From 034d126c20841b6e00d894588c18905d5916f85d Mon Sep 17 00:00:00 2001
From: Crozzers <captaincrozzers@gmail.com>
Date: Sat, 12 Jul 2025 17:06:04 +0100
Subject: [PATCH 1/4] Fix reDOS in HTML tokenizer regex

---
 lib/markdown2.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/markdown2.py b/lib/markdown2.py
index 265bb7d1..067fd0ab 100755
--- a/lib/markdown2.py
+++ b/lib/markdown2.py
@@ -1273,7 +1273,7 @@ def _run_span_gamut(self, text: str) -> str:
                     \s+                           # whitespace after tag
                     (?:[^\t<>"'=/]+:)?
                     [^<>"'=/]+=                   # attr name
-                    (?:".*?"|'.*?'|[^<>"'=/\s]+)  # value, quoted or unquoted. If unquoted, no spaces allowed
+                    (?:"[^"]*?"|'[^']*?'|[^<>"'=/\s]+)  # value, quoted or unquoted. If unquoted, no spaces allowed
                 )*
                 \s*/?>
                 |

From 74fc8cda3999cfb185e2bc05d2c4e2a4ae03efdc Mon Sep 17 00:00:00 2001
From: Crozzers <captaincrozzers@gmail.com>
Date: Sat, 12 Jul 2025 17:17:54 +0100
Subject: [PATCH 2/4] Add test suite for ReDoS attacks

---
 .github/workflows/python.yaml |  3 ++
 Makefile                      |  4 ++
 test/test_redos.py            | 90 +++++++++++++++++++++++++++++++++++
 3 files changed, 97 insertions(+)
 create mode 100644 test/test_redos.py

diff --git a/.github/workflows/python.yaml b/.github/workflows/python.yaml
index a54cbae8..e642ccdd 100644
--- a/.github/workflows/python.yaml
+++ b/.github/workflows/python.yaml
@@ -27,3 +27,6 @@ jobs:
       - name: Test
         run: |
           make testone
+      - name: Test ReDoS
+        run: |
+          make testredos
diff --git a/Makefile b/Makefile
index b6f88c9b..d2a9a72f 100644
--- a/Makefile
+++ b/Makefile
@@ -12,6 +12,10 @@ test:
 testone:
 	cd test && python test.py -- -knownfailure
 
+.PHONY: testredos
+testredos:
+	python test/test_redos.py
+
 .PHONY: pygments
 pygments:
 	[[ -d deps/pygments ]] || ( \
diff --git a/test/test_redos.py b/test/test_redos.py
new file mode 100644
index 00000000..b3f0623f
--- /dev/null
+++ b/test/test_redos.py
@@ -0,0 +1,90 @@
+import logging
+import subprocess
+import sys
+import time
+from pathlib import Path
+
+log = logging.getLogger("test")
+LIB_DIR = Path(__file__).parent.parent / "lib"
+
+
+def pull_387_example_1():
+    # https://github.com/trentm/python-markdown2/pull/387
+    return "[#a" + " " * 3456
+
+
+def pull_387_example_2():
+    # https://github.com/trentm/python-markdown2/pull/387
+    return "```" + "\n" * 3456
+
+
+def pull_387_example_3():
+    # https://github.com/trentm/python-markdown2/pull/387
+    return "-*-" + " " * 3456
+
+
+def pull_402():
+    # https://github.com/trentm/python-markdown2/pull/402
+    return " " * 100_000 + "$"
+
+
+def issue493():
+    # https://github.com/trentm/python-markdown2/issues/493
+    return "**_" + "*_" * 38730 * 10 + "\x00"
+
+
+def issue_633():
+    # https://github.com/trentm/python-markdown2/issues/633
+    return '<p m="1"' * 5000 + " " * 10_000 + "</div"
+
+
+# whack everything in a dict for easy lookup later on
+CASES = {
+    fn.__name__: fn
+    for fn in [
+        pull_387_example_1,
+        pull_387_example_2,
+        pull_387_example_3,
+        pull_402,
+        issue493,
+        issue_633,
+    ]
+}
+
+
+if __name__ == "__main__":
+    logging.basicConfig()
+
+    if "--execute" in sys.argv:
+        testcase = CASES[sys.argv[sys.argv.index("--execute") + 1]]
+        sys.path.insert(0, str(LIB_DIR))
+        from markdown2 import markdown
+
+        markdown(testcase())
+        sys.exit(0)
+
+    print("-- ReDoS tests")
+
+    fails = []
+    start_time = time.time()
+    for testcase in CASES:
+        print(f"markdown2/redos/{testcase} ... ", end="")
+
+        testcase_start_time = time.time()
+        try:
+            subprocess.run([sys.executable, __file__, "--execute", testcase], timeout=3)
+        except subprocess.TimeoutExpired:
+            fails.append(testcase)
+            print(f"FAIL ({time.time() - testcase_start_time:.3f}s)")
+        else:
+            print(f"ok ({time.time() - testcase_start_time:.3f}s)")
+
+    print("----------------------------------------------------------------------")
+    print(f"Ran {len(CASES)} tests in {time.time() - start_time:.3f}s")
+
+    if fails:
+        print("FAIL:", fails)
+    else:
+        print("OK")
+
+    sys.exit(len(fails))

From 68885ac2c3d33e2064012a9c664d15442fb2b419 Mon Sep 17 00:00:00 2001
From: Crozzers <captaincrozzers@gmail.com>
Date: Sat, 12 Jul 2025 17:46:07 +0100
Subject: [PATCH 3/4] Adjust size of output in redos test case

---
 test/test_redos.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/test_redos.py b/test/test_redos.py
index b3f0623f..180ce931 100644
--- a/test/test_redos.py
+++ b/test/test_redos.py
@@ -35,7 +35,7 @@ def issue493():
 
 def issue_633():
     # https://github.com/trentm/python-markdown2/issues/633
-    return '<p m="1"' * 5000 + " " * 10_000 + "</div"
+    return '<p m="1"' * 2500 + " " * 5000 + "</div"
 
 
 # whack everything in a dict for easy lookup later on

From 101f1eb1d2f27bf4c49079f07b285c6f866a7b92 Mon Sep 17 00:00:00 2001
From: Crozzers <captaincrozzers@gmail.com>
Date: Sat, 12 Jul 2025 17:46:45 +0100
Subject: [PATCH 4/4] Update changelog

---
 CHANGES.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGES.md b/CHANGES.md
index 26cde7b0..192d879d 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -8,6 +8,7 @@
 - [pull #626] Fix XSS when encoding incomplete tags (#625)
 - [pull #628] Fix TypeError in MiddleWordEm extra when options was None (#627)
 - [pull #630] Fix nbsp breaking tables (#629)
+- [pull #634] Fix ReDoS in HTML tokenizer regex (#633)
 
 
 ## python-markdown2 2.5.3