| author | Matthäus G. Chajdas <dev@anteru.net> | 2022-08-20 21:14:47 +0200 |
|---|---|---|
| committer | Matthäus G. Chajdas <dev@anteru.net> | 2022-08-20 21:14:47 +0200 |
| commit | 8a528f999462dca75806e37a8543c5fcaad8aef9 (patch) | |
| tree | 4293a1165ac6555ec6436a4b3bbd9250e6edd8ae | |
| parent | a60ed3d256a53875087e07b3557c5c766089bdbb (diff) | |
| download | pygments-git-8a528f999462dca75806e37a8543c5fcaad8aef9.tar.gz | |
More documentation fixes.
* Copy the security paragraph to security.rst
* Fix missing maintainer in docs/index.rst
* Fix incorrect emphasis markup
| -rw-r--r-- | README.rst | 4 |
|---|---|---|
| -rw-r--r-- | doc/docs/index.rst | 1 |
| -rw-r--r-- | doc/docs/security.rst | 31 |
| -rw-r--r-- | doc/index.rst | 3 |
4 files changed, 35 insertions, 4 deletions
@@ -69,10 +69,10 @@ but we will never be able to eliminate all bugs in this area. Our recommendations are: -* Ensure that the Pygments process is _terminated_ after a reasonably short +* Ensure that the Pygments process is *terminated* after a reasonably short timeout. In general Pygments should take seconds at most for reasonably-sized input. -* _Limit_ the number of concurrent Pygments processes to avoid oversubscription +* *Limit* the number of concurrent Pygments processes to avoid oversubscription of resources. The Pygments authors will treat any bug resulting in long processing times with diff --git a/doc/docs/index.rst b/doc/docs/index.rst index 6910913e..d35fe6f0 100644 --- a/doc/docs/index.rst +++ b/doc/docs/index.rst @@ -58,6 +58,7 @@ Pygments documentation changelog authors + security If you find bugs or have suggestions for the documentation, please submit them on `GitHub <https://github.com/pygments/pygments>`_. diff --git a/doc/docs/security.rst b/doc/docs/security.rst new file mode 100644 index 00000000..72f2d05d --- /dev/null +++ b/doc/docs/security.rst 
@@ -0,0 +1,31 @@ +Security considerations +----------------------- + +Pygments provides no guarantees on execution time, which needs to be taken +into consideration when using Pygments to process arbitrary user inputs. For +example, if you have a web service which uses Pygments for highlighting, there +may be inputs which will cause the Pygments process to run "forever" and/or use +significant amounts of memory. This can subsequently be used to perform a +remote denial-of-service attack on the server if the processes are not +terminated quickly. + +Unfortunately, it's practically impossible to harden Pygments itself against +those issues: Some regular expressions can result in "catastrophic +backtracking", but other bugs like incorrect matchers can also +cause similar problems, and there is no way to find them in an automated fashion +(short of solving the halting problem.) Pygments has extensive unit tests, +automated randomized testing, and is also tested by `OSS-Fuzz <https://github.com/google/oss-fuzz/tree/master/projects/pygments>`_, +but we will never be able to eliminate all bugs in this area. + +Our recommendations are: + +* Ensure that the Pygments process is *terminated* after a reasonably short + timeout. In general Pygments should take seconds at most for reasonably-sized + input. +* *Limit* the number of concurrent Pygments processes to avoid oversubscription + of resources. + +The Pygments authors will treat any bug resulting in long processing times with +high priority -- it's one of those things that will be fixed in a patch release. +When reporting a bug where you suspect super-linear execution times, please make +sure to attach an input to reproduce it.
\ No newline at end of file diff --git a/doc/index.rst b/doc/index.rst index 7b1636d5..dbd15968 100644 --- a/doc/index.rst +++ b/doc/index.rst @@ -35,8 +35,7 @@ below. The authors ----------- -Pygments is maintained by **Georg Brandl**, e-mail address *georg*\ *@*\ *python.org* -and **Matthäus Chajdas**. +Pygments is maintained by **Georg Brandl**, e-mail address *georg*\ *@*\ *python.org*, **Matthäus Chajdas** and **Jean Abou-Samra**. Many lexers and fixes have been contributed by **Armin Ronacher**, the rest of the `Pocoo <https://dev.pocoo.org/>`_ team and **Tim Hatch**. |
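Review bot: In the README.rst hunk, swapping `_terminated_` and `_Limit_` for `*terminated*` and `*Limit*` is the correct fix: reStructuredText has no underscore emphasis, so the old markup rendered literally and a trailing underscore risks being parsed as a reference. Worth a quick grep of the other .rst files for the same `_word_` pattern before merging, since this paragraph was evidently written with Markdown habits.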
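Review bot: The new doc/docs/security.rst is a verbatim copy of the README.rst section, so the two will drift the next time either is edited (this very commit had to fix the emphasis in both). Consider keeping a single source, e.g. an `.. include:: ../../README.rst` with `:start-after:` and `:end-before:` markers around the security paragraph in the README. Also, the file is missing its trailing newline (`\ No newline at end of file`); add one for consistency with the other .rst files.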
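Review bot: In the doc/index.rst hunk, the merged sentence now reads "maintained by **Georg Brandl**, e-mail address *georg*\ *@*\ *python.org*, **Matthäus Chajdas** and **Jean Abou-Samra**", which makes the e-mail address look like a second list item. Suggest setting it off in parentheses, e.g. "**Georg Brandl** (e-mail address *georg*\ *@*\ *python.org*), **Matthäus Chajdas** and **Jean Abou-Samra**". Note too that the commit message says "docs/index.rst" while the file touched is doc/index.rst.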