document pattern denial of service

2017-06-17 11:59:56 +02:00 · 2017-06-17 11:59:56 +02:00 · 1f5ddb6572
parent 2b13607f46
commit 1f5ddb6572
1 changed files with 9 additions and 0 deletions
--- a/src/borg/archiver.py
+++ b/src/borg/archiver.py
@ -1921,6 +1921,15 @@ class Archiver:
            Other include/exclude patterns that would normally match will be ignored.
            Same logic applies for exclude.

+        .. note::
+
+            `re:`, `sh:` and `fm:` patterns are all implemented on top of the Python SRE
+            engine. It is very easy to formulate patterns for each of these types which
+            requires an inordinate amount of time to match paths. If untrusted users
+            are able to supply patterns, ensure they cannot supply `re:` patterns.
+            Further, ensure that `sh:` and `fm:` patterns only contain a handful of
+            wildcards at most.
+
        Exclusions can be passed via the command line option `--exclude`. When used
        from within a shell the patterns should be quoted to protect them from
        expansion.