lainns-mirror/noctalia-shell
1
0
Fork 0
mirror of https://github.com/noctalia-dev/noctalia-shell.git synced 2026-05-11 17:08:27 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix(renderer): remove ambiguous \s* from _BLOCK_RE to prevent ReDoS

Browse Source 
The pattern \s*(.*?)\s* allowed polynomial backtracking when no closing
*> delimiter was found — confirmed to hang at n=5000 whitespace chars.
The \s* wrappers were redundant since group(1) is already stripped at
the call site (line 278).

Reported and patched with @pa1va. Closes #2323
This commit is contained in:
cbxcvl
2026-03-27 13:42:01 -03:00
parent f19a19cfc6
commit 4ad7ffbbdf
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Scripts/python/src/theming/lib/renderer.py
+1 -1
View File
@@ -138,7 +138,7 @@ class TemplateRenderer:
COLOR_ARG_FILTERS = {"blend", "harmonize"}
# Regex for block delimiters: <* ... *>
_BLOCK_RE = re.compile(r'<\*\s*(.*?)\s*\*>', re.DOTALL)
_BLOCK_RE = re.compile(r'<\*(.*?)\*>', re.DOTALL)
# Regex for expression tags: {{ ... }}
_EXPR_RE = re.compile(r"\{\{\s*([^}\n]+?)\s*\}\}")