File CVE-2024-25885.patch of Package python-xhtml2pdf.18720

From de0fdbdf4224f3277419c2080ca0fd35fd5948a5 Mon Sep 17 00:00:00 2001
From: David Trupiano <davetrupiano@gmail.com>
Date: Tue, 22 Oct 2024 15:45:54 -0400
Subject: [PATCH] fix reDOS CVE in getColor function

---
 xhtml2pdf/util.py | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

Index: xhtml2pdf-0.2.4/xhtml2pdf/util.py
===================================================================
--- xhtml2pdf-0.2.4.orig/xhtml2pdf/util.py
+++ xhtml2pdf-0.2.4/xhtml2pdf/util.py
@@ -191,11 +191,17 @@ def getColor(value, default=None):
     """
     Convert to color value.
     This returns a Color object instance from a text bit.
+    Mitigation for ReDoS attack applied by limiting input length and validating input.
     """
 
     if isinstance(value, Color):
         return value
     value = str(value).strip().lower()
+
+    # Limit the length of the value to prevent excessive input causing ReDoS
+    if len(value) > 100:  # Set a reasonable length limit to avoid extreme inputs
+        return default
+
     if value == "transparent" or value == "none":
         return default
     if value in COLOR_BY_NAME:
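Review bot: The 100-character cap added before the `transparent`/`none` check only bounds the cost of a pathological pattern rather than removing it; if `rgb_re` (defined outside this hunk) contains nested or unbounded quantifiers, inputs under 100 characters can still backtrack heavily, so the pattern itself should use bounded numeric groups and the cap should be treated as defense in depth. The limit is also a bare literal; a module-level constant such as `MAX_COLOR_VALUE_LEN = 100` with the comment moved onto it would document the intent in one place and make the cap tunable. Returning `default` for over-long input is consistent with the `transparent`/`none` branch, but the rejection is silent, so a debug-level log line (if the module has a logger) would help explain a vanished stylesheet color. getColor starts before this hunk.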
@@ -203,10 +209,13 @@ def getColor(value, default=None):
     if value.startswith("#") and len(value) == 4:
         value = "#" + value[1] + value[1] + \
             value[2] + value[2] + value[3] + value[3]
-    elif rgb_re.search(value):
-        # e.g., value = "<css function: rgb(153, 51, 153)>", go figure:
-        r, g, b = [int(x) for x in rgb_re.search(value).groups()]
-        value = "#%02x%02x%02x" % (r, g, b)
+    elif rgb_re.match(value):
+        # Use match instead of search to ensure proper regex usage and limit to valid patterns
+        try:
+            r, g, b = [int(x) for x in rgb_re.match(value).groups()]
+            value = "#%02x%02x%02x" % (r, g, b)
+        except ValueError:
+            pass
     else:
         # Shrug
         pass
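Review bot: The removed comment documented inputs of the form `<css function: rgb(153, 51, 153)>`, and `rgb_re.match` anchors at the start of the string, so unless `rgb_re` (defined outside the hunk) explicitly allows a leading prefix, such values are no longer recognized and fall through to the `else` branch; this should be confirmed against the regex and covered by a test for that exact input. The new `except ValueError: pass` leaves `value` as the unparsed string, which then continues into the code after the hunk; returning `default` there, `except ValueError:` / `return default`, would match the over-length handling added in the first hunk and avoid passing a half-validated string further down. The match is also computed twice (once in the `elif`, once for `.groups()`); binding the match object once, `m = rgb_re.match(value)` before the branch, removes the repeat. getColor continues past the hunk.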