svnwc: fix regular expression vulnerable to DoS in blame functionality

The subpattern `\d+\s*\S+` is ambiguous which makes the pattern subject to catastrophic backtracing given a string like `"1" * 5000`. SVN blame output seems to always have at least one space between the revision number and the user name, so the ambiguity can be fixed by changing the `*` to `+`. Fixes pytest-dev#256.
bluetech · Sep 4, 2020 · 4a9017d · 4a9017d
1 parent 2da2cae
commit 4a9017d
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/py/_path/svnwc.py b/py/_path/svnwc.py
@@ -396,7 +396,7 @@ def makecmdoptions(self):
     def __str__(self):
         return "<SvnAuth username=%s ...>" %(self.username,)
 
-rex_blame = re.compile(r'\s*(\d+)\s*(\S+) (.*)')
+rex_blame = re.compile(r'\s*(\d+)\s+(\S+) (.*)')
 
 class SvnWCCommandPath(common.PathBase):
     """ path implementation offering access/modification to svn working copies.