fix http.cookies: replace potentially backtracking regex with linear-time pattern to prevent ReDoS (closes gh-149028)

AmSach · AmSach · commit 11ca014a90f4 · 2026-04-27T08:49:17.000Z
diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
@@ -462,7 +462,7 @@ def OutputString(self, attrs=None):
     (                              # Optional group: there may not be a value.
     \s*=\s*                          # Equal Sign
     (?P<val>                         # Start of group 'val'
-    "(?:\\"|.)*?"                    # Any double-quoted string
+    [^"\\]+                # Any unquoted string (avoid
     |                                  # or
     # Special case for "expires" attr
     (\w{3,6}day|\w{3}),\s              # Day of the week or abbreviated day
