CVE-2019-16215: Fix DoS vulnerability in Markdown LINK_RE.
Any regex including a match-everything subpattern (.*, .*?, .+, or .+?) is almost automatically wrong because it fails to disambiguate when one subpattern should end and another should begin. Among other bugs, these kinds of regexes tend to be especially prone to denial of service vulnerabilities through catastrophic backtracking on strings that fail to match in a large (in this case, exponential) number of ways. Lacking a specification to say what characters should actually be allowed in these subpatterns (this syntax is too different from CommonMark to be able to precisely apply those rules), I’ve tried to make reasonable guesses and avoid changing much else.

Because Zulip doesn't store messages until they have successfully been processed by the Markdown processor, this is not a stored DoS issue. In general, Zulip protects against the broad category of DoS issues in Markdown rendering via a timeout managed by another thread. However, details of Python's regular expression implementation mean that this particular issue could prevent the timeout thread from being scheduled, resulting in this being a DoS issue.

This was fixed in master a few months ago as a side effect of abe2dab (#12979).

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
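The following is an added illustration of the two failure modes the commit message describes; it is not Zulip's code and does not reproduce the actual LINK_RE. It pairs a simplified link regex whose URL part is built from `\(.*?\)` with a rewrite that uses explicit character classes, constructs an input on which the first one backtracks exponentially, and shows why a watchdog running in another thread cannot fire while `re` is busy. The pattern names, the helper functions and the sample inputs are all assumptions made for this example.

```python
import re
import threading
import time

# Simplified stand-ins modelled on the shape the commit describes (a repeated
# group whose alternation contains `\(.*?\)`). Hypothetical: NOT the real
# LINK_RE from Zulip or Python-Markdown.

# Vulnerable: `\(.*?\)` may swallow any number of later ')' characters, so a
# URL like "()()()" can be tokenised in 2^(n-1) ways; when the overall match
# ultimately fails, the engine tries every one of them.
VULNERABLE_LINK_RE = re.compile(
    r"\[([^\]]*)\]"                        # [link text]
    r"\(\s*((?:\(.*?\)|[^()\s])*?)\s*\)"   # (url) with an ambiguous tokenisation
)

# Hardened: every token is bounded by an explicit character class, so there is
# exactly one way to consume any input and matching time is linear.
HARDENED_LINK_RE = re.compile(
    r"\[([^\]]*)\]"
    r"\(\s*((?:\([^()\s]*\)|[^()\s])*)\s*\)"
)


def parse_link(pattern, text):
    """Return (link_text, url) for the first Markdown-style link in text, else None."""
    m = pattern.search(text)
    return (m.group(1), m.group(2)) if m else None


def pathological_input(n):
    """Constructed input: n balanced '()' pairs in the URL position followed by
    an unmatched '(', so that no overall match is possible."""
    return "[x](" + "()" * n + "("


def time_search(pattern, text, repeat=3):
    """Seconds taken by the fastest of `repeat` searches (reduces timing noise)."""
    best = float("inf")
    for _ in range(repeat):
        start = time.perf_counter()
        pattern.search(text)
        best = min(best, time.perf_counter() - start)
    return best


def growth_factor(pattern, small, large):
    """Slowdown when the pathological input grows from `small` to `large` pairs.
    A linear pattern gives roughly large/small; an exponential one explodes."""
    return time_search(pattern, pathological_input(large)) / time_search(
        pattern, pathological_input(small)
    )


def watchdog_delay(pattern, text, deadline):
    """Schedule a timer thread to fire after `deadline` seconds, run the search
    on the main thread, and return (search seconds, seconds until the callback
    actually ran). _sre matches in C without releasing the GIL, so the callback
    is delayed until the search returns no matter how early it was due. This
    illustrates the commit's point about the timeout thread; Zulip's actual
    timeout mechanism differs in its details."""
    fired_at = []
    start = time.perf_counter()
    timer = threading.Timer(deadline, lambda: fired_at.append(time.perf_counter() - start))
    timer.start()
    pattern.search(text)
    elapsed = time.perf_counter() - start
    timer.join()
    return elapsed, fired_at[0]


if __name__ == "__main__":
    for pat, name in ((VULNERABLE_LINK_RE, "vulnerable"), (HARDENED_LINK_RE, "hardened")):
        print(name, parse_link(pat, "[docs](https://example.com/wiki/Foo_(bar))"))
        print(name, "slowdown from 8 to 18 pairs:", round(growth_factor(pat, 8, 18), 1))
    elapsed, fired = watchdog_delay(VULNERABLE_LINK_RE, pathological_input(20), 0.01)
    print(f"vulnerable search took {elapsed:.2f}s; the 10 ms watchdog ran after {fired:.2f}s")
```

Two caveats a reviewer of such a fix would raise. First, replacing `.*?` with an explicit class is the judgment call the commit message mentions: the hardened pattern above rejects nested parentheses inside a URL, so the allowed character set has to be chosen deliberately and covered by tests rather than assumed. Second, a thread-based timeout is no defence against a regex that never returns to the interpreter, so a linear-time pattern (or an input-length limit applied before matching) is the only thing that actually bounds the work.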