mirror of
https://git.yoctoproject.org/poky
synced 2026-02-05 08:18:43 +01:00
9541ad9650
There is a LOW severity vulnerability affecting CPython, specifically the
'http.cookies' standard library module. When parsing cookies that contained
backslashes for quoted characters in the cookie value, the parser would use
an algorithm with quadratic complexity, resulting in excess CPU resources
being used while parsing the value.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-7592
Upstream-Patch:
dcc3eaef98
(From OE-Core rev: 3bb9684eef5227e7b1280ee9051884310b0d0b7f)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
144 lines
5.0 KiB
Diff
144 lines
5.0 KiB
Diff
From dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1 Mon Sep 17 00:00:00 2001
|
|
From: "Miss Islington (bot)"
|
|
<31488909+miss-islington@users.noreply.github.com>
|
|
Date: Sun, 25 Aug 2024 00:37:11 +0200
|
|
Subject: [PATCH] gh-123067: Fix quadratic complexity in parsing "-quoted
|
|
cookie values with backslashes (GH-123075) (#123104)
|
|
|
|
gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075)
|
|
|
|
This fixes CVE-2024-7592.
|
|
(cherry picked from commit 44e458357fca05ca0ae2658d62c8c595b048b5ef)
|
|
|
|
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
|
|
|
CVE: CVE-2024-7592
|
|
|
|
Upstream-Status: Backport [https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1]
|
|
|
|
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
|
|
---
|
|
Lib/http/cookies.py | 34 ++++-------------
|
|
Lib/test/test_http_cookies.py | 38 +++++++++++++++++++
|
|
...-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst | 1 +
|
|
3 files changed, 47 insertions(+), 26 deletions(-)
|
|
create mode 100644 Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
|
|
|
|
diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
|
|
index 35ac2dc..2c1f021 100644
|
|
--- a/Lib/http/cookies.py
|
|
+++ b/Lib/http/cookies.py
|
|
@@ -184,8 +184,13 @@ def _quote(str):
|
|
return '"' + str.translate(_Translator) + '"'
|
|
|
|
|
|
-_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
|
|
-_QuotePatt = re.compile(r"[\\].")
|
|
+_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))').sub
|
|
+
|
|
+def _unquote_replace(m):
|
|
+ if m[1]:
|
|
+ return chr(int(m[1], 8))
|
|
+ else:
|
|
+ return m[2]
|
|
|
|
def _unquote(str):
|
|
# If there aren't any doublequotes,
|
|
@@ -205,30 +210,7 @@ def _unquote(str):
|
|
# \012 --> \n
|
|
# \" --> "
|
|
#
|
|
- i = 0
|
|
- n = len(str)
|
|
- res = []
|
|
- while 0 <= i < n:
|
|
- o_match = _OctalPatt.search(str, i)
|
|
- q_match = _QuotePatt.search(str, i)
|
|
- if not o_match and not q_match: # Neither matched
|
|
- res.append(str[i:])
|
|
- break
|
|
- # else:
|
|
- j = k = -1
|
|
- if o_match:
|
|
- j = o_match.start(0)
|
|
- if q_match:
|
|
- k = q_match.start(0)
|
|
- if q_match and (not o_match or k < j): # QuotePatt matched
|
|
- res.append(str[i:k])
|
|
- res.append(str[k+1])
|
|
- i = k + 2
|
|
- else: # OctalPatt matched
|
|
- res.append(str[i:j])
|
|
- res.append(chr(int(str[j+1:j+4], 8)))
|
|
- i = j + 4
|
|
- return _nulljoin(res)
|
|
+ return _unquote_sub(_unquote_replace, str)
|
|
|
|
# The _getdate() routine is used to set the expiration time in the cookie's HTTP
|
|
# header. By default, _getdate() returns the current time in the appropriate
|
|
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
|
|
index 925c869..8879902 100644
|
|
--- a/Lib/test/test_http_cookies.py
|
|
+++ b/Lib/test/test_http_cookies.py
|
|
@@ -5,6 +5,7 @@ import unittest
|
|
import doctest
|
|
from http import cookies
|
|
import pickle
|
|
+from test import support
|
|
|
|
|
|
class CookieTests(unittest.TestCase):
|
|
@@ -58,6 +59,43 @@ class CookieTests(unittest.TestCase):
|
|
for k, v in sorted(case['dict'].items()):
|
|
self.assertEqual(C[k].value, v)
|
|
|
|
+ def test_unquote(self):
|
|
+ cases = [
|
|
+ (r'a="b=\""', 'b="'),
|
|
+ (r'a="b=\\"', 'b=\\'),
|
|
+ (r'a="b=\="', 'b=='),
|
|
+ (r'a="b=\n"', 'b=n'),
|
|
+ (r'a="b=\042"', 'b="'),
|
|
+ (r'a="b=\134"', 'b=\\'),
|
|
+ (r'a="b=\377"', 'b=\xff'),
|
|
+ (r'a="b=\400"', 'b=400'),
|
|
+ (r'a="b=\42"', 'b=42'),
|
|
+ (r'a="b=\\042"', 'b=\\042'),
|
|
+ (r'a="b=\\134"', 'b=\\134'),
|
|
+ (r'a="b=\\\""', 'b=\\"'),
|
|
+ (r'a="b=\\\042"', 'b=\\"'),
|
|
+ (r'a="b=\134\""', 'b=\\"'),
|
|
+ (r'a="b=\134\042"', 'b=\\"'),
|
|
+ ]
|
|
+ for encoded, decoded in cases:
|
|
+ with self.subTest(encoded):
|
|
+ C = cookies.SimpleCookie()
|
|
+ C.load(encoded)
|
|
+ self.assertEqual(C['a'].value, decoded)
|
|
+
|
|
+ @support.requires_resource('cpu')
|
|
+ def test_unquote_large(self):
|
|
+ n = 10**6
|
|
+ for encoded in r'\\', r'\134':
|
|
+ with self.subTest(encoded):
|
|
+ data = 'a="b=' + encoded*n + ';"'
|
|
+ C = cookies.SimpleCookie()
|
|
+ C.load(data)
|
|
+ value = C['a'].value
|
|
+ self.assertEqual(value[:3], 'b=\\')
|
|
+ self.assertEqual(value[-2:], '\\;')
|
|
+ self.assertEqual(len(value), n + 3)
|
|
+
|
|
def test_load(self):
|
|
C = cookies.SimpleCookie()
|
|
C.load('Customer="WILE_E_COYOTE"; Version=1; Path=/acme')
|
|
diff --git a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
|
|
new file mode 100644
|
|
index 0000000..6a23456
|
|
--- /dev/null
|
|
+++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
|
|
@@ -0,0 +1 @@
|
|
+Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies`.
|
|
--
|
|
2.40.0
|