
0001-SECURITY-Disable-various-lexers-because-of-DoS-attac.patch

Authored by: Legoktm, Mar 23 2021, 1:55 AM
Size: 2 KB

From 58bf2ac2bbab8998063a3c335e5c2fe89497f4db Mon Sep 17 00:00:00 2001
From: Kunal Mehta <legoktm@member.fsf.org>
Date: Wed, 10 Mar 2021 10:24:23 -0800
Subject: [PATCH] SECURITY: Disable various lexers because of DoS attacks

It is possible to trigger an infinite loop in "sml", causing a
DoS (CVE-2021-20270).

In "adl", "cadl", "odin", "ceylon", "evoque", "factor", "logos", "matlab"
and "vcl" it is possible to trigger a regex DoS (CVE-2021-27291).

SyntaxHighlight will fall back to displaying the code as <pre> formatted
text instead.

Bug: T276843
Change-Id: Iecdcc98d9d2eb838c7192171bca34d79f031213c
---
SyntaxHighlight.lexers.php | 36 +++++++++++++++++++++++-------------
1 file changed, 23 insertions(+), 13 deletions(-)
diff --git a/SyntaxHighlight.lexers.php b/SyntaxHighlight.lexers.php
index f64672e..968dd72 100644
--- a/SyntaxHighlight.lexers.php
+++ b/SyntaxHighlight.lexers.php
@@ -11,7 +11,8 @@ return [
'ada',
'ada2005',
'ada95',
- 'adl',
+ // Disabled because of CVE-2021-27291
+ // 'adl',
'agda',
'aheui',
'ahk',
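Review bot: the comment on the disabled `'adl'` entry cites only the CVE, so nothing in the file says when it may be re-enabled. Since the same one-line comment is repeated for every disabled lexer in this patch, consider pointing each at the tracking bug from the commit message (`// Disabled because of CVE-2021-27291, see T276843`) or at the upstream Pygments release that carries the fix, so a later maintainer can tell whether the suppression is still needed without rediscovering it.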
@@ -80,12 +81,14 @@ return [
'c++-objdumb',
'c-objdump',
'ca65',
- 'cadl',
+ // Disabled because of CVE-2021-27291
+ // 'cadl',
'camkes',
'capdl',
'capnp',
'cbmbas',
- 'ceylon',
+ // Disabled because of CVE-2021-27291
+ // 'ceylon',
'cf3',
'cfc',
'cfengine3',
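Review bot: `'cadl'` and `'ceylon'` are each disabled by commenting out a single alias, whereas the vcl and matlab hunks in this same patch disable several aliases of one lexer together (`vcl`, `vclsnippet`, `vclsnippets`). It is worth confirming for these two that no other alias of the same Pygments lexer remains in the list, since an alias left enabled would presumably still select the affected lexer regardless of this edit.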
@@ -193,12 +196,14 @@ return [
'erb',
'erl',
'erlang',
- 'evoque',
+ // Disabled because of CVE-2021-27291
+ // 'evoque',
'ex',
'exs',
'extempore',
'ezhil',
- 'factor',
+ // Disabled because of CVE-2021-27291
+ // 'factor',
'fan',
'fancy',
'felix',
@@ -366,7 +371,8 @@ return [
'live-script',
'livescript',
'llvm',
- 'logos',
+ // Disabled because of CVE-2021-27291
+ // 'logos',
'logtalk',
'lsl',
'lua',
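Review bot: because `'logos'` (like the other entries) is commented out rather than removed, the change survives only as long as this file is hand-edited. If SyntaxHighlight.lexers.php is regenerated from the installed Pygments lexer list by a script, the next regeneration would silently restore the entry. If that is how the file is produced, encode the disabled set where the list is generated, or add a test asserting these aliases are absent, rather than relying on this file alone.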
@@ -379,8 +385,9 @@ return [
'mask',
'mason',
'mathematica',
- 'matlab',
- 'matlabsession',
+ // Disabled because of CVE-2021-27291
+ // 'matlab',
+ // 'matlabsession',
'mawk',
'md',
'menuconfig',
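Review bot: `'matlabsession'` is disabled under CVE-2021-27291 although the commit message names only `matlab` (the same applies to `vclsnippet` and `vclsnippets` versus `vcl`). If it is disabled because it shares the affected lexer code, say so in the commit message or in the comment; otherwise a reader comparing the message against the diff sees an undocumented extra removal.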
@@ -447,7 +454,8 @@ return [
'objj',
'ocaml',
'octave',
- 'odin',
+ // Disabled because of CVE-2021-27291
+ // 'odin',
'ooc',
'opa',
'openbugs',
@@ -572,7 +580,8 @@ return [
'smali',
'smalltalk',
'smarty',
- 'sml',
+ // Disabled because of CVE-2021-20270
+ // 'sml',
'snobol',
'snowball',
'sources.list',
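Review bot: `'sml'` is the only entry tied to CVE-2021-20270 and the comment correctly distinguishes it from the regex-DoS entries. Consider also stating in the comment that this one is an infinite loop in the lexer (per the commit message), since a later mitigation that only bounds regex matching time would not address it, and someone sweeping the CVE-2021-27291 entries back in could otherwise re-enable this one by mistake.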
@@ -631,9 +640,10 @@ return [
'vapi',
'vb.net',
'vbnet',
- 'vcl',
- 'vclsnippet',
- 'vclsnippets',
+ // Disabled because of CVE-2021-27291
+ // 'vcl',
+ // 'vclsnippet',
+ // 'vclsnippets',
'vctreestatus',
'velocity',
'verilog',
--
2.30.2
