diff options
| author | John Perkins <john.perkins@rackspace.com> | 2014-10-06 16:24:57 -0500 |
|---|---|---|
| committer | Tristan Cacqueray <tristan.cacqueray@enovance.com> | 2014-11-19 15:23:12 +0000 |
| commit | ad6fefcb4d4068b46b69284e277df6ab2ee30105 (patch) | |
| tree | 76c576972bb615a5215f3c400728c5ae5ece8127 | |
| parent | 6c476224f62770679f779dc6c13be3879b3a5ed8 (diff) | |
| download | neutron-ad6fefcb4d4068b46b69284e277df6ab2ee30105.tar.gz | |
Fix hostname regex pattern
Current hostname_pattern regex complexity grows exponentially
when given a string of just digits, which can be exploited to
cause neutron-server to freeze.
Change-Id: I886c6d883a9cb0acd9908495eec50bf0411d8ba8
Closes-bug: #1378450
| -rw-r--r-- | neutron/api/v2/attributes.py | 4 | ||||
| -rw-r--r-- | neutron/tests/unit/test_attributes.py | 1 |
2 files changed, 3 insertions, 2 deletions
diff --git a/neutron/api/v2/attributes.py b/neutron/api/v2/attributes.py index 83471f946e..21486dbd39 100644 --- a/neutron/api/v2/attributes.py +++ b/neutron/api/v2/attributes.py @@ -540,8 +540,8 @@ def convert_to_list(data): return [data] -HOSTNAME_PATTERN = ("(?=^.{1,254}$)(^(?:(?!\d+\.|-)[a-zA-Z0-9_\-]" - "{1,63}(?<!-)\.?)+(?:[a-zA-Z]{2,})$)") +HOSTNAME_PATTERN = ("(?=^.{1,254}$)(^(?:(?!\d+.|-)[a-zA-Z0-9_\-]{1,62}" + "[a-zA-Z0-9]\.?)+(?:[a-zA-Z]{2,})$)") HEX_ELEM = '[0-9A-Fa-f]' UUID_PATTERN = '-'.join([HEX_ELEM + '{8}', HEX_ELEM + '{4}', diff --git a/neutron/tests/unit/test_attributes.py b/neutron/tests/unit/test_attributes.py index 2fb268d07a..f8cb462b3e 100644 --- a/neutron/tests/unit/test_attributes.py +++ b/neutron/tests/unit/test_attributes.py @@ -281,6 +281,7 @@ class TestAttributes(base.BaseTestCase): ['www.hostname.com', 'www.hostname.com'], ['77.hostname.com'], ['1000.0.0.1'], + ['111111111111111111111111111111111111111111111111111111111111'], # noqa None] for ns in ns_pools: |