From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
Date: Wed, 1 Mar 2023 11:45:48 +0000
Subject: Final ReDos Fix for CVE-2022-21222/CVE-2021-33587: whitespace fix
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Replace \s, which can also match whitespace characters in the range \u00b0-\uFFFF, with [ \t\n\r\f]*, which is whitespace according to the CSS specification.

Upstream version 4.0.0 allowed identifier names to include non-breakable UTF characters; keep this feature.

Signed-off-by: Bastien Roucariès <rouca@debian.org>
bug-debian: https://bugs.debian.org/989264
bug-debian: https://bugs.debian.org/1032188
bug: https://www.cve.org/CVERecord?id=CVE-2022-21222
bug: https://www.cve.org/CVERecord?id=CVE-2021-33587
Signed-off-by: Bastien Roucariès <rouca@debian.org>
---
 src/parse.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/parse.ts b/src/parse.ts
index fcae1e3..278eecf 100644
--- a/src/parse.ts
+++ b/src/parse.ts
@@ -81,7 +81,7 @@ export type TraversalType =
 const reName = /^[^\\#]?(?:\\(?:[\da-f]{1,6}\s?|.)|[\w\-\u00b0-\uFFFF])+/;
 const reEscape = /\\([\da-f]{1,6}\s?|(\s)|.)/gi;
 // Modified version of https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87
-const reAttr = /^(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4\s*|(#(?:\\.|[\w\u00b0-\uFFFF-])*|(?:\\.|[\w\u00b0-\uFFFF-])+)\s*|)|)([iI])?\]/;
+const reAttr = /^(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)[ \t\n\r\f]*(?:([~|^$*!]?)=[ \t\n\r\f]*(?:(['"])((?:[^\\]|\\[^])*?)\4[ \t\n\r\f]*|(#(?:\\.|[\w\u00b0-\uFFFF-])*|(?:\\.|[\w\u00b0-\uFFFF-])+)[ \t\n\r\f]*|)|)([iI])?\]/;
 
 const actionTypes: { [key: string]: AttributeAction } = {
     undefined: "exists",
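Review bot: The added `reAttr` line has no comment explaining why `[ \t\n\r\f]*` replaced `\s*`, so a later cleanup could restore `\s` and with it the overlap with `[\w\u00b0-\uFFFF-]` that the commit message names as the ReDoS source. I would put `// CSS whitespace only: \s also matches code points inside \u00b0-\uFFFF, so whitespace runs and name/value groups would overlap and backtrack (CVE-2022-21222, CVE-2021-33587).` directly above the constant. The change also narrows what is accepted: U+000B and U+00A0 were matched by `\s` but are in neither class now, so an attribute selector with one of them around `=` no longer matches this regex. The diffstat shows only src/parse.ts changed, so a regression test covering that case, plus a timing-bounded test on a long input mixing Unicode whitespace with name characters, would pin both the fix and the behaviour change. The `\s?` in `reName` and `reEscape` on the context lines is a single optional match, so it does not appear to need the same treatment.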
