[Python-checkins] [3.8] bpo-46474: Avoid REDoS in EntryPoint.pattern (sync with importlib_metadata 4.10.1) (GH-30803). (#30829)

ambv webhook-mailer at python.org
Mon Feb 14 12:56:18 EST 2022


https://github.com/python/cpython/commit/8a84aef0123bd8c13cf81fbc3b5f6d45f96c2656
commit: 8a84aef0123bd8c13cf81fbc3b5f6d45f96c2656
branch: 3.8
author: Jason R. Coombs <jaraco at jaraco.com>
committer: ambv <lukasz at langa.pl>
date: 2022-02-14T18:56:03+01:00
summary:

[3.8] bpo-46474: Avoid REDoS in EntryPoint.pattern (sync with importlib_metadata 4.10.1) (GH-30803). (#30829)

(cherry picked from commit 51c3e28c8a163e58dc753765e3cc51d5a717e70d)

Co-authored-by: Jason R. Coombs <jaraco at jaraco.com>

files:
A Misc/NEWS.d/next/Library/2022-01-22-14-49-10.bpo-46474.eKQhvx.rst
M Lib/importlib/metadata.py

diff --git a/Lib/importlib/metadata.py b/Lib/importlib/metadata.py
index 9d2285cb4d46d..c8d533c5c2b32 100644
--- a/Lib/importlib/metadata.py
+++ b/Lib/importlib/metadata.py
@@ -49,8 +49,8 @@ class EntryPoint(
 
     pattern = re.compile(
         r'(?P<module>[\w.]+)\s*'
-        r'(:\s*(?P<attr>[\w.]+))?\s*'
-        r'(?P<extras>\[.*\])?\s*$'
+        r'(:\s*(?P<attr>[\w.]+)\s*)?'
+        r'((?P<extras>\[.*\])\s*)?$'
         )
     """
     A regular expression describing the syntax for an entry point,
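
Review bot: The rewritten `attr` and `extras` lines of `pattern` come with no regression test; the files list for this commit shows only `Lib/importlib/metadata.py` and the NEWS entry. In the removed lines, three `\s*` ended up adjacent whenever both optional groups were skipped, so a long whitespace run after the module name followed by a non-matching character could be split among them in many ways before the match failed. Suggest adding a test that feeds such an input to `EntryPoint.pattern.match` and checks that it returns `None`, and a short comment above these lines stating that each whitespace run must be consumable by exactly one `\s*`, so that a later edit does not reintroduce the overlap.
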
diff --git a/Misc/NEWS.d/next/Library/2022-01-22-14-49-10.bpo-46474.eKQhvx.rst b/Misc/NEWS.d/next/Library/2022-01-22-14-49-10.bpo-46474.eKQhvx.rst
new file mode 100644
index 0000000000000..156b7de4f6787
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2022-01-22-14-49-10.bpo-46474.eKQhvx.rst
@@ -0,0 +1,2 @@
+In ``importlib.metadata.EntryPoint.pattern``, avoid potential REDoS by
+limiting ambiguity in consecutive whitespace.
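
Review bot: The new file path places this entry in the `Library` section although its text describes a potential REDoS; consider whether it belongs in the Security section so the fix is listed with the other security changes. The phrase "limiting ambiguity in consecutive whitespace" could also state that the set of accepted entry point strings is meant to stay the same, if that is the intent.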


