Regular expression Denial of Service

Problem/Motivation

This module has a Regular expression Denial of Service issue.

This was first reported as a security issue, and it was decided to make it public, since it requires admin permissions.

Steps to reproduce

You can see this issue by:

1. Enabling the module
2. As a user with 'administer site configuration+administer software updates' permission (or whatever permission is required if using Drupal 7 instead) navigate to /admin/config/development/maintenance
3. An arbitrary regex can be entered in both the "Forms that can be submitted" and "Forms that can be viewed" fields, with the modification that all occurrences of "*" will be replaced with ".*" and that "^" and "$" will be added before and after, respectively.

The problematic code is in _readonlymode_form_list_check(), in both D7 and D8+.

function _readonlymode_form_list_check($form_id, array $list) {
  $l = preg_split('/(\r\n|\n|\r)/', $list);
  foreach ($l as $word) {
    // Skip empty words.
    if (empty($word)) {
      continue;
    }
    $word = str_replace('*', '.*', $word);
    if (preg_match('/^' . $word . '$/', $form_id) === 1) {
      return TRUE;
    }
  }
  return FALSE;
}

Proposed resolution

The code should be changed to work more like \Drupal\Core\Path\PathMatcher::matchPath, which escapes regex characters, then performs replacement for asterisks and joins the result into a regex. The function could also similarly make use of replacing newlines with a logical 'or', to avoid having a for loop.

Remaining tasks

User interface changes

API changes

Data model changes