➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2020-09-04 09:47 by yetingli, last changed 2022-04-11 14:59 by admin. This issue is now closed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| purge.py | yetingli, 2020-09-04 09:47 | |||
| purge.py | Pixmew, 2020-11-05 15:26 | |||
| Pull Requests | |||
|---|---|---|---|
| URL | Status | Linked | Edit |
| PR 23166 | merged | Pixmew, 2020-11-05 15:48 | |
| PR 23191 | closed | Pixmew, 2020-11-07 15:20 | |
| PR 23287 | closed | Pixmew, 2020-11-14 17:38 | |
| Messages (8) | |||
|---|---|---|---|
| msg376343 - (view) | Author: yeting li (yetingli) * | Date: 2020-09-04 09:47 | |
I find this regex "(\d+\.\d+\.\d+)(\w+\d+)?$" may be stucked by input. The vulnerable regex is located in https://github.com/python/cpython/blob/54a66ade2067c373d31003ad260e1b7d14c81564/Tools/msi/purge.py#L15 The ReDOS vulnerability of the regex is mainly due to the sub-pattern \w+\d+ and can be exploited with the following string "1.1.1"+"1" * 5000 + "!" I think you can limit the input length or fix this regex. For example, you can modify the sub-pattern \w+\d+ to ([A-Za-z_]*\d)+ Looking forward for your response! Best, Yeting Li |
|||
| msg376356 - (view) | Author: Serhiy Storchaka (serhiy.storchaka) *  |
Date: 2020-09-04 11:14 | |
Thank you for your report yeting li. The pattern modification looks good to me. Do you mind to create a pull request? |
|||
| msg376377 - (view) | Author: Zachary Ware (zach.ware) * |
Date: 2020-09-04 15:43 | |
Does it matter? This is not a library, it is a script used occasionally by a release manager, called manually, and the only input to the regex is provided via a command-line argument in that manual call. I don't think Steve plans to REDoS himself :) |
|||
| msg376385 - (view) | Author: Steve Dower (steve.dower) * |
Date: 2020-09-04 16:30 | |
I've considered DoSing myself a few times, but then change my mind and just publish the release :) A PR to change it to "(\d+\.\d+\.\d+)([a-zA-Z]+\d+)?$" would be fine, but is not urgent. It certainly doesn't need to be backported, as this is only ever used from master these days. Personally I'd be just as happy closing the issue. I know that the current script works, and there's nothing worse than breaking a release because someone has changed the release scripts without testing them properly. |
|||
| msg380411 - (view) | Author: Yash Shete (Pixmew) * | Date: 2020-11-05 15:01 | |
converted regex from \w+\d+ to ([A-Za-z_]*\d)+ as asked. you can modify the sub-pattern \w+\d+ to ([A-Za-z_]*\d)+ and is working fine |
|||
| msg380413 - (view) | Author: Yash Shete (Pixmew) * | Date: 2020-11-05 15:26 | |
Vulnerable regex conditions are removed bpo-41712: Removal of Vulnerable regex conditions Using suggestion ""For example, you can modify the sub-pattern \w+\d+ to ([A-Za-z_]*\d)+"" and converted to ([A-za-z_]+\d+) which should Fix the issue of vulnerable regex. Test Result : Working as intended Sorry if this not much this is my first pr to big org |
|||
| msg380601 - (view) | Author: Steve Dower (steve.dower) * |
Date: 2020-11-09 17:38 | |
New changeset 1f73c320e2921605c4963e202f6bdac1ef18f2ce by Yash Shete in branch 'master': bpo-41712: Avoid runaway regex match in upload scripts (GH-23166) https://github.com/python/cpython/commit/1f73c320e2921605c4963e202f6bdac1ef18f2ce |
|||
| msg380610 - (view) | Author: Steve Dower (steve.dower) * |
Date: 2020-11-09 19:14 | |
Thanks Yash for the fix! |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:59:35 | admin | set | github: 85878 |
| 2020-11-14 17:38:53 | Pixmew | set | pull_requests: + pull_request22179 |
| 2020-11-09 19:14:23 | steve.dower | set | status: open -> closed resolution: fixed messages: + msg380610 stage: patch review -> resolved |
| 2020-11-09 17:38:17 | steve.dower | set | messages: + msg380601 |
| 2020-11-07 15:20:10 | Pixmew | set | pull_requests: + pull_request22094 |
| 2020-11-05 15:48:14 | Pixmew | set | keywords:
+ patch stage: needs patch -> patch review pull_requests: + pull_request22078 |
| 2020-11-05 15:26:11 | Pixmew | set | files:
+ purge.py messages: + msg380413 |
| 2020-11-05 15:03:53 | Pixmew | set | files: - purge.py |
| 2020-11-05 15:01:13 | Pixmew | set | files:
+ purge.py nosy: + Pixmew messages: + msg380411 |
| 2020-09-04 16:30:12 | steve.dower | set | messages:
+ msg376385 versions: - Python 3.8, Python 3.9 |
| 2020-09-04 15:43:43 | zach.ware | set | nosy:
+ paul.moore, tim.golden, zach.ware, steve.dower messages: + msg376377 components: + Installation, Windows, - Library (Lib) type: security -> behavior |
| 2020-09-04 11:14:42 | serhiy.storchaka | set | versions:
+ Python 3.8, Python 3.9 nosy: + serhiy.storchaka messages: + msg376356 keywords: + easy stage: needs patch |
| 2020-09-04 09:47:22 | yetingli | create | |