[3.9] bpo-46474: Avoid REDoS in EntryPoint.pattern (sync with importlib_metadata 4.10.1) (GH-30803). (GH-30828)

jaraco · web-flow · commit 1514d1252f96 · 2022-01-23T10:17:41.000-05:00
(cherry picked from commit 51c3e28) Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
diff --git a/Lib/importlib/metadata.py b/Lib/importlib/metadata.py
@@ -49,8 +49,8 @@ class EntryPoint(
 
     pattern = re.compile(
         r'(?P<module>[\w.]+)\s*'
-        r'(:\s*(?P<attr>[\w.]+))?\s*'
-        r'(?P<extras>\[.*\])?\s*$'
+        r'(:\s*(?P<attr>[\w.]+)\s*)?'
+        r'((?P<extras>\[.*\])\s*)?$'
         )
     """
     A regular expression describing the syntax for an entry point,
diff --git a/Misc/NEWS.d/next/Library/2022-01-22-14-49-10.bpo-46474.eKQhvx.rst b/Misc/NEWS.d/next/Library/2022-01-22-14-49-10.bpo-46474.eKQhvx.rst
@@ -0,0 +1,2 @@
+In ``importlib.metadata.EntryPoint.pattern``, avoid potential REDoS by
+limiting ambiguity in consecutive whitespace.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+In ``importlib.metadata.EntryPoint.pattern``, avoid potential REDoS by
	`2`	`+limiting ambiguity in consecutive whitespace.`