File CVE-2022-40899.patch of Package python-future.27329

Index: future-0.16.0/src/future/backports/http/cookiejar.py
===================================================================
--- future-0.16.0.orig/src/future/backports/http/cookiejar.py
+++ future-0.16.0/src/future/backports/http/cookiejar.py
@@ -224,10 +224,14 @@ LOOSE_HTTP_DATE_RE = re.compile(
        (?::(\d\d))?    # optional seconds
     )?                 # optional clock
        \s*
-    ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+)? # timezone
+    (?:
+       ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+) # timezone
        \s*
-    (?:\(\w+\))?       # ASCII representation of timezone in parens.
-       \s*$""", re.X | re.ASCII)
+    )?
+    (?:
+       \(\w+\)         # ASCII representation of timezone in parens.
+       \s*
+    )?$""", re.X | re.ASCII)
 def http2time(text):
     """Returns time in seconds since epoch of time represented by a string.
 
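Review bot: The regrouped timezone section of LOOSE_HTTP_DATE_RE carries no comment saying why the optional timezone and the optional parenthesised timezone were each wrapped together with their trailing `\s*`, so a later tidy-up could flatten them back and reintroduce the backtracking this patch removes. A short comment above the first `(?:` such as `# Each optional trailing part owns its own whitespace so no two \s* ever sit adjacent (CVE-2022-40899 ReDoS fix)` would record the invariant the regression test depends on. The same applies to the ISO_DATE_RE hunk below. The `re.compile(` call that holds this pattern opens above the hunk.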
@@ -297,9 +301,11 @@ ISO_DATE_RE = re.compile(
       (?::?(\d\d(?:\.\d*)?))?  # optional seconds (and fractional)
    )?                    # optional clock
       \s*
-   ([-+]?\d\d?:?(:?\d\d)?
-    |Z|z)?               # timezone  (Z is "zero meridian", i.e. GMT)
-      \s*$""", re.X | re. ASCII)
+   (?:
+      ([-+]?\d\d?:?(:?\d\d)?
+       |Z|z)             # timezone  (Z is "zero meridian", i.e. GMT)
+      \s*
+   )?$""", re.X | re. ASCII)
 def iso2time(text):
     """
     As for http2time, but parses the ISO 8601 formats:
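Review bot: The new closing line keeps `re. ASCII` with a space after the dot, which reads as a typo even though it is valid Python, and differs from `re.ASCII` used in the LOOSE_HTTP_DATE_RE hunk above. Since the line is being rewritten anyway, `   )?$""", re.X | re.ASCII)` would make the two patterns consistent. The `re.compile(` call that holds this pattern opens above the hunk.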
Index: future-0.16.0/tests/test_future/test_http_cookiejar.py
===================================================================
--- future-0.16.0.orig/tests/test_future/test_http_cookiejar.py
+++ future-0.16.0/tests/test_future/test_http_cookiejar.py
@@ -103,6 +103,14 @@ class DateTimeTests(unittest.TestCase):
                               "http2time(%s) is not None\n"
                               "http2time(test) %s" % (test, http2time(test)))
 
+    def test_http2time_redos_regression_actually_completes(self):
+        # LOOSE_HTTP_DATE_RE was vulnerable to malicious input which caused
+        # catastrophic backtracking (REDoS). If we regress to cubic complexity,
+        # this test will take a very long time to succeed. If fixed, it should
+        # complete within a fraction of a second.
+        http2time("01 Jan 1970{}00:00:00 GMT!".format(" " * 10 ** 5))
+        http2time("01 Jan 1970 00:00:00{}GMT!".format(" " * 10 ** 5))
+
     def test_iso2time(self):
         def parse_date(text):
             return time.gmtime(iso2time(text))[:6]
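Review bot: The new regression test makes no assertion, so a regression of the regex shows up only as a hang rather than a failed test, and a fix that broke parsing entirely would still pass. The trailing `!` presumably makes both inputs fail the `$` anchor, in which case pinning that with `self.assertIsNone(http2time("01 Jan 1970{}00:00:00 GMT!".format(" " * 10 ** 5)))` (and likewise for the second call) gives the test a real pass/fail signal; please confirm the expected value against the current implementation. The same applies to the iso2time test in the next hunk. The enclosing DateTimeTests class starts outside the hunk.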
@@ -162,6 +170,13 @@ class DateTimeTests(unittest.TestCase):
                               "iso2time(%s) is not None\n"
                               "iso2time(test) %s" % (test, iso2time(test)))
 
+    def test_iso2time_performance_regression(self):
+        # If ISO_DATE_RE regresses to quadratic complexity, this test will take
+        # a very long time to succeed. If fixed, it should complete within a
+        # fraction of a second.
+        iso2time('1994-02-03{}14:15:29 -0100!'.format(' '*10**6))
+        iso2time('1994-02-03 14:15:29{}-0100!'.format(' '*10**6))
+
 
 class HeaderTests(unittest.TestCase):
 
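Review bot: The two new tests format their inputs differently: this one uses `' '*10**6` with single quotes and no operator spacing, while the http2time test above uses `" " * 10 ** 5`. Aligning on one form, e.g. `iso2time("1994-02-03{}14:15:29 -0100!".format(" " * 10 ** 6))`, keeps the two regression tests readable side by side; the differing input sizes could also use a one-line comment if the difference is intentional. The enclosing DateTimeTests class starts outside the hunk.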