diff --git a/linux_os/guide/services/http/securing_httpd/httpd_public_resources_not_shared/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_public_resources_not_shared/rule.yml
index 1a6a3591ed7..304e3a10d90 100644
--- a/linux_os/guide/services/http/securing_httpd/httpd_public_resources_not_shared/rule.yml
+++ b/linux_os/guide/services/http/securing_httpd/httpd_public_resources_not_shared/rule.yml
@@ -13,8 +13,8 @@ rationale: |-
public web server and private servers the intent of data and resource
segregation can be compromised.
- In addition to the requirements of the DoD Internet-NIPRNet DMZ STIG that
- isolates inbound traffic from external network to the internal network,
+ In addition to the requirements of applicable DMZ segmentation policies that
+ isolate inbound traffic from the external network to the internal network,
resources such as printers, files, and folders/directories will not be
shared between public web servers and assets located within the internal
network.
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml
index bc2cf5ccdc8..3d661dde7d3 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml
@@ -8,33 +8,6 @@ description: |-
default text with a message compliant with the local site policy or a legal
disclaimer.
- The DoD required text is either:
-
- You are accessing a U.S. Government (USG) Information System (IS) that
- is provided for USG-authorized use only. By using this IS (which includes
- any device attached to this IS), you consent to the following conditions:
-
-The USG routinely intercepts and monitors communications on this IS
- for purposes including, but not limited to, penetration testing, COMSEC
- monitoring, network operations and defense, personnel misconduct (PM), law
- enforcement (LE), and counterintelligence (CI) investigations.
-
-At any time, the USG may inspect and seize data stored on this IS.
-
-Communications using, or data stored on, this IS are not private,
- are subject to routine monitoring, interception, and search, and may be
- disclosed or used for any USG-authorized purpose.
-
-This IS includes security measures (e.g., authentication and access
- controls) to protect USG interests -- not for your personal benefit or
- privacy.
-
-Notwithstanding the above, using this IS does not constitute consent
- to PM, LE or CI investigative searching or monitoring of the content of
- privileged communications, or work product, related to personal
- representation or services by attorneys, psychotherapists, or clergy, and
- their assistants. Such communications and work product are private and
- confidential. See User Agreement for details.
-
- OR:
-
- I've read & consent to terms in IS user agreem't.
-
rationale: |-
Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
index 32df952364e..92326b1028f 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml
@@ -8,33 +8,6 @@ description: |-
default text with a message compliant with the local site policy or a legal
disclaimer.
- The DoD required text is either:
-
- You are accessing a U.S. Government (USG) Information System (IS) that
- is provided for USG-authorized use only. By using this IS (which includes
- any device attached to this IS), you consent to the following conditions:
-
-The USG routinely intercepts and monitors communications on this IS
- for purposes including, but not limited to, penetration testing, COMSEC
- monitoring, network operations and defense, personnel misconduct (PM), law
- enforcement (LE), and counterintelligence (CI) investigations.
-
-At any time, the USG may inspect and seize data stored on this IS.
-
-Communications using, or data stored on, this IS are not private,
- are subject to routine monitoring, interception, and search, and may be
- disclosed or used for any USG-authorized purpose.
-
-This IS includes security measures (e.g., authentication and access
- controls) to protect USG interests -- not for your personal benefit or
- privacy.
-
-Notwithstanding the above, using this IS does not constitute consent
- to PM, LE or CI investigative searching or monitoring of the content of
- privileged communications, or work product, related to personal
- representation or services by attorneys, psychotherapists, or clergy, and
- their assistants. Such communications and work product are private and
- confidential. See User Agreement for details.
-
- OR:
-
- I've read & consent to terms in IS user agreem't.
-
rationale: |-
Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_profiled_ssh_confirm/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_profiled_ssh_confirm/rule.yml
index 35fe221fcf9..3a30fff7f99 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_profiled_ssh_confirm/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_profiled_ssh_confirm/rule.yml
@@ -4,48 +4,19 @@ documentation_complete: true
title: 'Enable the SSH login confirmation banner'
description: |-
- This rule verifies that that the SSH login confirmation banner is set
+ This rule verifies that the SSH login confirmation banner is set
correctly.
- The DoD required text is:
-
- if [ -n "$SSH_CLIENT" ] || [ -n "$SSH_TTY" ]; then
- while true; do
- read -p "
- You are accessing a U.S. Government (USG) Information System (IS) that is provided for
- USG-authorized use only.
- By using this IS (which includes any device attached to this IS), you consent to the
- following conditions:
- -The USG routinely intercepts and monitors communications on this IS for purposes
- including, but not limited to, penetration testing, COMSEC monitoring, network
- operations and defense, personnel misconduct (PM), law enforcement (LE), and
- counterintelligence (CI) investigations.
- -At any time, the USG may inspect and seize data stored on this IS.
- -Communications using, or data stored on, this IS are not private, are subject to routine
- monitoring, interception, and search, and may be disclosed or used for any USG-
- authorized purpose.
- -This IS includes security measures (e.g., authentication and access controls) to protect
- USG interests--not for your personal benefit or privacy.
- -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI
- investigative searching or monitoring of the content of privileged communications, or
- work product, related to personal representation or services by attorneys,
- psychotherapists, or clergy, and their assistants. Such communications and work product
- are private and confidential. See User Agreement for details.
- Do you agree? [y/N] " yn
- case $yn in
- [Yy]* ) break ;;
- [Nn]* ) exit 1 ;;
- esac
- done
- fi
-
+ The confirmation text is configurable through the var_ssh_confirm_text
+ variable, which supports the DoD-required consent text or a generic
+ alternative.
rationale: |-
Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.
-
+
severity: medium
ocil_clause: 'it does not display the required banner'
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml
index 9cce04ec9ae..35e3d0b04ef 100644
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml
@@ -8,33 +8,6 @@ description: |-
Replace the default text with a message compliant with the local site
policy or a legal disclaimer.
- The DoD required text is either:
-
- You are accessing a U.S. Government (USG) Information System (IS) that
- is provided for USG-authorized use only. By using this IS (which includes
- any device attached to this IS), you consent to the following conditions:
-
-The USG routinely intercepts and monitors communications on this IS
- for purposes including, but not limited to, penetration testing, COMSEC
- monitoring, network operations and defense, personnel misconduct (PM), law
- enforcement (LE), and counterintelligence (CI) investigations.
-
-At any time, the USG may inspect and seize data stored on this IS.
-
-Communications using, or data stored on, this IS are not private,
- are subject to routine monitoring, interception, and search, and may be
- disclosed or used for any USG-authorized purpose.
-
-This IS includes security measures (e.g., authentication and access
- controls) to protect USG interests -- not for your personal benefit or
- privacy.
-
-Notwithstanding the above, using this IS does not constitute consent
- to PM, LE or CI investigative searching or monitoring of the content of
- privileged communications, or work product, related to personal
- representation or services by attorneys, psychotherapists, or clergy, and
- their assistants. Such communications and work product are private and
- confidential. See User Agreement for details.
-
- OR:
-
- I've read & consent to terms in IS user agreem't.
-
rationale: |-
Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
diff --git a/linux_os/guide/system/accounts/accounts-banners/var_ssh_confirm_text.var b/linux_os/guide/system/accounts/accounts-banners/var_ssh_confirm_text.var
index 55a7959f725..3fc258fa82c 100644
--- a/linux_os/guide/system/accounts/accounts-banners/var_ssh_confirm_text.var
+++ b/linux_os/guide/system/accounts/accounts-banners/var_ssh_confirm_text.var
@@ -16,4 +16,5 @@ interactive: false
options:
# How to generate banner, check https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions
dod_default: ^\#!\/bin\/bash(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)if[\s\n]+\[[\s\n]+\-n[\s\n]+"\$SSH_CLIENT"[\s\n]+\][\s\n]+\|\|[\s\n]+\[[\s\n]+\-n[\s\n]+"\$SSH_TTY"[\s\n]+\];[\s\n]+then(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+while[\s\n]+true;[\s\n]+do(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+read[\s\n]+\-p[\s\n]+"[\s\n]+(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)Do[\s\n]+you[\s\n]+agree\?[\s\n]+\[y\/N\][\s\n]+"[\s\n]+yn(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+case[\s\n]+\$yn[\s\n]+in(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+\[Yy\]\*[\s\n]+\)[\s\n]+break[\s\n]+;;(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+\[Nn\]\*[\s\n]+\)[\s\n]+exit[\s\n]+1[\s\n]+;;(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+esac(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+done(?:[\n]+|(?:\\n)+)fi(?:[\n]+|(?:\\n)+)$
+ generic_default: ^\#!/bin/bash(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)if[\s\n]+\[[\s\n]+\-n[\s\n]+"\$SSH_CLIENT"[\s\n]+\][\s\n]+\|\|[\s\n]+\[[\s\n]+\-n[\s\n]+"\$SSH_TTY"[\s\n]+\];[\s\n]+then(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+while[\s\n]+true;[\s\n]+do(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+read[\s\n]+\-p[\s\n]+"[\s\n]+(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)This[\s\n]+system[\s\n]+is[\s\n]+accessible[\s\n]+only[\s\n]+to[\s\n]+authorized[\s\n]+users\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)By[\s\n]+accessing[\s\n]+this[\s\n]+system,[\s\n]+you[\s\n]+agree[\s\n]+to[\s\n]+comply[\s\n]+with[\s\n]+the[\s\n]+applicable[\s\n]+acceptable[\s\n]+use[\s\n]+policy[\s\n]+and[\s\n]+security[\s\n]+requirements\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)Unauthorized[\s\n]+access,[\s\n]+use,[\s\n]+or[\s\n]+modification[\s\n]+of[\s\n]+this[\s\n]+system[\s\n]+is[\s\n]+prohibited[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+subject[\s\n]+to[\s\n]+disciplinary[\s\n]+action[\s\n]+or[\s\n]+legal[\s\n]+penalties\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)All[\s\n]+activity[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+may[\s\n]+be[\s\n]+monitored,[\s\n]+recorded,[\s\n]+and[\s\n]+audited[\s\n]+in[\s\n]+accordance[\s\n]+with[\s\n]+applicable[\s\n]+policies\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)Do[\s\n]+you[\s\n]+agree\?[\s\n]+\[y/N\][\s\n]+"[\s\n]+yn(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+case[\s\n]+\$yn[\s\n]+in(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+\[Yy\]\*[\s\n]+\)[\s\n]+break[\s\n]+;;(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+\[Nn\]\*[\s\n]+\)[\s\n]+exit[\s\n]+1[\s\n]+;;(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+esac(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+done(?:[\n]+|(?:\\n)+)fi$
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml
index 849d62a869e..b08dcdac4b4 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml
@@ -1,7 +1,7 @@
documentation_complete: true
-title: 'Configure GnuTLS library to use DoD-approved TLS Encryption'
+title: 'Configure GnuTLS library to use Approved TLS Encryption'
description: |-
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -33,17 +33,17 @@ references:
ocil_clause: 'cryptographic policy for gnutls is not configured or is configured incorrectly'
ocil: |-
- To verify if GnuTLS uses defined DoD-approved TLS Crypto Policy, run:
+ To verify if GnuTLS uses the defined approved TLS Crypto Policy, run:
$ sudo grep
'+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0'
/etc/crypto-policies/back-ends/gnutls.config and verify that a match exists.
fixtext: |-
- Configure the {{{ full_name }}} GnuTLS library to use only DoD-approved encryption by adding the following line to "/etc/crypto-policies/back-ends/gnutls.config":
+ Configure the {{{ full_name }}} GnuTLS library to use only approved encryption by adding the following line to "/etc/crypto-policies/back-ends/gnutls.config":
+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0
A reboot is required for the changes to take effect.
srg_requirement:
- {{{ full_name }}} must implement DoD-approved TLS encryption in the GnuTLS package.
+ {{{ full_name }}} must implement approved TLS encryption in the GnuTLS package.
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml
index 38d109e4f6d..481041d3762 100644
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml
@@ -23,8 +23,8 @@ rationale: |-
a vendor. This ensures the software has not been tampered with and that it
has been provided by a trusted vendor. Self-signed certificates are
disallowed by this requirement. The operating system should not have
- to verify the software again. NOTE: For U.S. Military systems, this
- requirement does not mandate DoD certificates for this purpose; however,
+ to verify the software again. NOTE: For regulated systems, this requirement
+ does not mandate organization-specific certificates for this purpose; however,
the certificate used to verify the software must be from an approved
Certificate Authority.
diff --git a/ssg/utils.py b/ssg/utils.py
index 482e51d4c0c..295afc863c4 100644
--- a/ssg/utils.py
+++ b/ssg/utils.py
@@ -598,8 +598,8 @@ def escape_regex(text):
This function mimics the behavior of re.escape() in Python 3.7, which escapes a reasonable set
of characters.
- Specifically, it escapes the following characters: #, $, &, *, +, ., ^, `, |, ~, :, (, ), and -.
- Note that the characters '!', '"', '%', "'", ',', '/', ':', ';', '<', '=', '>', '@', and "`"
+ Specifically, it escapes the following characters: #, $, &, *, +, ., ?, ^, `, |, ~, :, (, ), [, ], and -.
+ Note that the characters '!', '"', '%', "'", ',', '/', ';', '<', '=', '>', '@', and "`"
are not escaped.
Args:
@@ -611,8 +611,9 @@ def escape_regex(text):
# We could use re.escape(), but it escapes too many characters, including plain white space.
# In python 3.7 the set of characters escaped by re.escape is reasonable, so lets mimic it.
# See https://docs.python.org/3/library/re.html#re.sub
- # '!', '"', '%', "'", ',', '/', ':', ';', '<', '=', '>', '@', and "`" are not escaped.
- return re.sub(r"([#$&*+.^`|~:()\[\]-])", r"\\\1", text)
+ # '!', '"', '%', "'", ',', '/', ';', '<', '=', '>', '@', and "`" are not escaped.
+ # '?' must be escaped; otherwise plain-text questions become regex quantifiers.
+ return re.sub(r"([#$&*+.?^`|~:()\[\]-])", r"\\\1", text)
def escape_id(text):