From f6717be6a4fade0de09f5ad9c509bb69b9867cb7 Mon Sep 17 00:00:00 2001 From: Gary Gregory Date: Fri, 23 Feb 2024 14:17:32 -0500 Subject: [PATCH] Guard against polynomial regular expression used on uncontrolled data in VMSVersioningFTPEntryParser --- src/changes/changes.xml | 1 + .../net/ftp/parser/VMSVersioningFTPEntryParser.java | 8 +++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/changes/changes.xml b/src/changes/changes.xml index 96aa4c7de..6cfc97e82 100644 --- a/src/changes/changes.xml +++ b/src/changes/changes.xml @@ -67,6 +67,7 @@ The type attribute can be add,update,fix,remove. Precompile regular expression in UnixFTPEntryParser.preParse(List<String>). + Guard against polynomial regular expression used on uncontrolled data in VMSVersioningFTPEntryParser. Add protected getters to FTPSClient #204. Add SubnetUtils.toString(). diff --git a/src/main/java/org/apache/commons/net/ftp/parser/VMSVersioningFTPEntryParser.java b/src/main/java/org/apache/commons/net/ftp/parser/VMSVersioningFTPEntryParser.java index 5f7635163..a74eac266 100644 --- a/src/main/java/org/apache/commons/net/ftp/parser/VMSVersioningFTPEntryParser.java +++ b/src/main/java/org/apache/commons/net/ftp/parser/VMSVersioningFTPEntryParser.java @@ -43,7 +43,13 @@ */ public class VMSVersioningFTPEntryParser extends VMSFTPEntryParser { - private static final String REGEX = "(.*?);([0-9]+)\\s*.*"; + /** + * Guard against polynomial regular expression used on uncontrolled data. + * Don't look for more than 20 digits for the version. + * Don't look for more than 80 spaces after the version. + * Don't look for more than 80 characters after the spaces. + */ + private static final String REGEX = "(.*?);([0-9]{1,20})\\s{0,80}.{0,80}"; private static final Pattern PATTERN = Pattern.compile(REGEX); /**
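Review bot: The new bounds in `REGEX` change which listing lines parse, not just how long matching takes: a line with more than 80 characters after the whitespace that follows the version no longer matches at all, where the old `.*` accepted any length, so longer VMS entries would now be silently skipped rather than parsed, assuming the pattern is applied with `matches()` as the trailing `.*` suggested (the matcher call is outside the hunk). The leading `(.*?)` is also still unbounded, so the added quantifier limits cap the backtracking done at each `;` position rather than the number of positions tried. If, as in VMS file syntax, the name part never contains `;`, a backtracking-free form that keeps the old accepted set is `private static final String REGEX = "([^;]*);([0-9]++)\\s*+.*";` — the negated class and possessive quantifiers remove the polynomial behavior without introducing a length cutoff. Whichever form is kept, the Javadoc should state the consequence for over-long lines, e.g. `Lines whose tail exceeds these bounds do not match and are not parsed as entries.`, and a unit test pinning the cutoff would make the behavior change deliberate. The enclosing class continues past the hunk.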