This is an automated email from the ASF dual-hosted git repository. ggregory pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/commons-net.git
commit f6717be6a4fade0de09f5ad9c509bb69b9867cb7
Author: Gary Gregory <garydgreg...@gmail.com>
AuthorDate: Fri Feb 23 14:17:32 2024 -0500
Guard against polynomial regular expression used on uncontrolled data in VMSVersioningFTPEntryParser
---
 src/changes/changes.xml | 1 +
 .../commons/net/ftp/parser/VMSVersioningFTPEntryParser.java | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 96aa4c7d..6cfc97e8 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -67,6 +67,7 @@ The <action> type attribute can be add,update,fix,remove.
 <release version="3.11.0" date="202Y-MM-DD" description="Maintenance and bug fix release (Java 8 or above).">
 <!-- FIX -->
 <action type="fix" dev="ggregory" due-to="Gary Gregory">Precompile regular expression in UnixFTPEntryParser.preParse(List<String>).</action>
+ <action type="fix" dev="ggregory" due-to="Gary Gregory">Guard against polynomial regular expression used on uncontrolled data in VMSVersioningFTPEntryParser.</action>
 <!-- ADD -->
 <action type="add" issue="NET-726" dev="ggregory" due-to="PJ Fanning, Gary Gregory">Add protected getters to FTPSClient #204.</action>
 <action type="add" dev="ggregory" due-to="Gary Gregory">Add SubnetUtils.toString().</action>
diff --git a/src/main/java/org/apache/commons/net/ftp/parser/VMSVersioningFTPEntryParser.java b/src/main/java/org/apache/commons/net/ftp/parser/VMSVersioningFTPEntryParser.java
index 5f763516..a74eac26 100644
--- a/src/main/java/org/apache/commons/net/ftp/parser/VMSVersioningFTPEntryParser.java
+++ b/src/main/java/org/apache/commons/net/ftp/parser/VMSVersioningFTPEntryParser.java
@@ -43,7 +43,13 @@ import org.apache.commons.net.ftp.FTPClientConfig;
 */
 public class VMSVersioningFTPEntryParser extends VMSFTPEntryParser {
- private static final String REGEX = "(.*?);([0-9]+)\\s*.*";
+ /**
+ * Guard against polynomial regular expression used on uncontrolled data.
+ * Don't look for more than 20 digits for the version.
+ * Don't look for more than 80 spaces after the version.
+ * Don't look for more than 80 characters after the spaces.
+ */
+ private static final String REGEX = "(.*?);([0-9]{1,20})\\s{0,80}.{0,80}";
 private static final Pattern PATTERN = Pattern.compile(REGEX);
 /**
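Review bot: The bounded quantifiers in the new `REGEX` line turn the old "match any remainder" tail into a hard acceptance limit: an entry with more than 80 whitespace characters, or more than 80 further characters, after the version number no longer matches at all, so if `PATTERN` is applied with `Matcher.matches()` in `preParse` (outside this hunk) such lines are silently dropped from the parsed listing instead of being returned. That is a reasonable trade-off for a ReDoS guard, but the field Javadoc only states the limits, not the consequence; add a line such as `* Entries whose text after the version exceeds these limits do not match and are skipped.` A unit test feeding one entry with a few hundred trailing characters would pin whichever behaviour is intended. The remaining unbounded `(.*?);` prefix still retries once per `;` in the entry, which is linear and acceptable; the quadratic overlap between `\\s*` and `.*` is what the new bounds remove.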