gh-146333: Fix quadratic regex backtracking in configparser option parsing#146399
Merged
encukou merged 2 commits intopython:mainfrom Apr 7, 2026
Merged
Conversation
|
All commit authors signed the Contributor License Agreement. |
joshuaswanson
force-pushed
the
fix/configparser-regex-backtracking
branch
from
12c55b1 to
fe7efda
Compare
| # Compiled regular expression for matching sections | ||
| SECTCRE = re.compile(_SECT_TMPL, re.VERBOSE) | ||
| # Compiled regular expression for matching options with typical separators | ||
| OPTCRE = re.compile(_OPT_TMPL.format(delim="=|:"), re.VERBOSE) |
Member
There was a problem hiding this comment.
This is safe because the option name is already stripped via .rstrip() in _handle_option (line 1160), and the value is stripped via .strip() (line 1169).
The regexes are publicly exposed, this breaks it for people who use them directly.
joshuaswanson
force-pushed
the
fix/configparser-regex-backtracking
branch
from
fe7efda to
85407ee
Compare
Contributor
Author
|
Good point, thanks. Updated to keep the regexes unchanged. Instead, |
Member
|
Overriding Would it work to add negative lookahead, @joshuaswanson, please don't force-push to CPython PR branches -- it makes the changes a little harder to follow for reviewers, and every PR gets squashed anyway. |
Contributor
Author
|
Won't force-push again, sorry about that. The simple The fix restructures the option group to |
Member
|
This looks good, thank you! |
Member
|
The issue was tagged with "security". Should we backport this change to all supported Python versions (3.10-3.14)? |
encukou
added
needs backport to 3.10
|
Thanks @joshuaswanson for the PR, and @encukou for merging it 🌮🎉.. I'm working now to backport this PR to: 3.10. |
Member
|
Yes. |
|
Thanks @joshuaswanson for the PR, and @encukou for merging it 🌮🎉.. I'm working now to backport this PR to: 3.11. |
|
Thanks @joshuaswanson for the PR, and @encukou for merging it 🌮🎉.. I'm working now to backport this PR to: 3.12. |
|
Thanks @joshuaswanson for the PR, and @encukou for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13. |
|
Thanks @joshuaswanson for the PR, and @encukou for merging it 🌮🎉.. I'm working now to backport this PR to: 3.14. |
|
Sorry, @joshuaswanson and @encukou, I could not cleanly backport this to |
|
Sorry, @joshuaswanson and @encukou, I could not cleanly backport this to |
|
Sorry, @joshuaswanson and @encukou, I could not cleanly backport this to |
|
Sorry, @joshuaswanson and @encukou, I could not cleanly backport this to |
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this pull request
Apr 9, 2026
…ion parsing (pythonGH-146399) Use negative lookahead in option regex to prevent backtracking, and to avoid changing logic outside the regexes (since people could use the regex directly). (cherry picked from commit 7e0a0be) Co-authored-by: Joshua Swanson <22283299+joshuaswanson@users.noreply.github.com>
|
GH-148287 is a backport of this pull request to the 3.14 branch. |
| parser = configparser.RawConfigParser() | ||
| content = "[section]\n" + "x" + " " * 40000 + "y" + "\n" | ||
| # This should complete almost instantly. Before the fix, | ||
| # it would take over a minute due to catastrophic backtracking. |
Member
There was a problem hiding this comment.
On my system it takes ~8 seconds, I suggest increasing it in backports to a larger number of whitespace, as 8 seconds is short enough that it could be missed.
Member
There was a problem hiding this comment.
A minute could be missed as well :/
I'm afraid this is fuzzer material; our tests can't quite do time complexity checking.
gpshead
pushed a commit
that referenced
this pull request
Apr 12, 2026
…tion parsing (GH-146399) (#148287) gh-146333: Fix quadratic regex backtracking in configparser option parsing (GH-146399) Use negative lookahead in option regex to prevent backtracking, and to avoid changing logic outside the regexes (since people could use the regex directly). (cherry picked from commit 7e0a0be) Co-authored-by: Joshua Swanson <22283299+joshuaswanson@users.noreply.github.com>
|
GH-148559 is a backport of this pull request to the 3.13 branch. |
encukou
pushed a commit
to encukou/cpython
that referenced
this pull request
Apr 14, 2026
…ser option parsing (pythonGH-146399) Use negative lookahead in option regex to prevent backtracking, and to avoid changing logic outside the regexes (since people could use the regex directly). (cherry picked from commit 7e0a0be) Co-authored-by: Joshua Swanson <22283299+joshuaswanson@users.noreply.github.com>
encukou
added a commit
that referenced
this pull request
Apr 15, 2026
…tion parsing (GH-146399) (GH-148559) Use negative lookahead in option regex to prevent backtracking, and to avoid changing logic outside the regexes (since people could use the regex directly). (cherry picked from commit 7e0a0be) Co-authored-by: Joshua Swanson <22283299+joshuaswanson@users.noreply.github.com>
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The
_OPT_TMPLand_OPT_NV_TMPLregexes have quadratic backtracking when a line contains many spaces between non-delimiter characters. The lazy.*?in the option group and the\s*before the delimiter overlap on whitespace, so the engine tries every possible split point.The fix removes
\s*before the delimiter. This is safe because the option name is already stripped via.rstrip()in_handle_option(line 1160), and the value is stripped via.strip()(line 1169).Before:
x+ 40000 spaces +ytakes ~86 secondsAfter: ~0.004 seconds
configparser.RawConfigParser.{OPTCRE,OPTCRE_NV}regexes vulnerable to quadratic backtracking #146333