Prevent regex intensive execution which may cause DoS #21

Open: giosh94mhz wants to merge 1 commit into schwern:master from giosh94mhz:prevent_regex_dos

@giosh94mhz

There are many dot-asterisk greedy matches which may cause
very intensive, even indefinite, execution of the script.

The worst one was the schemeRe match, which if executed
(by accident, or by honoring the MIME headers) against a
base64 text will cause infinite execution.

This patch tested against a ~1MB file, will drop execution
wall-clock time from many hundreds of seconds, to a couple of seconds.

giosh94mhz force-pushed the prevent_regex_dos branch from 7beb6a4 to 891ecec (May 7, 2020 16:09)

@giosh94mhz

Author

The limit on the scheme to 16 chars has been set by checking against the list in issue #4, and 16 looks ok to me.

Increasing this number to, let's say, 32 will slow down my samples from ~1 second to ~5 seconds, but still better than keeping an open match.
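
An added example, not code from this pull request or from the project: it models the work an open-ended scheme match does on a colon-free base64 run and compares it with a scheme capped at 16 characters. The patterns, function names and sample inputs are constructed assumptions (the project's actual schemeRe is not shown on this page), and Python is used only so the example runs as-is.

```python
import base64
import re
import string

# Hypothetical scheme patterns for illustration, not the project's schemeRe.
TAIL = r"[A-Za-z0-9+.-]"
UNBOUNDED = re.compile(rf"[A-Za-z]{TAIL}*:")        # open-ended scheme
BOUNDED = re.compile(rf"[A-Za-z]{TAIL}{{0,15}}:")   # scheme capped at 16 chars

LETTERS = set(string.ascii_letters)
TAIL_SET = LETTERS | set(string.digits + "+.-")


def chars_examined(text, max_tail=None):
    """Model of a backtracking engine on colon-free input: at every start
    offset the greedy tail runs as far as it may before the missing ':'
    fails the attempt. Returns the total number of characters read."""
    if ":" in text:
        raise ValueError("the model covers the no-match case only")
    total = 0
    for start, ch in enumerate(text):
        if ch not in LETTERS:
            continue
        end = start + 1
        limit = len(text) if max_tail is None else min(len(text), end + max_tail)
        while end < limit and text[end] in TAIL_SET:
            end += 1
        total += end - start
    return total


def schemes(pattern, text):
    """Scheme prefixes (with the trailing ':') that the pattern finds."""
    return pattern.findall(text)


# Constructed sample: base64 of 750 zero bytes is one 1000-character run of 'A'.
PAYLOAD = base64.b64encode(bytes(750)).decode("ascii")
MAIL_LINE = "see https://example.org or mailto:bob@example.org"  # constructed

if __name__ == "__main__":
    print("open-ended:", chars_examined(PAYLOAD))       # grows with n squared
    print("capped    :", chars_examined(PAYLOAD, 15))   # grows with 16 * n
    print(schemes(UNBOUNDED, MAIL_LINE), schemes(BOUNDED, MAIL_LINE))
```

The cap also changes what matches: on a run of more than 16 scheme characters followed by `:`, the capped pattern matches only the last 16 characters before the colon instead of the whole run.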
