From 8b3d69a0d7bba324ec9022320c547af983546310 Mon Sep 17 00:00:00 2001
From: Daniel Reis <dgreis@sapo.pt>
Date: Thu, 30 Jul 2015 10:04:04 +0100
Subject: [PATCH] [FIX] orm: performance of regex to check search `order` spec

This regex is used for a quick sanity check of
the order_spec in `search(order=<order_spec>)`.
Because it was build on the repetition of a
group ending with a series of optional patterns,
it could cause expensive backtracking when the
order spec did not actually match the regex
(the regex engine was trying all possible ways
to split the groups)

Forcing the repeating group to either end
with a comma or the end of the string prevents
prohibitive backtracking, while being even
more restrictive with regard to the syntax of
the order spec.

Closes #7755
---
 openerp/osv/orm.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openerp/osv/orm.py b/openerp/osv/orm.py
index 9cd5d1dcb8f..06768fa578f 100644
--- a/openerp/osv/orm.py
+++ b/openerp/osv/orm.py
@@ -77,7 +77,7 @@ _schema = logging.getLogger(__name__ + '.schema')
 # List of etree._Element subclasses that we choose to ignore when parsing XML.
 from openerp.tools import SKIPPED_ELEMENT_TYPES
 
-regex_order = re.compile('^( *([a-z0-9_]+|"[a-z0-9_]+")( *desc| *asc)?( *, *|))+$', re.I)
+regex_order = re.compile('^(\s*([a-z0-9:_]+|"[a-z0-9:_]+")(\s+(desc|asc))?\s*(,|$))+(?<!,)$', re.I)
 regex_object_name = re.compile(r'^[a-z0-9_.]+$')
 
 # TODO for trunk, raise the value to 1000