Skip to content

Commit

Permalink
fix: CSV-2024-22640 (#712)
Browse files Browse the repository at this point in the history
Add possessive quantifiers to the regex to prevent catastrophic backtracking.
  • Loading branch information
josh-gaby authored Apr 20, 2024
1 parent d4adef4 commit 05f3a28
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion include/tcpdf_colors.php
Original file line number Diff line number Diff line change
Expand Up @@ -275,7 +275,7 @@ public static function convertHTMLColorToDec($hcolor, &$spotc, $defcol=array('R'
$color = strtolower($color);
// check for javascript color array syntax
if (strpos($color, '[') !== false) {
if (preg_match('/[\[][\"\'](t|g|rgb|cmyk)[\"\'][\,]?([0-9\.]*)[\,]?([0-9\.]*)[\,]?([0-9\.]*)[\,]?([0-9\.]*)[\]]/', $color, $m) > 0) {
if (preg_match('/[\[][\"\'](t|g|rgb|cmyk)[\"\'][\,]?([0-9\.]*+)[\,]?([0-9\.]*+)[\,]?([0-9\.]*+)[\,]?([0-9\.]*+)[\]]/', $color, $m) > 0) {
$returncolor = array();
switch ($m[1]) {
case 'cmyk': {
Expand Down

4 comments on commit 05f3a28

@powtac
Copy link

@powtac powtac commented on 05f3a28 Jun 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@josh-gaby may I ask how this + quantifiers help to prevent the issue or why the * is not replaced by the + then?

@josh-gaby
Copy link
Contributor Author

@josh-gaby josh-gaby commented on 05f3a28 Jun 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@powtac The * matches between zero and unlimited times and is greedy, it matches us much as possible and gives back as needed when no matches are found which is what causes the backtracking issue in the CVE.
Replacing the * with a + would result in the query matching between one and unlimited times (required rather than optional), however changing the * to *+ makes it possesive rather than greedy and prevents the backtracking.

@powtac
Copy link

@powtac powtac commented on 05f3a28 Jun 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@josh-gaby thank you for the detailed explanation. I was not aware of the different quantifier strategy when combining * and +.

@josh-gaby
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No problem, it can also be used to modify the standard + quantifier too, ++ is the posessive quantifier used to match between one and unlimited times.

Please sign in to comment.