gh-146333: Fix quadratic regex backtracking in configparser option parsing

[joshuaswanson]

The _OPT_TMPL and _OPT_NV_TMPL regexes have quadratic backtracking when a line contains many spaces between non-delimiter characters. The lazy .*? in the option group and the \s* before the delimiter overlap on whitespace, so the engine tries every possible split point.

The fix removes \s* before the delimiter. This is safe because the option name is already stripped via .rstrip() in _handle_option (line 1160), and the value is stripped via .strip() (line 1169).

Before: x + 40000 spaces + y takes ~86 seconds
After: ~0.004 seconds

• Issue: configparser.RawConfigParser.{OPTCRE,OPTCRE_NV} regexes vulnerable to quadratic backtracking #146333

[python-cla-bot]

All commit authors signed the Contributor License Agreement.

[StanFromIreland]

This is safe because the option name is already stripped via .rstrip() in _handle_option (line 1160), and the value is stripped via .strip() (line 1169).

The regexes are publicly exposed, this breaks it for people who use them directly.

[joshuaswanson]

Good point, thanks. Updated to keep the regexes unchanged. Instead, _handle_option now checks for delimiter presence before matching. If no delimiter is found, it skips the regex entirely and either treats the line as a valueless option (when allow_no_value=True) or reports a parsing error. All 341 existing tests pass.

[encukou]

Overriding OPTCRE is mentioned (though discouraged) in the docs. IMO, that needs to remain usable for specifying different delimiters. We shouldn't skip it.

Would it work to add negative lookahead, (?!{delim}), to <option>?

---

@joshuaswanson, please don't force-push to CPython PR branches -- it makes the changes a little harder to follow for reviewers, and every PR gets squashed anyway.

[joshuaswanson]

Won't force-push again, sorry about that.

The simple (?!{delim}) on .*? didn't eliminate the backtracking on its own because whitespace characters aren't delimiters, so .*? and \s* still overlapped on spaces. Took a bit more work to get it right.

The fix restructures the option group to (?:(?!{delim})\S)*(?:\s+(?:(?!{delim})\S)+)* which matches words separated by whitespace, where each word is non-delimiter non-space characters. Option can never have trailing whitespace, so there's no overlap with \s*. Captured groups are identical and all 341 existing tests pass.