From 1f5ddb6572a68d85cae730ff0c04fae85f7e7d0d Mon Sep 17 00:00:00 2001
From: Marian Beermann
Date: Sat, 17 Jun 2017 11:59:56 +0200
Subject: [PATCH] document pattern denial of service
---
 src/borg/archiver.py | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/borg/archiver.py b/src/borg/archiver.py
index e1406560b..2ae5074bc 100644
--- a/src/borg/archiver.py
+++ b/src/borg/archiver.py
@@ -1921,6 +1921,15 @@ def do_break_lock(self, args, repository):
 Other include/exclude patterns that would normally match will be ignored. Same logic applies for exclude.
+ .. note::
+
+ `re:`, `sh:` and `fm:` patterns are all implemented on top of the Python SRE
+ engine. It is very easy to formulate patterns for each of these types which
+ requires an inordinate amount of time to match paths. If untrusted users
+ are able to supply patterns, ensure they cannot supply `re:` patterns.
+ Further, ensure that `sh:` and `fm:` patterns only contain a handful of
+ wildcards at most.
+
 Exclusions can be passed via the command line option `--exclude`. When used from within a shell the patterns should be quoted to protect them from expansion.
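Review bot: The new note tells operators what to forbid (`re:`, many wildcards in `sh:`/`fm:`) but gives no positive guidance on which pattern style is safe to accept from untrusted users; if the path-prefix style (`pp:`) is matched by plain string comparison rather than through SRE, the note should say so, e.g. `Prefer pp: patterns for input that originates from untrusted users.` — please confirm that against the matcher before adding it. `only contain a handful of wildcards at most` is hard to act on; if there is a concrete bound the docs can recommend, state it, otherwise say that each extra wildcard can multiply match time and that any limit must be enforced before the pattern is compiled. Also, `patterns for each of these types which requires an inordinate amount of time` should read `which require`. The enclosing docstring starts and ends outside the hunk.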