pallets / werkzeug

The comprehensive WSGI web application library.
https://werkzeug.palletsprojects.com
BSD 3-Clause "New" or "Revised" License

Update HTTP parse_options_headers method to avoid using regex for options matching #2907

Closed aneshujevic closed 3 weeks ago

aneshujevic commented 3 months ago

When parsing certain Content-Type headers, the HTTP parser would take too much time because of exhaustive regex matching.

Instead of using regex matching for parsing options, we're using an FSM (similar to the one used in Django; actually, the main idea was taken from there), so the performance is much better and the exhaustive regex matching is avoided. This way we won't have performance issues when someone tries something like ReDoS on options headers.

fixes #2904

Please take a look at the PR so we can fix the issue, thanks!

Also wanted to thank you for one of the best and most comprehensive test suites I've seen. It eased the development a lot, so thank you once more!
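As an added illustration of the single-pass approach the PR describes, here is a small finite-state parser for `;`-separated header options. This is example code written for this page; it is not Werkzeug's, Django's, or the PR author's implementation, and the function name and the inputs in `__main__` are constructed for the demonstration. Every character is consumed exactly once, so the running time is bounded by the length of the header no matter how the input is crafted, which is the property that removes the ReDoS exposure of a backtracking regex.

```python
import time


def parse_options_header(value: str) -> tuple[str, dict[str, str]]:
    """Split ``main; k=v; k2="quoted v"`` into (main, {k: v}) in one linear pass.

    Hypothetical example parser (not Werkzeug's): a small finite-state machine
    that consumes each character exactly once, so the cost is bounded by
    len(value) regardless of how the input is crafted.  The main value and the
    option keys are lowercased; quoted values keep their spacing and may contain
    ``;``/``=`` and backslash escapes; a segment without ``=`` is dropped; an
    unterminated quote is closed at end of input.
    """
    main, sep, rest = value.partition(";")
    main = main.strip().lower()
    options: dict[str, str] = {}
    if not sep:
        return main, options

    state = "key"
    key_chars: list[str] = []
    val_chars: list[str] = []

    def commit(quoted: bool) -> None:
        # Store the option collected so far and reset the buffers.
        nonlocal key_chars, val_chars
        key = "".join(key_chars).strip().lower()
        val = "".join(val_chars)
        if key:
            options[key] = val if quoted else val.strip()
        key_chars, val_chars = [], []

    for ch in rest:
        if state == "key":  # collecting the option name
            if ch == "=":
                state = "value"
            elif ch == ";":
                key_chars = []  # name without '=': discard the segment
            else:
                key_chars.append(ch)
        elif state == "value":  # just after '=', before the first value char
            if ch in " \t":
                continue
            if ch == '"':
                state = "quoted"
            elif ch == ";":
                commit(quoted=False)
                state = "key"
            else:
                val_chars.append(ch)
                state = "unquoted"
        elif state == "unquoted":  # bare value, runs to the next ';'
            if ch == ";":
                commit(quoted=False)
                state = "key"
            else:
                val_chars.append(ch)
        elif state == "quoted":  # inside "..."
            if ch == "\\":
                state = "escape"
            elif ch == '"':
                commit(quoted=True)
                state = "after_quote"
            else:
                val_chars.append(ch)
        elif state == "escape":  # character following a backslash inside quotes
            val_chars.append(ch)
            state = "quoted"
        elif state == "after_quote":  # ignore trailing junk until the next ';'
            if ch == ";":
                state = "key"

    # End of input: flush an option that is still being collected.
    if state in ("value", "unquoted"):
        commit(quoted=False)
    elif state in ("quoted", "escape"):
        commit(quoted=True)
    return main, options


if __name__ == "__main__":
    print(parse_options_header('multipart/form-data; boundary="a; b\\"c"; x = y'))
    # Constructed pathological input: a long run of separators of the kind a
    # backtracking regex might re-scan repeatedly; here it is handled in one pass.
    hostile = "text/plain; " + "; " * 200_000 + 'x="y"'
    t0 = time.perf_counter()
    result = parse_options_header(hostile)
    print(result, f"{time.perf_counter() - t0:.3f}s for {len(hostile)} chars")
```

The state names are explicit so the transitions can be checked against the grammar by eye; the only way to leave a state is to consume a character, which is what guarantees the linear bound. Behaviour on malformed input (dropped value-less segments, auto-closed quotes) is a choice made for this example and is documented in the docstring rather than assumed to match any library.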

davidism commented 3 months ago

Thank you, I may not have time until after PyCon to review this, but I will get to it.

davidism commented 3 weeks ago

After reviewing this PR and my previous refactoring work on this function, I decided to go with a different implementation in #2939. Thanks for working on this!