Bug 1623633 Comment 6 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
> reproduce and confirm the issue (ideally for multiple versions but it should be anything with that regex in it)

I can confirm the PoC on Python 3.8.1 with bleach 3.1.3, 3.1.2, 3.1.1, 3.1.0, 3.0.0, 2.1.4, 2.1.3 and didn't check earlier versions.

[git blame](https://github.com/mozilla/bleach/blame/v3.1.3/bleach/sanitizer.py#L596) shows we landed the current regex with https://github.com/mozilla/bleach/pull/434 14 months ago, and I [released it with 3.1.3 this week](https://github.com/mozilla/bleach/compare/v3.1.2...v3.1.3). I also see I included an incomplete changelog with the 3.1.3 release.

Looking at older versions, we used the following for the gauntlet regex:

* `^([/:,#%.\s!\w]|\w-\w|'[\s\w]+'\s*|"[\s\w]+"|\([\d,%\.\s]+\))*$` w/ `re.U` [in 3.1.3](https://github.com/mozilla/bleach/blame/v3.1.3/bleach/sanitizer.py#L596)
* `^([-/:,#%.'"\sa-zA-Z0-9!]|\w-\w|'[\s\w]+'\s*|"[\s\w]+"|\([\d,%\.\s]+\))*$` [from 2.0](https://github.com/mozilla/bleach/blame/v2.0/bleach/sanitizer.py#L347) [to 3.1.2](https://github.com/mozilla/bleach/blame/v3.1.2/bleach/sanitizer.py#L596), and before that it was split over two lines at least [from 1.4](https://github.com/mozilla/bleach/blame/v1.4/bleach/sanitizer.py#L115-L116) [to 1.5](https://github.com/mozilla/bleach/blame/v1.5/bleach/sanitizer.py#L115-L116)

All of which include vulnerable patterns, so I'll hazard that all versions are impacted.

edit: as schwag09 already noted:

> I agree, I don't really have a sense of what the 1st alternation is getting at in the expression. It feels kind of like a catchall. I took a look through the git history of the gauntlet and it seems the ReDoS has always been there (at least since 2012).