Message 385974 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	yetingli
Recipients	yetingli
Date	2021-01-30.08:11:46
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1611994306.46.0.333529770265.issue43075@roundup.psfhosted.org>
In-reply-to

Content
Hi, I find this regex '(?:^\|,)[ \t]([^ \t]+)[ \t]+' may be stucked by input. The vulnerable regex is located in https://github.com/python/cpython/blob/5c5a938573ce665f00e362c7766912d9b3f3b44e/Lib/urllib/request.py#L946 The ReDOS vulnerability of the regex is mainly due to the sub-pattern ',([^ \t]+)' and can be exploited with the following string attack_str = "," 10000 You can execute redos_python.py to reproduce the ReDos vulnerability. I am willing to suggest that you replace '(?:^\|,)[ \t]([^ \t]+)[ \t]+' with '(?:^\|,)[ \t]([^ \t,]+)[ \t]+' Looking forward for your response! Best, Yeting Li

Hi,

I find this regex '(?:^|,)[ \t]*([^ \t]+)[ \t]+' may be stucked by input.

The vulnerable regex is located in https://github.com/python/cpython/blob/5c5a938573ce665f00e362c7766912d9b3f3b44e/Lib/urllib/request.py#L946

The ReDOS vulnerability of the regex is mainly due to the sub-pattern ',([^ \t]+)' and can be exploited with the following string
attack_str = "," * 10000

You can execute redos_python.py to reproduce the ReDos vulnerability.


I am willing to suggest that you replace '(?:^|,)[ \t]*([^ \t]+)[ \t]+' with '(?:^|,)[ \t]*([^ \t,]+)[ \t]+'

Looking forward for your response!

Best,
Yeting Li

History
Date	User	Action	Args
2021-01-30 08:11:46	yetingli	set	recipients: + yetingli
2021-01-30 08:11:46	yetingli	set	messageid: <1611994306.46.0.333529770265.issue43075@roundup.psfhosted.org>
2021-01-30 08:11:46	yetingli	link	issue43075 messages
2021-01-30 08:11:46	yetingli	create