From 0babe1c6acd5b6e19ba9906251763c28b17f3b39 Mon Sep 17 00:00:00 2001 From: Mike Bayer Date: Thu, 22 Sep 2022 14:52:59 -0400 Subject: replace "dot" with "set not containing whitespace" Fixed issue in lexer in the same category as that of :ticket:`366` where the regexp used to match an end tag didn't correctly organize for matching characters surrounded by whitespace, leading to high memory / interpreter hang if a closing tag incorrectly had a large amount of unterminated space in it. Credit to Sebastian Chnelik for locating the issue. As Mako templates inherently render and directly invoke arbitrary Python code from the template source, it is **never** appropriate to create templates that contain untrusted input. Fixes: #367 Change-Id: I2f3a8665e92c1b6efcf36b1dba6e58fe0975b7da --- doc/build/changelog.rst | 7 ++++++- doc/build/unreleased/367.rst | 13 +++++++++++++ mako/lexer.py | 2 +- test/test_lexer.py | 8 +++++++- 4 files changed, 27 insertions(+), 3 deletions(-) create mode 100644 doc/build/unreleased/367.rst diff --git a/doc/build/changelog.rst b/doc/build/changelog.rst index b3f06fd..5ca49de 100644 --- a/doc/build/changelog.rst +++ b/doc/build/changelog.rst @@ -22,7 +22,12 @@ Changelog correctly interpret quoted sections individually. While this parsing issue still produced the same expected tag structure later on, the mis-handling of quoted sections was also subject to a regexp crash if a tag had a large - number of quotes within its quoted sections. + number of quotes within its quoted sections. Credit to Sebastian + Chnelik for locating the issue. + + As Mako templates inherently render and directly invoke arbitrary Python + code from the template source, it is **never** appropriate to create + templates that contain untrusted input. .. changelog:: :version: 1.2.1 diff --git a/doc/build/unreleased/367.rst b/doc/build/unreleased/367.rst new file mode 100644 index 0000000..6798e6e --- /dev/null +++ b/doc/build/unreleased/367.rst @@ -0,0 +1,13 @@ +.. change:: + :tags: bug, lexer + :tickets: 367 + + Fixed issue in lexer in the same category as that of :ticket:`366` where + the regexp used to match an end tag didn't correctly organize for matching + characters surrounded by whitespace, leading to high memory / interpreter + hang if a closing tag incorrectly had a large amount of unterminated space + in it. Credit to Sebastian Chnelik for locating the issue. + + As Mako templates inherently render and directly invoke arbitrary Python + code from the template source, it is **never** appropriate to create + templates that contain untrusted input. diff --git a/mako/lexer.py b/mako/lexer.py index 77a2483..75182f8 100644 --- a/mako/lexer.py +++ b/mako/lexer.py @@ -322,7 +322,7 @@ class Lexer: return True def match_tag_end(self): - match = self.match(r"\") + match = self.match(r"\") if match: if not len(self.tag): raise exceptions.SyntaxException( diff --git a/test/test_lexer.py b/test/test_lexer.py index a7b6fe3..f4983a3 100644 --- a/test/test_lexer.py +++ b/test/test_lexer.py @@ -148,7 +148,13 @@ class LexerTest(TemplateTest): """ assert_raises(exceptions.CompileException, Lexer(template).parse) - def test_tag_many_quotes(self): + def test_closing_tag_many_spaces(self): + """test #367""" + template = '<%def name="foo()"> this is a def.