replace "dot" with "set not containing whitespace"

Fixed issue in lexer in the same category as that of 🎫`366` where the regexp used to match an end tag didn't correctly organize for matching characters surrounded by whitespace, leading to high memory / interpreter hang if a closing tag incorrectly had a large amount of unterminated space in it. Credit to Sebastian Chnelik for locating the issue. As Mako templates inherently render and directly invoke arbitrary Python code from the template source, it is **never** appropriate to create templates that contain untrusted input. Fixes: #367 Change-Id: I2f3a8665e92c1b6efcf36b1dba6e58fe0975b7da
sqlalchemy · Sep 22, 2022 · 0babe1c · 0babe1c
1 parent c2f392e
commit 0babe1c
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 3 deletions.
diff --git a/doc/build/changelog.rst b/doc/build/changelog.rst
@@ -22,7 +22,12 @@ Changelog
         correctly interpret quoted sections individually. While this parsing issue
         still produced the same expected tag structure later on, the mis-handling
         of quoted sections was also subject to a regexp crash if a tag had a large
-        number of quotes within its quoted sections.
+        number of quotes within its quoted sections.  Credit to Sebastian
+        Chnelik for locating the issue.
+
+        As Mako templates inherently render and directly invoke arbitrary Python
+        code from the template source, it is **never** appropriate to create
+        templates that contain untrusted input.
 
 .. changelog::
     :version: 1.2.1

diff --git a/doc/build/unreleased/367.rst b/doc/build/unreleased/367.rst
@@ -0,0 +1,13 @@
+.. change::
+    :tags: bug, lexer
+    :tickets: 367
+
+    Fixed issue in lexer in the same category as that of :ticket:`366` where
+    the regexp used to match an end tag didn't correctly organize for matching
+    characters surrounded by whitespace, leading to high memory / interpreter
+    hang if a closing tag incorrectly had a large amount of unterminated space
+    in it. Credit to Sebastian Chnelik for locating the issue.
+
+    As Mako templates inherently render and directly invoke arbitrary Python
+    code from the template source, it is **never** appropriate to create
+    templates that contain untrusted input.
diff --git a/mako/lexer.py b/mako/lexer.py
@@ -322,7 +322,7 @@ def match_tag_start(self):
         return True
 
     def match_tag_end(self):
-        match = self.match(r"\</%[\t ]*(.+?)[\t ]*>")
+        match = self.match(r"\</%[\t ]*([^\t ]+?)[\t ]*>")
         if match:
             if not len(self.tag):
                 raise exceptions.SyntaxException(

diff --git a/test/test_lexer.py b/test/test_lexer.py
@@ -148,7 +148,13 @@ def test_noexpr_allowed(self):
         """
         assert_raises(exceptions.CompileException, Lexer(template).parse)
 
-    def test_tag_many_quotes(self):
+    def test_closing_tag_many_spaces(self):
+        """test #367"""
+        template = '<%def name="foo()"> this is a def. </%' + " " * 10000
+        assert_raises(exceptions.SyntaxException, Lexer(template).parse)
+
+    def test_opening_tag_many_quotes(self):
+        """test #366"""
         template = "<%0" + '"' * 3000
         assert_raises(exceptions.SyntaxException, Lexer(template).parse)