From eac3276bee21350d182654d35c06648e148a7563 Mon Sep 17 00:00:00 2001 From: Yash Shete Date: Thu, 5 Nov 2020 20:41:51 +0530 Subject: [PATCH 01/10] Unnessery regex conditions are removed bpo-41712: Removal of Unnessery regex conditions Using suggestion For example, you can modify the sub-pattern \w+\d+ to ([A-Za-z_]*\d)+ which should Fix the issue of vulnerable regex. Test Result : Working as intended Sorry if this not much this is my first pr to big org. --- Tools/msi/purge.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Tools/msi/purge.py b/Tools/msi/purge.py index a8b8f4d8973c40..6ea0b8a51d7e32 100644 --- a/Tools/msi/purge.py +++ b/Tools/msi/purge.py @@ -12,7 +12,7 @@ from urllib.request import * -VERSION_RE = re.compile(r'(\d+\.\d+\.\d+)(\w+\d+)?$') +VERSION_RE = re.compile(r'(\d+\.\d+\.\d+)(\w+)$') try: m = VERSION_RE.match(sys.argv[1]) From f3f47257266ef44832819ec24eb629434d8b7dd3 Mon Sep 17 00:00:00 2001 From: Yash Shete Date: Thu, 5 Nov 2020 20:51:02 +0530 Subject: [PATCH 02/10] Vulnerable regex conditions are removed bpo-41712: Removal of Vulnerable regex conditions Using suggestion ""For example, you can modify the sub-pattern \w+\d+ to ([A-Za-z_]*\d)+"" and converted to ([A-za-z_]+\d+) which should Fix the issue of vulnerable regex. Test Result : Working as intended Sorry if this not much this is my first pr to big org. --- Tools/msi/purge.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Tools/msi/purge.py b/Tools/msi/purge.py index 6ea0b8a51d7e32..b7515bca742b35 100644 --- a/Tools/msi/purge.py +++ b/Tools/msi/purge.py @@ -12,7 +12,7 @@ from urllib.request import * -VERSION_RE = re.compile(r'(\d+\.\d+\.\d+)(\w+)$') +VERSION_RE = re.compile(r'(\d+\.\d+\.\d+)([A-Za-z_]+\d+)$') try: m = VERSION_RE.match(sys.argv[1]) From 8e502ad8f35e4f51d73f2d2dbadb063dd2082e28 Mon Sep 17 00:00:00 2001 
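Review bot: In the PATCH 01/10 hunk of Tools/msi/purge.py the new `VERSION_RE` drops the `?` after the suffix group, so a plain release version with no suffix no longer matches and `sys.argv[1]` is presumably rejected by the code after the hunk. The PATCH 02/10 hunk keeps the same mandatory group, and the `?` only returns in PATCH 09/10. The replacement `(\w+)` also still overlaps with the preceding `\d+` because `\w` includes digits, so a long digit run with a non-matching tail can still be divided between the two quantifiers in many ways; the backtracking is reduced rather than removed. Keeping the group optional and the letter and digit classes disjoint, as in `(\d+\.\d+\.\d+)([A-Za-z_]+\d+)?$`, addresses both. The `try:` block continues outside the hunk.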
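Review bot: The new pattern in the PATCH 02/10 hunk of Tools/msi/purge.py carries no comment explaining why the suffix is written `[A-Za-z_]+\d+` instead of `\w+\d+`, so a later cleanup could reintroduce the overlapping quantifiers without anyone noticing. I would add above `VERSION_RE` the comment `# Letters and digits are kept in disjoint classes so adjacent quantifiers cannot backtrack over the same characters (bpo-41712).` The class is also narrower than `\w` for str patterns (no non-ASCII letters), which looks intended for version strings but is worth stating in the same comment.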
From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com> Date: Fri, 6 Nov 2020 07:13:18 +0000 Subject: [PATCH 03/10] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20b?= =?UTF-8?q?lurb=5Fit.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Tools-Demos/2020-11-06-07-13-17.bpo-41712.NUnkyX.rst | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 Misc/NEWS.d/next/Tools-Demos/2020-11-06-07-13-17.bpo-41712.NUnkyX.rst diff --git a/Misc/NEWS.d/next/Tools-Demos/2020-11-06-07-13-17.bpo-41712.NUnkyX.rst b/Misc/NEWS.d/next/Tools-Demos/2020-11-06-07-13-17.bpo-41712.NUnkyX.rst new file mode 100644 index 00000000000000..b81da907032d9e --- /dev/null +++ b/Misc/NEWS.d/next/Tools-Demos/2020-11-06-07-13-17.bpo-41712.NUnkyX.rst @@ -0,0 +1,5 @@ +Using suggestion ""For example, you can modify the sub-pattern \w+\d+ to ([A-Za-z_]*\d)+"" and converted to ([A-za-z_]+\d+) +which should Fix the issue of vulnerable regex. ""can be exploited with the following string "1.1.1"+"1" * 5000 + "!" "" + +Test Result : Working as intended +Sorry if this not much this is my first pr to big org. \ No newline at end of file From 9a4c1a58e513ed366685331968b5d96b2a0aa7b1 Mon Sep 17 00:00:00 2001 From: Yash Shete Date: Fri, 6 Nov 2020 13:18:55 +0530 Subject: [PATCH 04/10] edited --- .../next/Tools-Demos/2020-11-06-07-13-17.bpo-41712.NUnkyX.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Misc/NEWS.d/next/Tools-Demos/2020-11-06-07-13-17.bpo-41712.NUnkyX.rst b/Misc/NEWS.d/next/Tools-Demos/2020-11-06-07-13-17.bpo-41712.NUnkyX.rst index b81da907032d9e..b32b36eb26b1d6 100644 --- a/Misc/NEWS.d/next/Tools-Demos/2020-11-06-07-13-17.bpo-41712.NUnkyX.rst +++ b/Misc/NEWS.d/next/Tools-Demos/2020-11-06-07-13-17.bpo-41712.NUnkyX.rst 
@@ -1,5 +1,5 @@ -Using suggestion ""For example, you can modify the sub-pattern \w+\d+ to ([A-Za-z_]*\d)+"" and converted to ([A-za-z_]+\d+) +Using suggestion ""For example, you can modify the sub-pattern \w+\d+ to ([A-Za-z_]*\d)+"" and converted to "([A-za-z_]+\d+)" which should Fix the issue of vulnerable regex. ""can be exploited with the following string "1.1.1"+"1" * 5000 + "!" "" Test Result : Working as intended -Sorry if this not much this is my first pr to big org. \ No newline at end of file +Sorry if this not much this is my first pr to big org. From fddf4f1dd7b2cce118a379ca204e293e773cb461 Mon Sep 17 00:00:00 2001 From: Yash Shete Date: Fri, 6 Nov 2020 13:28:30 +0530 Subject: [PATCH 05/10] edited for avoiding docs failure --- .../next/Tools-Demos/2020-11-06-07-13-17.bpo-41712.NUnkyX.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Misc/NEWS.d/next/Tools-Demos/2020-11-06-07-13-17.bpo-41712.NUnkyX.rst b/Misc/NEWS.d/next/Tools-Demos/2020-11-06-07-13-17.bpo-41712.NUnkyX.rst index b32b36eb26b1d6..de13fe2055b764 100644 --- a/Misc/NEWS.d/next/Tools-Demos/2020-11-06-07-13-17.bpo-41712.NUnkyX.rst +++ b/Misc/NEWS.d/next/Tools-Demos/2020-11-06-07-13-17.bpo-41712.NUnkyX.rst @@ -1,4 +1,4 @@ -Using suggestion ""For example, you can modify the sub-pattern \w+\d+ to ([A-Za-z_]*\d)+"" and converted to "([A-za-z_]+\d+)" +Using suggestion from bug tracker messages which should Fix the issue of vulnerable regex. ""can be exploited with the following string "1.1.1"+"1" * 5000 + "!" "" Test Result : Working as intended From d4004c6070e0b7e90d5f5608c24946edbe784c43 Mon Sep 17 00:00:00 2001 
From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com> Date: Fri, 6 Nov 2020 09:12:14 +0000 Subject: [PATCH 06/10] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20b?= =?UTF-8?q?lurb=5Fit.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../next/Tools-Demos/2020-11-06-09-12-13.bpo-41712.WOEkdm.rst | 1 + 1 file changed, 1 insertion(+) create mode 100644 Misc/NEWS.d/next/Tools-Demos/2020-11-06-09-12-13.bpo-41712.WOEkdm.rst diff --git a/Misc/NEWS.d/next/Tools-Demos/2020-11-06-09-12-13.bpo-41712.WOEkdm.rst b/Misc/NEWS.d/next/Tools-Demos/2020-11-06-09-12-13.bpo-41712.WOEkdm.rst new file mode 100644 index 00000000000000..d3d8c486e6d195 --- /dev/null +++ b/Misc/NEWS.d/next/Tools-Demos/2020-11-06-09-12-13.bpo-41712.WOEkdm.rst @@ -0,0 +1 @@ +Using suggestion from bug tracker messages. Regex has been changed which should Fix the issue of vulnerable regex which can be exploited. Test Result is Working as intended \ No newline at end of file From 40b6373b0cad2e1fa89e8fcca14ac0ba86ddcb9c Mon Sep 17 00:00:00 2001 From: Yash Shete Date: Fri, 6 Nov 2020 14:47:16 +0530 Subject: [PATCH 07/10] linux test failure reason --- .../Tools-Demos/2020-11-06-07-13-17.bpo-41712.NUnkyX.rst | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 Misc/NEWS.d/next/Tools-Demos/2020-11-06-07-13-17.bpo-41712.NUnkyX.rst diff --git a/Misc/NEWS.d/next/Tools-Demos/2020-11-06-07-13-17.bpo-41712.NUnkyX.rst b/Misc/NEWS.d/next/Tools-Demos/2020-11-06-07-13-17.bpo-41712.NUnkyX.rst deleted file mode 100644 index de13fe2055b764..00000000000000 --- a/Misc/NEWS.d/next/Tools-Demos/2020-11-06-07-13-17.bpo-41712.NUnkyX.rst +++ /dev/null @@ -1,5 +0,0 @@ -Using suggestion from bug tracker messages -which should Fix the issue of vulnerable regex. ""can be exploited with the following string "1.1.1"+"1" * 5000 + "!" "" - -Test Result : Working as intended -Sorry if this not much this is my first pr to big org. 
From 52f7af2d1aaa1ec6d18c23289ded09b12df175b8 Mon Sep 17 00:00:00 2001 From: Yash Shete Date: Sat, 7 Nov 2020 12:16:34 +0530 Subject: [PATCH 08/10] Update Misc/NEWS.d/next/Tools-Demos/2020-11-06-09-12-13.bpo-41712.WOEkdm.rst Co-authored-by: kj <28750310+Fidget-Spinner@users.noreply.github.com> --- .../next/Tools-Demos/2020-11-06-09-12-13.bpo-41712.WOEkdm.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Misc/NEWS.d/next/Tools-Demos/2020-11-06-09-12-13.bpo-41712.WOEkdm.rst b/Misc/NEWS.d/next/Tools-Demos/2020-11-06-09-12-13.bpo-41712.WOEkdm.rst index d3d8c486e6d195..fcd7595594fb50 100644 --- a/Misc/NEWS.d/next/Tools-Demos/2020-11-06-09-12-13.bpo-41712.WOEkdm.rst +++ b/Misc/NEWS.d/next/Tools-Demos/2020-11-06-09-12-13.bpo-41712.WOEkdm.rst @@ -1 +1 @@ -Using suggestion from bug tracker messages. Regex has been changed which should Fix the issue of vulnerable regex which can be exploited. Test Result is Working as intended \ No newline at end of file +A regex pattern in the purge script (which is only used internally for creating Windows installers) was vulnerable to regex denial of service. The pattern was changed to fix this. From eb1500c511fb2e55f15f487a34c9c2440705e349 Mon Sep 17 00:00:00 2001 From: Yash Shete Date: Sat, 7 Nov 2020 12:25:10 +0530 Subject: [PATCH 09/10] Update Tools/msi/purge.py Co-authored-by: kj <28750310+Fidget-Spinner@users.noreply.github.com> --- Tools/msi/purge.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Tools/msi/purge.py b/Tools/msi/purge.py index b7515bca742b35..27b6b054a445ad 100644 --- a/Tools/msi/purge.py +++ b/Tools/msi/purge.py @@ -12,7 +12,7 @@ from urllib.request import * -VERSION_RE = re.compile(r'(\d+\.\d+\.\d+)([A-Za-z_]+\d+)$') +VERSION_RE = re.compile(r'(\d+\.\d+\.\d+)([A-Za-z_]+\d+)?$') try: m = VERSION_RE.match(sys.argv[1]) From aab27c274f5061a61b4f98fba8618d547c591626 Mon Sep 17 00:00:00 2001 
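Review bot: In the PATCH 09/10 hunk of Tools/msi/purge.py the final pattern still ends in `$` and is applied with `VERSION_RE.match`, and in Python `$` also matches just before a trailing newline, so an argument ending in a newline would be accepted as a valid version. `\d` in a str pattern additionally matches non-ASCII decimal digits. If the matched groups are later used to build a path or URL (not visible in this hunk), I would tighten the definition to `VERSION_RE = re.compile(r'(\d+\.\d+\.\d+)([A-Za-z_]+\d+)?\Z', re.ASCII)`; switching the call to `VERSION_RE.fullmatch(sys.argv[1])` would cover the newline case alone. The `try:` block continues outside the hunk.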
From: Yash Shete Date: Sat, 7 Nov 2020 13:26:46 +0530 Subject: [PATCH 10/10] Updated news --- .../next/Tools-Demos/2020-11-06-09-12-13.bpo-41712.WOEkdm.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Misc/NEWS.d/next/Tools-Demos/2020-11-06-09-12-13.bpo-41712.WOEkdm.rst b/Misc/NEWS.d/next/Tools-Demos/2020-11-06-09-12-13.bpo-41712.WOEkdm.rst index fcd7595594fb50..9d190539b3586a 100644 --- a/Misc/NEWS.d/next/Tools-Demos/2020-11-06-09-12-13.bpo-41712.WOEkdm.rst +++ b/Misc/NEWS.d/next/Tools-Demos/2020-11-06-09-12-13.bpo-41712.WOEkdm.rst @@ -1 +1 @@ -A regex pattern in the purge script (which is only used internally for creating Windows installers) was vulnerable to regex denial of service. The pattern was changed to fix this. +A regex pattern in the purge script (which is only used internally for creating Windows installers) was vulnerable to regex denial of service.The pattern was changed to fix this.