Merge pull request #236 from cdcadman/cve_2023_26112

jelmer · web-flow · commit 7c618b0bbaff · 2024-09-17T10:15:10.000+01:00
Address CVE-2023-26112 ReDoS
diff --git a/src/configobj/validate.py b/src/configobj/validate.py
@@ -541,7 +541,7 @@ class Validator(object):
     """
 
     # this regex does the initial parsing of the checks
-    _func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL)
+    _func_re = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL)
 
     # this regex takes apart keyword arguments
     _key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$',  re.DOTALL)
diff --git a/src/tests/test_validate_errors.py b/src/tests/test_validate_errors.py
@@ -3,7 +3,7 @@
 import pytest
 
 from configobj import ConfigObj, get_extra_values, ParseError, NestingError
-from configobj.validate import Validator
+from configobj.validate import Validator, VdtUnknownCheckError
 
 @pytest.fixture()
 def thisdir():
@@ -77,3 +77,11 @@ def test_no_parent(tmpdir, specpath):
     ini.write('[[haha]]')
     with pytest.raises(NestingError):
         conf = ConfigObj(str(ini), configspec=specpath, file_error=True)
+
+
+def test_re_dos(val):
+    value = "aaa"
+    i = 165100
+    attack = '\x00'*i + ')' + '('*i
+    with pytest.raises(VdtUnknownCheckError):
+        val.check(attack, value)
