
|
|
+++ b/wheel/install.py
|
|
@@ -16,8 +16,8 @@
|
|
# Non-greedy matching of an optional build number may be too clever (more
|
|
# invalid wheel filenames will match). Separate regex for .dist-info?
|
|
WHEEL_INFO_RE = re.compile(
|
|
- r"""^(?P<namever>(?P<name>.+?)-(?P<ver>\d.*?))(-(?P<build>\d.*?))?
|
|
- -(?P<pyver>[a-z].+?)-(?P<abi>.+?)-(?P<plat>.+?)(\.whl|\.dist-info)$""",
|
|
+ r"""^(?P<namever>(?P<name>[^-]+?)-(?P<ver>\d[^-]*?))(-(?P<build>\d[^-]*?))?
|
|
+ -(?P<pyver>[a-z][^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)(\.whl|\.dist-info)$""",
|
|
re.VERBOSE).match
|
|
|