| author | milde <milde@929543f6-e4f2-0310-98a6-ba3bd3dd1d04> | 2019-12-12 13:04:57 +0000 |
|---|---|---|
| committer | milde <milde@929543f6-e4f2-0310-98a6-ba3bd3dd1d04> | 2019-12-12 13:04:57 +0000 |
| commit | 9ce43ce62b9fe9ec4f51404ef8917f39af3a4aa2 (patch) | |
| tree | 407f8f2636ca42424a8212d0a304b1cb8f2e8fed /docutils | |
| parent | ea3ba80cb3a17a9ca2c6ed7f0a64cb9f36f24bb8 (diff) | |
| download | docutils-9ce43ce62b9fe9ec4f51404ef8917f39af3a4aa2.tar.gz | |
Document possible heavy resource use when parsing untrusted input.
See bug #381.
git-svn-id: http://svn.code.sf.net/p/docutils/code/trunk@8435 929543f6-e4f2-0310-98a6-ba3bd3dd1d04
Diffstat (limited to 'docutils')
| -rw-r--r-- | docutils/docs/howto/security.txt | 13 | ||||
| -rw-r--r-- | docutils/docutils/statemachine.py | 3 |
2 files changed, 14 insertions, 2 deletions
diff --git a/docutils/docs/howto/security.txt b/docutils/docs/howto/security.txt
index 104173e63..0fc349167 100644
--- a/docutils/docs/howto/security.txt
+++ b/docutils/docs/howto/security.txt
@@ -23,7 +23,7 @@ have been addressed. This document provides instructions to help you secure the Docutils software in your applications. Docutils does not come in a through-the-web secure state, because this
-would inconvenience ordinary users
+would inconvenience ordinary users.
 
 __ ../../FAQ.html#are-there-any-weblog-blog-projects-that-use-restructuredtext-syntax
 __ ../../FAQ.html#are-there-any-wikis-that-use-restructuredtext-syntax
@@ -66,6 +66,17 @@ be disabled by setting "raw_enabled_" to 0/false.
 
 .. _raw_enabled: ../user/config.html#raw-enabled
 
+CPU and memory utilization
+--------------------------
+
+Parsing complex reStructuredText documents may require high processing
+ressources. This enables `Denial of Service` attacs using specially crafted
+input.
+
+It is recommended to enforce limits for the computation time and resource
+utilization of the Docutils process when processing untrusted input.
+
+
 Securing Docutils
 =================
 
diff --git a/docutils/docutils/statemachine.py b/docutils/docutils/statemachine.py
index ec5351887..a30044759 100644
--- a/docutils/docutils/statemachine.py
+++ b/docutils/docutils/statemachine.py
@@ -1500,7 +1500,6 @@ class StateCorrection(Exception):
 transition name.
 """
 
-
 def string2lines(astring, tab_width=8, convert_whitespace=False,
 whitespace=re.compile('[\v\f]')):
 """
@@ -1518,6 +1517,8 @@ def string2lines(astring, tab_width=8, convert_whitespace=False,
 """
 if convert_whitespace:
 astring = whitespace.sub(' ', astring)
+ # TODO: add a test for too long lines (max_line_lenght = 1000, say)?
+ # See bug #381.
 return [s.expandtabs(tab_width).rstrip() for s in astring.splitlines()]
 
 def _exception_data():
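Review bot: The TODO comment added before the `return` in `string2lines` misspells the name it proposes, `max_line_lenght`; if bug #381 is later implemented under that name the typo would end up in a public setting, so it is worth fixing now: `# TODO: add a test for too long lines (max_line_length = 1000, say)?`. The comment also leaves open what the check should do when a line exceeds the limit (truncate, drop the line, or report a system message), which is the decision that matters for untrusted input; a second sentence recording the intended behaviour, or a pointer to where that is discussed in bug #381, would help whoever picks it up. The enclosing function string2lines begins outside this hunk.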
