From: <mi...@us...> - 2019-12-12 13:04:59
Revision: 8435
http://sourceforge.net/p/docutils/code/8435
Author: milde
Date: 2019-12-12 13:04:57 +0000 (Thu, 12 Dec 2019)
Log Message:
-----------
Document possible heavy resource use when parsing untrusted input.
See bug #381.
Modified Paths:
--------------
trunk/docutils/docs/howto/security.txt
trunk/docutils/docutils/statemachine.py
Modified: trunk/docutils/docs/howto/security.txt
===================================================================
--- trunk/docutils/docs/howto/security.txt 2019-12-04 19:27:04 UTC (rev 8434)
+++ trunk/docutils/docs/howto/security.txt 2019-12-12 13:04:57 UTC (rev 8435)
@@ -23,7 +23,7 @@
secure the Docutils software in your applications.
Docutils does not come in a through-the-web secure state, because this
-would inconvenience ordinary users
+would inconvenience ordinary users.
__ ../../FAQ.html#are-there-any-weblog-blog-projects-that-use-restructuredtext-syntax
__ ../../FAQ.html#are-there-any-wikis-that-use-restructuredtext-syntax
@@ -66,6 +66,17 @@
.. _raw_enabled: ../user/config.html#raw-enabled
+CPU and memory utilization
+--------------------------
+
+Parsing complex reStructuredText documents may require high processing
+ressources. This enables `Denial of Service` attacs using specially crafted
+input.
+
+It is recommended to enforce limits for the computation time and resource
+utilization of the Docutils process when processing untrusted input.
+
+
Securing Docutils
=================
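Review bot: the new "CPU and memory utilization" section has two spelling errors in the added lines ("ressources" should be "resources", "attacs" should be "attacks"), and `Denial of Service` in single backticks is reStructuredText interpreted text, which renders with the default role (a title reference) rather than as plain or emphasized text; write it as plain text or as `*Denial of Service*`. The recommendation to "enforce limits for the computation time and resource utilization" would help integrators more if it named the mechanism the paragraph has in mind (a process-level timeout and memory cap applied to the Docutils process, or running the conversion in a separate worker), and a reference to bug #381 from the commit message would let readers find the details. The doubled blank line before "Securing Docutils" can be reduced to the single blank line used between the other sections of this file.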
Modified: trunk/docutils/docutils/statemachine.py
===================================================================
--- trunk/docutils/docutils/statemachine.py 2019-12-04 19:27:04 UTC (rev 8434)
+++ trunk/docutils/docutils/statemachine.py 2019-12-12 13:04:57 UTC (rev 8435)
@@ -1500,7 +1500,6 @@
transition name.
"""
-
def string2lines(astring, tab_width=8, convert_whitespace=False,
whitespace=re.compile('[\v\f]')):
"""
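Review bot: this hunk only removes a blank line between the preceding docstring and `def string2lines`, which is unrelated to the documentation change described in the log message; a whitespace-only cleanup is easier to review and bisect in its own commit. As displayed here, `def string2lines(` follows the closing `"""` of the previous definition directly; please confirm that two blank lines remain between the top-level definitions so the module stays consistent with PEP 8.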
@@ -1518,6 +1517,8 @@
"""
if convert_whitespace:
astring = whitespace.sub(' ', astring)
+ # TODO: add a test for too long lines (max_line_lenght = 1000, say)?
+ # See bug #381.
return [s.expandtabs(tab_width).rstrip() for s in astring.splitlines()]
def _exception_data():
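Review bot: the added TODO in `string2lines` does not change behaviour, so this commit does not actually limit line length; a reader who sees `max_line_lenght = 1000` (note the typo, should be `max_line_length`) may assume a guard exists when it does not. Either implement the check here (for example, a configurable maximum that raises or truncates, with the setting documented alongside the new security section) or keep the idea in bug #381 rather than in shipped code. Also note that a per-line length cap alone would not bound the parsing cost of a document made of many short lines, which is the broader resource concern the howto now describes, so the docs' recommendation of external process limits remains the primary mitigation.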