File CVE-2020-29651.patch of Package python-py

From 4a9017dc6199d2a564b6e4b0aa39d6d8870e4144 Mon Sep 17 00:00:00 2001
From: Ran Benita <ran@unusedvar.com>
Date: Fri, 4 Sep 2020 13:57:26 +0300
Subject: [PATCH] svnwc: fix regular expression vulnerable to DoS in blame
 functionality

The subpattern `\d+\s*\S+` is ambiguous which makes the pattern subject
to catastrophic backtracing given a string like `"1" * 5000`.

SVN blame output seems to always have at least one space between the
revision number and the user name, so the ambiguity can be fixed by
changing the `*` to `+`.

Fixes #256.
---
 py/_path/svnwc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/py/_path/svnwc.py b/py/_path/svnwc.py
index 3138dd85..b5b9d8d5 100644
--- a/py/_path/svnwc.py
+++ b/py/_path/svnwc.py
@@ -396,7 +396,7 @@ def makecmdoptions(self):
     def __str__(self):
         return "<SvnAuth username=%s ...>" %(self.username,)
 
-rex_blame = re.compile(r'\s*(\d+)\s*(\S+) (.*)')
+rex_blame = re.compile(r'\s*(\d+)\s+(\S+) (.*)')
 
 class SvnWCCommandPath(common.PathBase):
     """ path implementation offering access/modification to svn working copies.