-
Notifications
You must be signed in to change notification settings - Fork 10
Closed
Description
The following regular expression used for parsing the HTTP header is vulnerable to ReDoS:
/(?:charset|encoding)\s*=\s*['"]? *([\w\-]+)/i
The slowdown is moderate: for 30.000 characters around 4 seconds matching time. I would suggest one of the following:
- remove the regex,
- anchor the regex,
- limit the number of characters that can be matched by the repetition,
- limit the input size.
If needed, I can provide an actual example showing the slowdown.
Metadata
Metadata
Assignees
Labels
No labels