5797f013b3
Any regex including a match-everything subpattern (.*, .*?, .+, or
.+?) is almost automatically wrong because it fails to disambiguate
when one subpattern should end and another should begin. Among other
bugs, these kind of regexes tend to be especially prone to denial of
service vulnerabilities through catastrophic backtracking on strings
that fail to match in a large (in this case, exponential) number of
ways.
Lacking a specification to say what characters should actually be
allowed in these subpatterns (this syntax is too different from
CommonMark to be able to precisely apply those rules), I’ve tried to
make reasonable guesses and avoid changing much else.
Because Zulip doesn't store messages until they have successfully been
processed by the Markdown processor, this is not a stored DoS issue.
In general, Zulip protects against the broad category of DoS issues in
Markdown rendering via a timeout managed by another thread. However,
details of Python's regular expression implementation mean that this
particular issue could prevent the timeout thread from being
scheduled, resulting in this being a DoS issue.
This was fixed in master a few months ago as a side effect of
abe2dab88c (#12979).
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
Zulip overview
Zulip is a powerful, open source group chat application that combines the immediacy of real-time chat with the productivity benefits of threaded conversations. Zulip is used by open source projects, Fortune 500 companies, large standards bodies, and others who need a real-time chat system that allows users to easily process hundreds or thousands of messages a day. With over 500 contributors merging over 500 commits a month, Zulip is also the largest and fastest growing open source group chat project.
Getting started
Click on the appropriate link below. If nothing seems to apply, join us on the Zulip community server and tell us what's up!
You might be interested in:
-
Contributing code. Check out our guide for new contributors to get started. Zulip prides itself on maintaining a clean and well-tested codebase, and a stock of hundreds of beginner-friendly issues.
-
Contributing non-code. Report an issue, translate Zulip into your language, write for the Zulip blog, or give us feedback. We would love to hear from you, even if you're just trying the product out.
-
Supporting Zulip. Advocate for your organization to use Zulip, write a review in the mobile app stores, or upvote Zulip on product comparison sites.
-
Checking Zulip out. The best way to see Zulip in action is to drop by the Zulip community server. We also recommend reading Zulip for open source, Zulip for companies, or Zulip for working groups and part time communities.
-
Running a Zulip server. Setting up a server takes just a couple of minutes. Zulip runs on Ubuntu 18.04 Bionic, Ubuntu 16.04 Xenial, Ubuntu 14.04 Trusty, and Debian 9 Stretch. The installation process is documented here. Commercial support is available; see https://zulipchat.com/plans for details.
-
Using Zulip without setting up a server. https://zulipchat.com offers free and commercial hosting.
-
Applying for a Zulip internship. Zulip runs internship programs with Outreachy, Google Summer of Code, and the MIT Externship program. Zulip also participates in Google Code-In. More information is available here.
You may also be interested in reading our blog or following us on twitter. Zulip is distributed under the Apache 2.0 license.