diff --git a/CHANGELOG.md b/CHANGELOG.md index db087a6e68..6bf4d8f5df 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -37,6 +37,7 @@ account (Griatch) - [Fix][issue4311]: SSH connection caused a traceback in protocol (Griatch) - Fix: Resolve a bug when loading on-demand-handler data from database (Griatch) +- Security: Potentially O(n2) regex exploit in rpsystem regex (Griatch) - Doc fixes (iLPdev, Griatch, CloudKeeper) [pull3420]: https://github.com/evennia/evennia/pull/3420 diff --git a/docs/source/Coding/Changelog.md b/docs/source/Coding/Changelog.md index 7dbf7f00d8..6bf4d8f5df 100644 --- a/docs/source/Coding/Changelog.md +++ b/docs/source/Coding/Changelog.md @@ -2,6 +2,11 @@ ## Evennia Main branch +- Feature: Support Python 3.12 (Griatch). Currently supporting 3.10,3.11 and + 3.12. Note that 3.10 support will be removed in a future release. +- Feature: Update `evennia[extra]` scipy dependency to 1.12 to support latest + Python. Note that this may change which (equivalent) path is being picked when + following an xyzgrid contrib pathfinding. - Feature: *Backwards incompatible*: `DefaultObject.get_numbered_name` now gets object's name via `.get_display_name` for better compatibility with recog systems. - Feature: *Backwards incompatible*: Removed the (#dbref) display from @@ -32,6 +37,7 @@ account (Griatch) - [Fix][issue4311]: SSH connection caused a traceback in protocol (Griatch) - Fix: Resolve a bug when loading on-demand-handler data from database (Griatch) +- Security: Potentially O(n2) regex exploit in rpsystem regex (Griatch) - Doc fixes (iLPdev, Griatch, CloudKeeper) [pull3420]: https://github.com/evennia/evennia/pull/3420 diff --git a/docs/source/Setup/Settings-Default.md b/docs/source/Setup/Settings-Default.md index a52729f166..73f3a6d45b 100644 --- a/docs/source/Setup/Settings-Default.md +++ b/docs/source/Setup/Settings-Default.md 
@@ -257,7 +257,7 @@ MXP_OUTGOING_ONLY = True # time depends very much on your game so some experimentation may # be necessary (use @server to see how many objects are in the idmapper # cache at any time). Setting this to None disables the cache cap. -IDMAPPER_CACHE_MAXSIZE = 200 # (MB) +IDMAPPER_CACHE_MAXSIZE = 400 # (MB) # This determines how many connections per second the Portal should # accept, as a DoS countermeasure. If the rate exceeds this number, incoming # connections will be queued to this rate, so none will be lost. diff --git a/evennia/contrib/rpg/rpsystem/rpsystem.py b/evennia/contrib/rpg/rpsystem/rpsystem.py index fccef752ef..d18a1a5f93 100644 --- a/evennia/contrib/rpg/rpsystem/rpsystem.py +++ b/evennia/contrib/rpg/rpsystem/rpsystem.py @@ -159,7 +159,8 @@ from evennia.commands.command import Command from evennia.objects.models import ObjectDB from evennia.objects.objects import DefaultCharacter, DefaultObject from evennia.utils import ansi, logger -from evennia.utils.utils import iter_to_str, lazy_property, make_iter, variable_from_module +from evennia.utils.utils import (iter_to_str, lazy_property, make_iter, + variable_from_module) _INFLECT = inflect.engine() @@ -217,7 +218,7 @@ _RE_CHAREND = re.compile(r"\W+$", _RE_FLAGS) _RE_REF_LANG = re.compile(r"\{+\##([0-9]+)\}+") # language says in the emote are on the form "..." or langname"..." (no spaces). # this regex returns in groups (langname, say), where langname can be empty. -_RE_LANGUAGE = re.compile(r"(?:(\w+))*(\".+?\")") +_RE_LANGUAGE = re.compile(r'(\w+)?(".*?")') # the emote parser works in two steps: diff --git a/evennia/settings_default.py b/evennia/settings_default.py index ad40898fc6..2d53d524cc 100644 --- a/evennia/settings_default.py +++ b/evennia/settings_default.py 
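Review bot: The rewritten `_RE_LANGUAGE` drops the nested `(?:(\w+))*` quantifier, but `(\w+)?` immediately before `"` still has to be retried at every shorter length, at every search start position, when a long run of word characters has no quote after it, so the worst case on such input looks quadratic rather than linear; a timing regression test over a long unquoted word (constructed, e.g. `"a" * 50000`) would pin this down, and restricting the word group to word starts, `_RE_LANGUAGE = re.compile(r'(?<!\w)(\w+)?(".*?")')`, should be linear on that input while yielding the same leftmost matches. Separately, the switch from `.+?` to `.*?` now lets an empty quoted string `""` match as a say with no content; if that is not intended, keep `.+?`. The comment on the preceding context lines still describes the `langname"..."` form and could add that the language name must sit directly against the opening quote. How the pattern is applied (search, finditer or sub) lies outside this hunk.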
@@ -238,7 +238,7 @@ MXP_OUTGOING_ONLY = True
 # time depends very much on your game so some experimentation may
 # be necessary (use @server to see how many objects are in the idmapper
 # cache at any time). Setting this to None disables the cache cap.
-IDMAPPER_CACHE_MAXSIZE = 200 # (MB)
+IDMAPPER_CACHE_MAXSIZE = 400 # (MB)
 # This determines how many connections per second the Portal should
 # accept, as a DoS countermeasure. If the rate exceeds this number, incoming
 # connections will be queued to this rate, so none will be lost.
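Review bot: Doubling the `IDMAPPER_CACHE_MAXSIZE` default from 200 to 400 MB is not explained anywhere in this commit: neither changelog hunk mentions it, and the comment above the setting still only says that experimentation may be necessary. Because this raises the default cache cap for every game that does not override the setting, it deserves a changelog line such as `- Feature: Default IDMAPPER_CACHE_MAXSIZE raised from 200 to 400 MB (Griatch)` and a short why-comment next to the value, e.g. `# default raised to 400 MB; lower this on memory-constrained hosts`. The same change is mirrored in docs/source/Setup/Settings-Default.md, which should carry the same explanation.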