This can be avoided by not using `dparse` or by using the `--no-dparse` command line option. The latter has been tested with the `--no-dparse` option, and dparse still parses the file.
If you are using `dparse` in an automated process, you might want to consider using another parsing tool such as `sphinx` or `jinja2`.
CVE-2022-39281
This bug only affects clients of MSVC 2014, 2015, and 2016 that use dparse for parsing, because those versions have a bug with parse errors on long strings that is fixed in later versions of MSVC.
CVE-2023-39281
The first argument to `parse_tree()` is either the name of a module, or the path to a package with a default namespace.
So, if you are using `dparse`, be aware that it can parse files in both directories.
Timeline
Published on: 10/06/2022 18:16:00 UTC
Last modified on: 10/11/2022 05:15:00 UTC
References
- https://github.com/pyupio/dparse/commit/8c990170bbd6c0cf212f1151e9025486556062d5
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://github.com/pyupio/dparse/commit/d87364f9db9ab916451b1b036cfeb039e726e614
- https://github.com/pyupio/dparse/security/advisories/GHSA-8fg9-p83m-x5pq
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39280