Escape user-provided text passed to regex

Rather than using the user/document-provided values directly, we instead escape them to use them verbatim. This fixes issue #568.
the-paperless-project · Nov 2, 2019 · 422a785 · 422a785
1 parent a690b1c
commit 422a785
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/src/documents/models.py b/src/documents/models.py
@@ -98,20 +98,21 @@ def matches(self, text):
         if self.matching_algorithm == self.MATCH_ALL:
             for word in self._split_match():
                 search_result = re.search(
-                    r"\b{}\b".format(word), text, **search_kwargs)
+                    r"\b{}\b".format(re.escape(word)), text, **search_kwargs)
                 if not search_result:
                     return False
             return True
 
         if self.matching_algorithm == self.MATCH_ANY:
             for word in self._split_match():
-                if re.search(r"\b{}\b".format(word), text, **search_kwargs):
+                if re.search(r"\b{}\b".format(re.escape(word)), text,
+                             **search_kwargs):
                     return True
             return False
 
         if self.matching_algorithm == self.MATCH_LITERAL:
-            return bool(re.search(
-                r"\b{}\b".format(self.match), text, **search_kwargs))
+            return bool(re.search(r"\b{}\b".format(re.escape(self.match)),
+                                  text, **search_kwargs))
 
         if self.matching_algorithm == self.MATCH_REGEX:
             return bool(re.search(