Fix a DOS vulnerability in posixpath regarding string slicing

Wulian233 · Wulian233 · commit 1eec55fb80a6 · 2025-05-30T19:16:34.000+08:00
diff --git a/Lib/posixpath.py b/Lib/posixpath.py
@@ -302,6 +302,7 @@ def expandvars(path):
         start = b'{'
         end = b'}'
         environ = getattr(os, 'environb', None)
+        join = b''.join
     else:
         if '$' not in path:
             return path
@@ -312,12 +313,16 @@ def expandvars(path):
         start = '{'
         end = '}'
         environ = os.environ
-    i = 0
+        join = ''.join
+
+    result = []
+    last = 0
     while True:
-        m = search(path, i)
+        m = search(path, last)
         if not m:
             break
         i, j = m.span(0)
+        result.append(path[last:i])
         name = m.group(1)
         if name.startswith(start) and name.endswith(end):
             name = name[1:-1]
@@ -327,13 +332,12 @@ def expandvars(path):
             else:
                 value = environ[name]
         except KeyError:
-            i = j
+            result.append(path[i:j])
         else:
-            tail = path[j:]
-            path = path[:i] + value
-            i = len(path)
-            path += tail
-    return path
+            result.append(value)
+        last = j
+    result.append(path[last:])
+    return join(result)
 
 
 # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A/B.
diff --git a/Misc/NEWS.d/next/Library/2025-05-30-19-15-35.gh-issue-134873.bSyFkT.rst b/Misc/NEWS.d/next/Library/2025-05-30-19-15-35.gh-issue-134873.bSyFkT.rst
@@ -0,0 +1 @@
+Fix a DOS vulnerability in :mod:`posixpath` regarding string slicing.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Fix a DOS vulnerability in :mod:`posixpath` regarding string slicing.