diff options
Diffstat (limited to 'dev-python/future/files/future-0.18.2-cve-2022-40899.patch')
-rw-r--r-- | dev-python/future/files/future-0.18.2-cve-2022-40899.patch | 52 |
1 files changed, 0 insertions, 52 deletions
diff --git a/dev-python/future/files/future-0.18.2-cve-2022-40899.patch b/dev-python/future/files/future-0.18.2-cve-2022-40899.patch deleted file mode 100644 index c7341e0d6fdb..000000000000 --- a/dev-python/future/files/future-0.18.2-cve-2022-40899.patch +++ /dev/null @@ -1,52 +0,0 @@ -From c91d70b34ef0402aef3e9d04364ba98509dca76f Mon Sep 17 00:00:00 2001 -From: Will Shanks <wshaos@posteo.net> -Date: Fri, 23 Dec 2022 13:38:26 -0500 -Subject: [PATCH] Backport fix for bpo-38804 - -The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular -expression denial of service (REDoS). The regex contained multiple -overlapping \s* capture groups. A long sequence of spaces can trigger -bad performance. - -See https://github.com/python/cpython/pull/17157 and https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/ ---- - src/future/backports/http/cookiejar.py | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/src/future/backports/http/cookiejar.py b/src/future/backports/http/cookiejar.py -index af3ef415..0ad80a02 100644 ---- a/src/future/backports/http/cookiejar.py -+++ b/src/future/backports/http/cookiejar.py -@@ -225,10 +225,14 @@ def _str2time(day, mon, yr, hr, min, sec, tz): - (?::(\d\d))? # optional seconds - )? # optional clock - \s* -- ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+)? # timezone -+ (?: -+ ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+) # timezone -+ \s* -+ )? -+ (?: -+ \(\w+\) # ASCII representation of timezone in parens. - \s* -- (?:\(\w+\))? # ASCII representation of timezone in parens. -- \s*$""", re.X | re.ASCII) -+ )?$""", re.X | re.ASCII) - def http2time(text): - """Returns time in seconds since epoch of time represented by a string. - -@@ -298,9 +302,11 @@ def http2time(text): - (?::?(\d\d(?:\.\d*)?))? # optional seconds (and fractional) - )? # optional clock - \s* -- ([-+]?\d\d?:?(:?\d\d)? -- |Z|z)? # timezone (Z is "zero meridian", i.e. GMT) -- \s*$""", re.X | re. ASCII) -+ (?: -+ ([-+]?\d\d?:?(:?\d\d)? -+ |Z|z) # timezone (Z is "zero meridian", i.e. GMT) -+ \s* -+ )?$""", re.X | re. ASCII) - def iso2time(text): - """ - As for http2time, but parses the ISO 8601 formats: |