b6581b68a8
Fixes: rhbz#2158677
diff --git a/setup.cfg b/setup.cfg
|
|
index fc4ad5b..9dcc0e3 100644
|
|
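--- a/setup.cfg
+++ b/setup.cfg
@@ -47,6 +47,7 @@ testing =
 pytest-xdist
 sphinx
 jaraco.path>=3.2.0
+ pytest-timeout
 docs =
 sphinx
 jaraco.packaging >= 8.2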
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
|
|
index 270e7f3..8b6ff64 100644
|
|
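--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
@@ -1,4 +1,5 @@
-"""PyPI and direct package downloading"""
+"""PyPI and direct package downloading."""
+
 import sys
 import os
 import re
@@ -197,8 +198,10 @@ def unique_values(func):
 return wrapper
 
 
-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
-# this line is here to fix emacs' cruddy broken syntax highlighting
+REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+"""
+Regex for an HTML tag with 'rel="val"' attributes.
+"""
 
 
 @unique_values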
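Review bot: In the new `REL` pattern the value class `[^'" >]+` excludes only the literal space, so tabs and newlines can still be matched both by `\s{0,10}` and by the capture group. The `{0,10}` bound keeps that overlap small, but a value preceded by more than ten tab or newline characters is now captured with leading whitespace, where the old `\s*` consumed it; writing the class as `[^'"\s>]+` would remove the overlap for every whitespace character. The bound also means a tag with more than ten whitespace characters on either side of `=` no longer matches at all, which the string under `REL` should state, e.g. `Whitespace around '=' is limited to 10 characters to bound backtracking.` The leading and trailing `[^>]*` are left unbounded by this change, so it is worth confirming that input with no closing `>` is also handled in acceptable time.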
diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
|
|
index 8e9435e..fc544c0 100644
|
|
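--- a/setuptools/tests/test_packageindex.py
+++ b/setuptools/tests/test_packageindex.py
@@ -308,3 +308,11 @@ class TestPyPIConfig:
 cred = cfg.creds_by_repository['https://pypi.org']
 assert cred.username == 'jaraco'
 assert cred.password == 'pity%'
+
+
+@pytest.mark.timeout(1)
+def test_REL_DoS():
+ """
+ REL should not hang on a contrived attack string.
+ """
+ setuptools.package_index.REL.search('< rel=' + ' ' * 2**12)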
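Review bot: `test_REL_DoS` asserts nothing about the result and depends entirely on the `pytest-timeout` plugin to fail. If the plugin is not installed, `@pytest.mark.timeout(1)` is presumably just an unregistered mark and the test passes however long the search takes. Asserting the outcome gives the test a functional check as well: `assert setuptools.package_index.REL.search('< rel=' + ' ' * 2**12) is None`. The input covers only spaces after `=`; a second case with whitespace before `=`, and one using tabs, would cover the other bounded quantifier and the non-space whitespace path. A one-second wall-clock limit may also be tight on a loaded build host.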