[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler
STINNER Victor
report at bugs.python.org
Wed Apr 1 20:44:09 EDT 2020
STINNER Victor <vstinner at python.org> added the comment:
Ooooh, I see. I didn't measure the performance of the right header. I re-ran a benchmark using the HTTP header (repeat=15):
header = 'Basic ' + ', ' * 15 + 'A'
Now I see a major performance difference. Comparison between master ("ref") and PR 18284 ("fix"):
Mean +- std dev: [ref] 88.9 ms +- 2.4 ms -> [fix] 17.5 us +- 0.7 us: 5083.23x faster (-100%)
So the worst case is now way faster: more than 5000x faster!
It's even possible to go up to repeat=10**6 characters, it still takes less than 1 second: 412 ms +- 19 ms.
On the master branch, repeat=20 already takes around 3 seconds... The slowdown is exponential with repeat increase.
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue39503>
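As an added example (not code from the tracker thread), the pre- and post-fix patterns as I recall them from CPython's urllib.request (quoted as an assumption, check them against the PR) applied to the header shape used in the comment, so the exponential versus linear behaviour can be reproduced and pinned in a regression test:

```python
import re
import time

# Pattern used by urllib.request.AbstractBasicAuthHandler before the fix
# (quoted from memory of CPython, treat as an assumption). '(?:.*,)*' lets
# the engine split a run of commas in exponentially many ways before it
# finally gives up when no 'realm=' follows.
OLD_RX = re.compile(r'(?:.*,)*[ \t]*([^ \t]+)[ \t]+realm=(["\']?)([^"\']*)\2',
                    re.I)

# Pattern after PR 18284 (also from memory, an assumption): the scheme must
# start at the beginning of the header or right after a comma and may not
# contain a comma, so every position is examined a bounded number of times.
NEW_RX = re.compile(r'(?:^|,)[ \t]*([^ \t,]+)[ \t]+realm=(["\']?)([^"\']*)\2',
                    re.I)


def find_realm(rx, header):
    """Return (scheme, realm) from a WWW-Authenticate value, or None."""
    mo = rx.search(header)
    if mo is None:
        return None
    return mo.group(1), mo.group(3)


def evil_header(repeat):
    """The header shape from the tracker comment: many ', ' then a lone 'A'."""
    return 'Basic ' + ', ' * repeat + 'A'


def time_search(rx, header):
    """Seconds spent in one rx.search() call on header."""
    t0 = time.perf_counter()
    rx.search(header)
    return time.perf_counter() - t0


if __name__ == '__main__':
    # Benign headers parse identically under both patterns.
    for h in ('Basic realm="Secure Area"', "Digest nonce=x, Basic realm='r'"):
        print(h, '->', find_realm(OLD_RX, h), find_realm(NEW_RX, h))
    # The old pattern's cost roughly doubles per extra ', '; the new one stays
    # flat even on a header far larger than any server should send.
    for n in (5, 10, 15):
        print(f'repeat={n}: old {time_search(OLD_RX, evil_header(n)):.4f}s  '
              f'new {time_search(NEW_RX, evil_header(n)):.6f}s')
    print(f'repeat=100000: new {time_search(NEW_RX, evil_header(10**5)):.4f}s')
```

Keep the old-pattern loop at repeat=15 or below: the comment notes that repeat=20 already costs seconds on the unfixed code.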