From 94d8bd5d32eea10053038b5a871c125fb959ef20 Mon Sep 17 00:00:00 2001
From: Issy Long
Date: Fri, 15 Apr 2022 16:23:54 +0100
Subject: [PATCH] download_strategy: In regexps, only allow valid hostname characters

> This regular expression has an unrestricted wildcard '.+?' which may cause 'googlecode\.com/svn' to be matched anywhere in the URL, outside the hostname.
---
 Library/Homebrew/download_strategy.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Library/Homebrew/download_strategy.rb b/Library/Homebrew/download_strategy.rb
index bef5ab5300..5498bb662f 100644
--- a/Library/Homebrew/download_strategy.rb
+++ b/Library/Homebrew/download_strategy.rb
@@ -1404,18 +1404,18 @@ class DownloadStrategyDetector
 when %r{^https?://www\.apache\.org/dyn/closer\.cgi},
 %r{^https?://www\.apache\.org/dyn/closer\.lua}
 CurlApacheMirrorDownloadStrategy
- when %r{^https?://(.+?\.)?googlecode\.com/svn},
+ when %r{^https?://([A-Za-z0-9\-.]+\.)?googlecode\.com/svn},
 %r{^https?://svn\.},
 %r{^svn://},
 %r{^svn\+http://},
 %r{^http://svn\.apache\.org/repos/},
- %r{^https?://(.+?\.)?sourceforge\.net/svnroot/}
+ %r{^https?://([A-Za-z0-9\-.]+\.)?sourceforge\.net/svnroot/}
 SubversionDownloadStrategy
 when %r{^cvs://}
 CVSDownloadStrategy
 when %r{^hg://},
- %r{^https?://(.+?\.)?googlecode\.com/hg},
- %r{^https?://(.+?\.)?sourceforge\.net/hgweb/}
+ %r{^https?://([A-Za-z0-9\-.]+\.)?googlecode\.com/hg},
+ %r{^https?://([A-Za-z0-9\-.]+\.)?sourceforge\.net/hgweb/}
 MercurialDownloadStrategy
 when %r{^bzr://}
 BazaarDownloadStrategy
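Review bot: The four rewritten patterns (the `googlecode\.com/svn`, `sourceforge\.net/svnroot/`, `googlecode\.com/hg` and `sourceforge\.net/hgweb/` branches) still anchor with `^`, which in Ruby matches at the start of any line rather than the start of the string, so a URL value with an embedded newline could still satisfy them on a later line; `\A` closes that, e.g. `when %r{\Ahttps?://([A-Za-z0-9\-.]+\.)?googlecode\.com/svn},`. The same holds for the unchanged `^` patterns in this `case`, which begins and ends outside the hunk, so whether such a value can actually reach the detector is not visible here. The diffstat shows only this file changed, so nothing pins the new behaviour; a spec asserting that a URL carrying `googlecode.com/svn` only in its path does not select `SubversionDownloadStrategy` would guard against regression. The character class `[A-Za-z0-9\-.]+\.` is now repeated four times and would be easier to audit as one named, frozen constant interpolated into each pattern.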