Imported Upstream version 4.3.2.467

Former-commit-id: 9c2cb47f45fa221e661ab616387c9cda183f283d
2016-02-22 11:00:01 -05:00
parent f302175246
commit f3e3aab35a
4097 changed files with 122406 additions and 82300 deletions
--- a/external/referencesource/System.Web/Security/MembershipPasswordAttribute.cs
+++ b/external/referencesource/System.Web/Security/MembershipPasswordAttribute.cs
@@ -5,6 +5,7 @@
    using System.Globalization;
    using System.Linq;
    using System.Text.RegularExpressions;
+    using  System.Web.Util;

    /// <summary>
    /// Validates whether a password field meets the current Membership Provider's password requirements.
@@ -143,6 +144,9 @@
                }
            }
        }
+
+        // The timeout for the regex we use to check password strength
+        public int? PasswordStrengthRegexTimeout { get; set; }
        #endregion

        #region Overriden Methods
@@ -189,7 +193,8 @@

                Regex passwordStrengthRegex;
                try {
-                    passwordStrengthRegex = new Regex(passwordStrengthRegularExpression);
+                    // Adding timeout for Regex in case of malicious string causing DoS
+                    passwordStrengthRegex = RegexUtil.CreateRegex(passwordStrengthRegularExpression, RegexOptions.None, PasswordStrengthRegexTimeout);
                }
                catch (ArgumentException ex) {
                    throw new InvalidOperationException(SR.GetString(SR.MembershipPasswordAttribute_InvalidRegularExpression), ex);