-
Notifications
You must be signed in to change notification settings - Fork 427
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
A ReDoS vulnerability exists in markdown2.py #493
Comments
Thanks for the report! Yes if you'd like to contribute a patch a PR is welcome :) |
Crozzers
added a commit
to Crozzers/python-markdown2
that referenced
this issue
Oct 18, 2023
…egex oversight. Forgot to apply all the same changes to code friendly strong re that I did to regular strong re
nicholasserra
added a commit
that referenced
this issue
Oct 20, 2023
Fix #493 persisting when `code-friendly` extra enabled
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The affected code is located in markdown2.py-line2251. It uses the vulnerable regular expression
\*\*(?=\S)(.+?[*_]*)(?<=\S)\*\*
. When the match fails, it will cause catastrophic backtracking.I trigger the vulnerability using the python script below
I can provide you a patch to repair the ReDoS vulnerability
The text was updated successfully, but these errors were encountered: