SimplePie Fix regex backtrack limit in clean_hash() (#7813)

https://github.com/FreshRSS/simplepie/pull/48
and merge upstream https://github.com/FreshRSS/simplepie/pull/49
fix https://github.com/FreshRSS/FreshRSS/issues/7807
We had a risk of hitting `Backtrack limit was exhausted` in case of open XML comment `<!--` not closed and followed by a very long document.
Fixed by:
* Limiting the max length of the comment
* Stopping at an apparent end of CDATA section `]]>` as it is likely an error

It does not matter much if there are rare cases when the regex does not work perfectly, as it is only used for a cache hint.
Alexandre Alapetite
2025-08-11 00:52:09 +02:00
committed by GitHub
parent 2b85a50ed7
commit eaf69f591f
3 changed files with 2 additions and 2 deletions

@@ -14,7 +14,7 @@
"marienfressinaud/lib_opml": "0.5.1",
"phpgt/cssxpath": "v1.3.0",
"phpmailer/phpmailer": "6.10.0",
"simplepie/simplepie": "dev-freshrss#3cdee69fde431e6b461b87413177a791c2018098"
"simplepie/simplepie": "dev-freshrss#dcaa720d3d8bc8202333f569c4cddb4a407dc213"
},
"config": {
"sort-packages": true,

@@ -1695,7 +1695,7 @@ class SimplePie
[
'#<(lastBuildDate|pubDate|updated|feedDate|dc:date|slash:comments)>[^<]+</\\1>#',
'#<(media:starRating|media:statistics) [^/<>]+/>#',
'#<!--.+?-->#s',
'#<!--.{,8192}?(-->|(?=]]>))#s', // XML comments up to a max length and stops at apparent end of CDATA section
],
'',
$stream_data
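
Review bot: The `{,8192}` quantifier in the new comment pattern omits its lower bound, which PCRE2 only treats as a quantifier from release 10.43 onward; older builds read `{,8192}` as literal characters, so the pattern would silently stop matching XML comments rather than bounding their length. Writing it as `.{0,8192}?` gives the same behaviour on every PCRE version. Separately, a comment longer than 8192 characters with no `]]>` inside it now fails to match and stays in `$stream_data`; the commit message accepts that for a cache hint, but saying so in the inline comment next to the pattern would keep a later reader from treating it as a bug.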