[New-bugs-announce] [issue33113] Query performance is very low and can even lead to denial of service

guohui report at bugs.python.org
Wed Mar 21 02:28:15 EDT 2018


New submission from guohui <ghi5107 at 126.com>:

I found an issue in the regex (findall, search) functions: when searching some content with some pattern, the function takes a very long time to return, and match performance is very low.
I think this issue could lead to very low query performance, or an attacker may exploit the issue to cause a denial of service condition.


system:  python 2.7.14  regex(2018.2.21)
poc:

import re
pat = r'^(\(?[\w\d\-\.\\]{3,}\|?){1,}[\w\d\-\.\\]{3,}\)?$'
#plaintext content
content = r'(ftp\x3a\x2f\x2f|http\x3a\x2f\x2f|https\x3a\x2f\x2f|c\x3a\x2f\x2f|d\x3a\x2f\x2f|e\x3a\x2f\x2f)a'
result = re.findall(pat, content)
print result

----------
components: Regular Expressions
files: test_performance.py
messages: 314187
nosy: ezio.melotti, ghi5107, mrabarnett
priority: normal
severity: normal
status: open
title: Query performance is very low and can even lead to denial of service
type: security
versions: Python 2.7
Added file: https://bugs.python.org/file47495/test_performance.py

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue33113>
_______________________________________
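
Added example (not part of the original report or of the attached test_performance.py): the group `(\(?[\w\d\-\.\\]{3,}\|?){1,}` can cut every unbroken run of class characters into pieces of three or more in many different ways, and a backtracking matcher that only fails at the final `$` has to try the combinations. The sketch below counts those splits per run and multiplies them as a rough estimate of that search space; the function names and the `budget` threshold are hypothetical, and the benign sample is constructed.

```python
import re

# Character class and the {3,} lower bound, copied from the reported pattern.
CLASS_RUN = re.compile(r'[\w\d\-\.\\]+')
MIN_PART = 3

# Input string from the report above, and a constructed benign sample.
REPORTED = (r'(ftp\x3a\x2f\x2f|http\x3a\x2f\x2f|https\x3a\x2f\x2f'
            r'|c\x3a\x2f\x2f|d\x3a\x2f\x2f|e\x3a\x2f\x2f)a')
BENIGN = 'foo.bar|baz-qux'


def split_ways(n, min_part=MIN_PART):
    """Ways to cut a run of n characters into consecutive pieces of >= min_part."""
    ways = [1] + [0] * n
    for length in range(1, n + 1):
        ways[length] = sum(ways[length - k] for k in range(min_part, length + 1))
    return ways[n]


def ambiguity(text):
    """Return ([(run_length, ways), ...], product of ways) for splittable runs."""
    per_run = []
    total = 1
    for match in CLASS_RUN.finditer(text):
        n = len(match.group())
        if n >= MIN_PART:          # shorter runs cannot be consumed by the group
            per_run.append((n, split_ways(n)))
            total *= per_run[-1][1]
    return per_run, total


def within_budget(text, budget=10**6):
    """Hypothetical pre-check: accept input only if the estimate stays small."""
    return ambiguity(text)[1] <= budget


if __name__ == "__main__":
    for label, text in (("reported", REPORTED), ("benign", BENIGN)):
        per_run, total = ambiguity(text)
        print("%s: runs=%s combinations=%d within_budget=%s"
              % (label, per_run, total, within_budget(text)))
```

The estimate models only this pattern's `{3,}` group and is not a measured step count; it never runs the reported pattern itself, so it returns immediately on both inputs.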

