From: Nicholas Serra Date: Wed, 20 Jan 2021 17:23:21 -0500 Subject: [1/3] Regex DOS fixes Origin: https://github.com/trentm/python-markdown2/commit/96dff22341489459c8cb832fdfd066a588ec23bf Bug: https://github.com/trentm/python-markdown2/pull/387 Bug-Debian: https://bugs.debian.org/984668 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-26813 --- lib/markdown2.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/markdown2.py b/lib/markdown2.py index bb5260bef210..f3e41cc19d13 100755 --- a/lib/markdown2.py +++ b/lib/markdown2.py @@ -532,7 +532,7 @@ class Markdown(object): return tail - _emacs_oneliner_vars_pat = re.compile(r"-\*-\s*([^\r\n]*?)\s*-\*-", re.UNICODE) + _emacs_oneliner_vars_pat = re.compile(r"-\*-\s*(?:(\S[^\r\n]*?)([\r\n]\s*)?)?-\*-", re.UNICODE) # This regular expression is intended to match blocks like this: # PREFIX Local Variables: SUFFIX # PREFIX mode: Tcl SUFFIX @@ -892,8 +892,8 @@ class Markdown(object): ''' # First pass to define all the references self.regex_defns = re.compile(r''' - \[\#(\w+)\s* # the counter. Open square plus hash plus a word \1 - ([^@]*)\s* # Some optional characters, that aren't an @. \2 + \[\#(\w+) # the counter. Open square plus hash plus a word \1 + ([^@]*) # Some optional characters, that aren't an @. \2 @(\w+) # the id. Should this be normed? \3 ([^\]]*)\] # The rest of the text up to the terminating ] \4 ''', re.VERBOSE) @@ -908,7 +908,7 @@ class Markdown(object): if len(match.groups()) != 4: continue counter = match.group(1) - text_before = match.group(2) + text_before = match.group(2).strip() ref_id = match.group(3) text_after = match.group(4) number = counters.get(counter, 1) @@ -1926,7 +1926,7 @@ class Markdown(object): _fenced_code_block_re = re.compile(r''' (?:\n+|\A\n?) - ^```\s*?([\w+-]+)?\s*?\n # opening fence, $1 = optional lang + ^```\s{0,2}([\w+-]+)?\s*?\n # opening fence, $1 = optional lang (.*?) # $2 = code block content ^```[ \t]*\n # closing fence ''', re.M | re.X | re.S) -- 2.32.0.rc0