This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.

classification
Title: Catastrophic backtracking in fpformat
Type: security
Stage: resolved
Components: Library (Lib)
Versions: Python 2.7

process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: benjamin.peterson, davisjam, serhiy.storchaka
Priority: normal
Keywords: patch

Created on 2018-03-05 15:12 by davisjam, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Pull Requests
URL Status Linked
PR 5984 merged davisjam, 2018-03-05 15:37
Messages (4)
msg313249 - (view) Author: James Davis (davisjam) * Date: 2018-03-05 15:12
The decoder regex used to parse numbers in the fpformat module is vulnerable to catastrophic backtracking.

'^([-+]?)0*(\d*)((?:\.\d*)?)(([eE][-+]?\d+)?)$'

The substructure '0*(\d*)' is quadratic.
An attack string like '+000....0++' blows up.

There is a risk of DOS (REDOS) if a web app uses this module to format untrusted strings.
msg313265 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2018-03-05 16:41
Wouldn't it be easier to remove '0*' from the pattern? 0s could be stripped later by .lstrip('0').
msg313268 - (view) Author: James Davis (davisjam) * Date: 2018-03-05 16:51
Equivalent, probably cleaner. Comment on the PR if you want a change.
msg313307 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2018-03-06 05:59
New changeset 55d5bfba9482d39080f7b9ec3e6257ecd23f264f by Benjamin Peterson (Jamie Davis) in branch '2.7':
[2.7] closes bpo-32997: Fix REDOS in fpformat (GH-5984)
https://github.com/python/cpython/commit/55d5bfba9482d39080f7b9ec3e6257ecd23f264f
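
The comparison discussed in msg313249 and msg313265, as an added example that is not part of the tracker thread or of the merged patch: it checks that dropping `0*` and stripping zeros afterwards parses a set of constructed inputs identically, and times rejection of the string shape from msg313249 under both patterns. The names `parse_original`, `parse_hardened`, `reject_seconds` and `SAMPLES` are assumptions made for this sketch, and it is written for Python 3's `re` rather than the 2.7 module the issue concerns.

```python
import re
import time

# Pattern quoted in msg313249: 0* followed by (\d*) can split a run of zeros
# in O(n) ways, and each split is retried when the tail fails to match.
ORIGINAL = re.compile(r'^([-+]?)0*(\d*)((?:\.\d*)?)(([eE][-+]?\d+)?)$')
# Variant from msg313265: drop 0* and strip leading zeros after matching.
HARDENED = re.compile(r'^([-+]?)(\d*)((?:\.\d*)?)(([eE][-+]?\d+)?)$')


def parse_original(s):
    """Return (sign, intpart, fraction, exppart), or None if s is rejected."""
    m = ORIGINAL.match(s)
    return m.group(1, 2, 3, 4) if m else None


def parse_hardened(s):
    """Same result as parse_original, with zeros stripped outside the regex."""
    m = HARDENED.match(s)
    if m is None:
        return None
    sign, intpart, fraction, exppart = m.group(1, 2, 3, 4)
    return sign, intpart.lstrip('0'), fraction, exppart


def reject_seconds(parse, n, repeat=3):
    """Best-of-repeat time to reject '+', n zeros, '++' (shape from msg313249)."""
    s = '+' + '0' * n + '++'
    best = float('inf')
    for _ in range(repeat):
        start = time.perf_counter()
        if parse(s) is not None:
            raise ValueError('malformed input was accepted')
        best = min(best, time.perf_counter() - start)
    return best


# Constructed sample inputs: valid numbers, edge cases and malformed strings.
SAMPLES = ['0', '000', '007', '100', '-0012.50', '+.5', '1e10', '00.0E-3',
           '', '.', '+', '1e', '1.2.3', '++1', '0x10', ' 1', '+000++']

if __name__ == '__main__':
    for s in SAMPLES:
        assert parse_original(s) == parse_hardened(s), s
    for n in (250, 500, 1000):  # doubling n roughly quadruples the first time
        print(n, reject_seconds(parse_original, n),
              reject_seconds(parse_hardened, n))
```

Keeping a best-of-several timing like this in a regression test catches a reintroduced `0*(\d*)`-style construct before it ships.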
History
Date User Action Args
2022-04-11 14:58:58 admin set github: 77178
2018-03-06 05:59:05 benjamin.peterson set status: open -> closed; nosy: + benjamin.peterson; messages: + msg313307; resolution: fixed; stage: patch review -> resolved
2018-03-05 16:51:24 davisjam set messages: + msg313268
2018-03-05 16:41:42 serhiy.storchaka set nosy: + serhiy.storchaka; messages: + msg313265
2018-03-05 15:37:24 davisjam set keywords: + patch; stage: patch review; pull_requests: + pull_request5750
2018-03-05 15:12:47 davisjam create