[3.10] bpo-46474: Avoid REDoS in EntryPoint.pattern (sync with importlib_metadata 4.10.1) (GH-30803)backport-51c3e28-3.10

(cherry picked from commit 51c3e28c8a163e58dc753765e3cc51d5a717e70d) Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
author: Jason R. Coombs <jaraco@jaraco.com> 2022-01-22 23:00:23 -0500
committer: Jason R. Coombs <jaraco@jaraco.com> 2022-01-23 08:07:29 -0500
commit: 39d0ea1cfbfc039cc5c4cbb04f32c98b3495f2df (patch)
tree: 6dfc6388aa1b32ce15666086292ff095febe03c2
parent: 633db1c4eb863a1340e45c353e36f2f8dcf5945c (diff)
download: cpython-git-backport-51c3e28-3.10.tar.gz
2 files changed, 4 insertions, 2 deletions
diff --git a/Lib/importlib/metadata/__init__.py b/Lib/importlib/metadata/__init__.py
index ec41ed3915..33ce1b6b56 100644
--- a/Lib/importlib/metadata/__init__.py
+++ b/Lib/importlib/metadata/__init__.py
@@ -132,8 +132,8 @@ class EntryPoint(
 
     pattern = re.compile(
         r'(?P<module>[\w.]+)\s*'
-        r'(:\s*(?P<attr>[\w.]+))?\s*'
-        r'(?P<extras>\[.*\])?\s*$'
+        r'(:\s*(?P<attr>[\w.]+)\s*)?'
+        r'((?P<extras>\[.*\])\s*)?$'
     )
     """
     A regular expression describing the syntax for an entry point,
diff --git a/Misc/NEWS.d/next/Library/2022-01-22-14-49-10.bpo-46474.eKQhvx.rst b/Misc/NEWS.d/next/Library/2022-01-22-14-49-10.bpo-46474.eKQhvx.rst
new file mode 100644
index 0000000000..156b7de4f6
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2022-01-22-14-49-10.bpo-46474.eKQhvx.rst
@@ -0,0 +1,2 @@
+In ``importlib.metadata.EntryPoint.pattern``, avoid potential REDoS by
+limiting ambiguity in consecutive whitespace.
author	Jason R. Coombs <jaraco@jaraco.com>	2022-01-22 23:00:23 -0500
committer	Jason R. Coombs <jaraco@jaraco.com>	2022-01-23 08:07:29 -0500
commit	39d0ea1cfbfc039cc5c4cbb04f32c98b3495f2df (patch)
tree	6dfc6388aa1b32ce15666086292ff095febe03c2
parent	633db1c4eb863a1340e45c353e36f2f8dcf5945c (diff)
download	cpython-git-backport-51c3e28-3.10.tar.gz