Fixed potential DoS attack via WHEEL_INFO_RE

agronholm · agronholm · commit 88f02bc335d5 · 2022-10-20T17:13:33.000+03:00
diff --git a/docs/news.rst b/docs/news.rst
@@ -9,6 +9,7 @@ Release Notes
 - The handling of ``license_files`` (including glob patterns and default
   values) is now delegated to ``setuptools>=57.0.0`` (#466).
   The package dependencies were updated to reflect this change.
+- Fixed potential DoS attack via the ``WHEEL_INFO_RE`` regular expression
 
 **0.37.1 (2021-12-22)**
 
diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py
@@ -16,8 +16,8 @@
 # Non-greedy matching of an optional build number may be too clever (more
 # invalid wheel filenames will match). Separate regex for .dist-info?
 WHEEL_INFO_RE = re.compile(
-    r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.+?))(-(?P<build>\d[^-]*))?
-     -(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)\.whl$""",
+    r"""^(?P<namever>(?P<name>[^-]+?)-(?P<ver>[^-]+?))(-(?P<build>\d[^-]*))?
+     -(?P<pyver>[^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)\.whl$""",
     re.VERBOSE,
 )
 
