33 lines
1.1 KiB
Diff
33 lines
1.1 KiB
Diff
From a9a0d67a663f20b69903751c23851dd4cd6b49d4 Mon Sep 17 00:00:00 2001
|
|
From: Narpat Mali <narpat.mali@windriver.com>
|
|
Date: Wed, 11 Jan 2023 07:45:57 +0000
|
|
Subject: [PATCH] Fixed potential DoS attack via WHEEL_INFO_RE
|
|
|
|
CVE: CVE-2022-40898
|
|
|
|
Upstream-Status: Backport [https://github.com/pypa/wheel/commit/88f02bc335d5404991e532e7f3b0fc80437bf4e0]
|
|
|
|
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
|
|
---
|
|
src/wheel/wheelfile.py | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py
|
|
index 21e7361..ff06edf 100644
|
|
--- a/src/wheel/wheelfile.py
|
|
+++ b/src/wheel/wheelfile.py
|
|
@@ -27,8 +27,8 @@ else:
|
|
# Non-greedy matching of an optional build number may be too clever (more
|
|
# invalid wheel filenames will match). Separate regex for .dist-info?
|
|
WHEEL_INFO_RE = re.compile(
|
|
- r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.+?))(-(?P<build>\d[^-]*))?
|
|
- -(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)\.whl$""",
|
|
+ r"""^(?P<namever>(?P<name>[^-]+?)-(?P<ver>[^-]+?))(-(?P<build>\d[^-]*))?
|
|
+ -(?P<pyver>[^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)\.whl$""",
|
|
re.VERBOSE)
|
|
|
|
|
|
--
|
|
2.32.0
|
|
|