author | Matthäus G. Chajdas <dev@anteru.net> | 2022-08-20 20:51:31 +0200 |
---|---|---|
committer | Matthäus G. Chajdas <dev@anteru.net> | 2022-08-20 20:51:31 +0200 |
commit | 8b66725e0fe9a39d47b5c4ac4736088ecd9b5e32 (patch) | |
tree | defa2ef2dfeaaf9222f495bf8af75faa64f9c304 | |
parent | 4d723136a437422225d5f9ed83538e9ca3cf5196 (diff) | |
download | pygments-git-8b66725e0fe9a39d47b5c4ac4736088ecd9b5e32.tar.gz |
Improve wording.
-rw-r--r-- | README.rst | 11 |
1 files changed, 6 insertions, 5 deletions
@@ -51,7 +51,7 @@ Contribution guidelines are found in Contributing.md_. Security considerations ----------------------- -Pygments provides no guarantees on the execution time, which needs to be taken +Pygments provides no guarantees on execution time, which needs to be taken into consideration when using Pygments to process arbitrary user inputs. For example, if you have a web service which uses Pygments for highlighting, there may be inputs which will cause the Pygments process to run "forever" and/or use @@ -60,11 +60,12 @@ remote denial-of-service attack on the server if the processes are not terminated quickly. Unfortunately, it's practically impossible to harden Pygments itself against -those effects: Some regular expressions can result in "catastrophic +those issues: Some regular expressions can result in "catastrophic backtracking", but other bugs like incorrect matchers can also -cause similar issues, and there is no way to find them in an automated fashion -(short of solving the halting problem.) Pygments has extensive unit tests, automated randomized testing, and is also tested by `OSS-Fuzz <https://github.com/google/oss-fuzz/tree/master/projects/pygments>`_, but we will never be -able to eliminate all bugs in this area. +cause similar problems, and there is no way to find them in an automated fashion +(short of solving the halting problem.) Pygments has extensive unit tests, +automated randomized testing, and is also tested by `OSS-Fuzz <https://github.com/google/oss-fuzz/tree/master/projects/pygments>`_, +but we will never be able to eliminate all bugs in this area. Our recommendations are: |
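Review bot: in the first hunk (the `-51,7 +51,7` region) the relative clause "which needs to be taken into consideration" now hangs off "execution time" and reads as though the time itself, rather than the lack of a guarantee, must be taken into account; since the line is being touched anyway, consider splitting it: "Pygments makes no guarantees about execution time. Take this into account when using Pygments to process arbitrary user input."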
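Review bot: in the second hunk (the `-60,11 +60,12` region) the new text still says "there is no way to find them in an automated fashion (short of solving the halting problem.)" and then immediately lists automated randomized testing and OSS-Fuzz, which do find some of these bugs; "no way to find all of them automatically" would remove the contradiction, and the full stop belongs outside the parenthesis since the remark sits inside the sentence: "(short of solving the halting problem)." Lower-casing "Some" after the colon in "those issues: Some regular expressions" would also match the rest of the paragraph.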