[New-bugs-announce] [issue43075] ReDoS in request
yeting li
report at bugs.python.org
Sat Jan 30 03:11:46 EST 2021
New submission from yeting li <liyt at ios.ac.cn>:
Hi,
I find this regex '(?:^|,)[ \t]*([^ \t]+)[ \t]+' may be stucked by input.
The vulnerable regex is located in https://github.com/python/cpython/blob/5c5a938573ce665f00e362c7766912d9b3f3b44e/Lib/urllib/request.py#L946
The ReDOS vulnerability of the regex is mainly due to the sub-pattern ',([^ \t]+)' and can be exploited with the following string
attack_str = "," * 10000
You can execute redos_python.py to reproduce the ReDos vulnerability.
I am willing to suggest that you replace '(?:^|,)[ \t]*([^ \t]+)[ \t]+' with '(?:^|,)[ \t]*([^ \t,]+)[ \t]+'
Looking forward for your response!
Best,
Yeting Li
----------
components: Library (Lib)
files: redos_python.py
messages: 385974
nosy: yetingli
priority: normal
severity: normal
status: open
title: ReDoS in request
versions: Python 3.6, Python 3.7, Python 3.8, Python 3.9
Added file: https://bugs.python.org/file49778/redos_python.py
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue43075>
_______________________________________
More information about the New-bugs-announce
mailing list