author | Seth Morton <seth.m.morton@gmail.com> | 2020-01-27 22:37:55 -0800 |
---|---|---|
committer | Seth Morton <seth.m.morton@gmail.com> | 2020-01-27 22:49:51 -0800 |
commit | 668e4c9b45f4f2d375fdad6eba3f054acad6b7b6 (patch) | |
tree | 36752a72a9464d5e22d00228b707200e265d2b7f | |
parent | 523816512213b4bfef98dfafd29885a504a5592c (diff) | |
download | natsort-668e4c9b45f4f2d375fdad6eba3f054acad6b7b6.tar.gz |
Properly escape text injected into regex
Because I was not previously escaping text inserted into the regex, a
"." was added instead of "\.", so it let ANYTHING pass. BAD.
-rw-r--r-- | natsort/utils.py | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/natsort/utils.py b/natsort/utils.py
index 4f5ddfb..7eced63 100644
--- a/natsort/utils.py
+++ b/natsort/utils.py
@@ -495,13 +495,12 @@ def input_string_transform_factory(alg):
 if alg & ns.FLOAT:
 # Make a regular expression component that will ensure no
 # separators are removed after a decimal point.
- d = get_decimal_point()
- d = r"\." if d == r"." else d
+ d = re.escape(get_decimal_point())
 nodecimal += r"(?<!" + d + r"[0-9])"
 nodecimal += r"(?<!" + d + r"[0-9]{2})"
 nodecimal += r"(?<!" + d + r"[0-9]{3})"
 strip_thousands = strip_thousands.format(
- thou=get_thousands_sep(), nodecimal=nodecimal
+ thou=re.escape(get_thousands_sep()), nodecimal=nodecimal
 )
 strip_thousands = re.compile(strip_thousands, flags=re.VERBOSE)
 function_chain.append(partial(strip_thousands.sub, ""))
@@ -511,7 +510,7 @@ def input_string_transform_factory(alg):
 decimal = get_decimal_point()
 if alg & ns.FLOAT and decimal != ".":
 switch_decimal = r"(?<=[0-9]){decimal}|{decimal}(?=[0-9])"
- switch_decimal = switch_decimal.format(decimal=decimal)
+ switch_decimal = switch_decimal.format(decimal=re.escape(decimal))
 switch_decimal = re.compile(switch_decimal)
 function_chain.append(partial(switch_decimal.sub, ".")) |
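Review bot: The three `re.escape()` calls (on `d` and `thou=` in the first hunk, on `decimal=` in the second) carry no comment saying why the locale values are escaped, so a later refactor could drop one and bring back the over-matching the commit message describes. Above `d = re.escape(get_decimal_point())` I would add something like `# Locale separators are literal text; escape them so "." and other metacharacters cannot act as regex syntax.` The diffstat lists only natsort/utils.py, so the fix appears to land without a regression test. A case that runs the transform with "." as the thousands separator and checks that a non-separator character between digit groups is left in place would pin the behaviour. The body of input_string_transform_factory starts and ends outside both hunks, so other pattern-building sites in it could not be checked here.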