Message 314187 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	ghi5107
Recipients	ezio.melotti, ghi5107, mrabarnett
Date	2018-03-21.06:28:14
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1521613695.07.0.467229070634.issue33113@psf.upfronthosting.co.za>
In-reply-to

Content
I found a issue in regex (findall search)function, when seaching some content by some pattern, the function return for a long long time, match performance is very low. I think this issue could lead to too low query performance, or a attacker may exploit the issue to cause a denail of service condition. system: python 2.7.14 regex(2018.2.21) poc: import re pat = r'^(\(?[\w\d\-\.\\]{3,}\\|?){1,}[\w\d\-\.\\]{3,}\)?$' #plaintext content content = r'(ftp\x3a\x2f\x2f\|http\x3a\x2f\x2f\|https\x3a\x2f\x2f\|c\x3a\x2f\x2f\|d\x3a\x2f\x2f\|e\x3a\x2f\x2f)a' result = re.findall(pat, content) print result

I found a issue in regex (findall search)function, when seaching some content by some pattern, the function return for a long long time, match performance is very low.
I think this issue could lead to too low query performance, or a attacker may exploit the issue to cause a denail of service condition.


system:  python 2.7.14  regex(2018.2.21)
poc:

import re
pat = r'^(\(?[\w\d\-\.\\]{3,}\|?){1,}[\w\d\-\.\\]{3,}\)?$'
#plaintext content
content = r'(ftp\x3a\x2f\x2f|http\x3a\x2f\x2f|https\x3a\x2f\x2f|c\x3a\x2f\x2f|d\x3a\x2f\x2f|e\x3a\x2f\x2f)a'
result = re.findall(pat, content)
print result

History
Date	User	Action	Args
2018-03-21 06:28:15	ghi5107	set	recipients: + ghi5107, ezio.melotti, mrabarnett
2018-03-21 06:28:15	ghi5107	set	messageid: <1521613695.07.0.467229070634.issue33113@psf.upfronthosting.co.za>
2018-03-21 06:28:14	ghi5107	link	issue33113 messages
2018-03-21 06:28:14	ghi5107	create