
security: bump regex to 1.5.5

Open scooter-dangle opened this issue 3 years ago • 2 comments

See https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e
Without updating, specially crafted regexes can drastically slow the user's browser, like those found here: https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e#diff-9c2f636f44f7cd30a1a5886dd0a5db50fba5ad5359abc03a055b030bdbc9d3f0R189-R194
Note: I've had trouble building locally. There might be maximum supported Rust and/or cargo-web versions?

> rustc --version
rustc 1.59.0 (9d1b2106e 2022-02-23)
> cargo web --version
cargo-web 0.6.26

scooter-dangle, Mar 16 '22 16:03

@lpil, no rush. Do you know when you might have time to look at this?

scooter-dangle, Mar 18 '22 17:03

Hi @scooter-dangle ! Thanks for this.

I made this in an afternoon a few years ago and I've not looked at it since. I couldn't tell you how to compile it any more if the existing configuration does not work.

I'm not going to be putting work into this but I will gladly accept a contribution with it compiled. I wouldn't consider this a security issue as the only way to enter a bad regex is for the user to enter it themselves, and the worst it could do is lock up a browser tab in the user's browser.

lpil, Mar 25 '22 18:03