The following regular expression used in the "o" formatter is vulnerable to ReDoS:
/\s*\n\s*/
The slowdown is moderately low: for 50.000 characters around 2 seconds matching time. However, I would still suggest one of the following:
If needed, I can provide an actual example showing the slowdown.
Thanks for the report. Patch welcome! The %o formatter by design needs to remove the newlines but any performance optimizations are 鉂わ笍 馃憤
@TooTallNate As far as I can tell no security patch for this issue has yet been released for 3.x, is this in the works? Thanks!
@fadookie Yes correct, thanks for the nudge. v3.1.0 has now been published.
Hello,
My name is Yaniv Nizry I鈥檓 an Application Security Researcher from CxSCA group at Checkmarx,
after looking into this issue we noticed that it might not have been resolved.
For more information please contact us at:
[email protected]
Thanks,
Yaniv
@yaniv-checkmarx Hi. Feel free to submit a report to me at josh.[email protected] if you think you've found a security issue with debug. Please be sure to specify _exactly_ which versions and/or version ranges you think the vulnerability pertains to.
Thanks.
@Qix- Hi, I sent you on September 14th the email, don't know if you got it.
Are there any updates?
Hi @yaniv-checkmarx, I've been focused on other things the last few weeks. Apologies. I'll take a look within the next week to see if I can validate.
@Qix- pinging you on this issue :)
Confirmed, regressed in 6ab9525c9841b656d996e521cf86192d5647483a a long while ago.
Will push a fix, thank you for the report @yaniv-checkmarx @Eden-checkmarx. Apologies for the delay until now.
Most helpful comment
Confirmed, regressed in
6ab9525c9841b656d996e521cf86192d5647483aa long while ago.Will push a fix, thank you for the report @yaniv-checkmarx @Eden-checkmarx. Apologies for the delay until now.