Bug report
Bug description:
Description
A potential Denial of Service (DoS) vulnerability, identified as CVE-2024-7592, has been discovered in the _unquote() method of the http.cookies module in Python's standard library. This vulnerability is particularly concerning as it affects frameworks that utilize this method, including Django.
Vulnerable Code
The _unquote() function uses regular expressions _OctalPatt and _QuotePatt within a while loop to process input strings. The problematic patterns and their application can lead to exponential time complexity under certain conditions, akin to a Regular Expression Denial of Service (ReDoS) attack.
```python
# http/cookies.py
import re

_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
_QuotePatt = re.compile(r"[\\].")

def _unquote(str):
    # ... (code omitted for brevity)
    while 0 <= i < n:
        o_match = _OctalPatt.search(str, i)
        q_match = _QuotePatt.search(str, i)
        # ... (further processing)
```
Impact
This vulnerability has also been verified in the Django framework, where the parse_cookie() function uses this method to process incoming cookie headers. This could potentially be exploited by sending specially crafted cookie values to trigger significant delays:
- Cookie sizes of 8000+ bytes caused delays of approximately 0.15 seconds per HTTP request.
- Cookie sizes of 20000+ bytes resulted in delays of about 1 second per request.
While many environments limit HTTP request sizes, the specific limits vary, and in some cases, this vulnerability could be exploited.
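To make the cost concrete, an added example (not CPython's source or the linked patch): a reconstruction of the two-search loop that counts, under a simple model (assumption: a failed search examines every remaining character), how many characters the octal search revisits, beside a single-pass `re.sub` rewrite; both are checked against the stdlib's own `http.cookies._unquote` for identical output.

```python
import re
import http.cookies

# The two patterns quoted from http/cookies.py in the issue.
_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
_QuotePatt = re.compile(r"[\\].")

def unquote_two_searches(s, cost=None):
    """Reconstruction (added here, not the stdlib source) of the two-search
    loop.  `cost`, if given, is a one-element list counting characters the
    octal search examines: a failed search scans the whole remaining tail."""
    if s is None or len(s) < 2 or s[0] != '"' or s[-1] != '"':
        return s
    s = s[1:-1]
    i, n, res = 0, len(s), []
    while 0 <= i < n:
        o = _OctalPatt.search(s, i)
        q = _QuotePatt.search(s, i)
        if cost is not None:
            cost[0] += (n - i) if o is None else (o.start() - i + 1)
        if not o and not q:
            res.append(s[i:])
            break
        j = o.start() if o else -1
        k = q.start() if q else -1
        if q and (not o or k < j):   # plain "\x" escape comes first
            res.append(s[i:k] + s[k + 1])
            i = k + 2
        else:                        # "\ooo" octal escape comes first
            res.append(s[i:j] + chr(int(s[j + 1:j + 4], 8)))
            i = j + 4
    return "".join(res)

# Single pass: each backslash is resolved once, left to right, so work is linear.
_ESCAPE = re.compile(r"\\(?:([0-3][0-7][0-7])|(.))")

def unquote_single_pass(s):
    if s is None or len(s) < 2 or s[0] != '"' or s[-1] != '"':
        return s
    return _ESCAPE.sub(lambda m: chr(int(m[1], 8)) if m[1] else m[2], s[1:-1])

def octal_scan_cost(value):
    """Characters the octal search examines for `value` under the model above."""
    cost = [0]
    unquote_two_searches(value, cost)
    return cost[0]

def agrees_with_stdlib(value):
    """Both variants must decode exactly like the stdlib's own _unquote."""
    expected = http.cookies._unquote(value)
    return unquote_two_searches(value) == expected == unquote_single_pass(value)
```

Doubling the number of escaped characters roughly quadruples the counted scan cost for the two-search loop, while the single-pass form touches each backslash once.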
CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux
Linked PRs
- gh-123067: Denial of Service Vulnerability in http.cookies._unquote() #123066
- gh-123067: Fix quadratic complexity in parsing cookies with backslashes #123075
- [3.13] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123103
- [3.12] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123104
- [3.11] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123105
- [3.10] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123106
- [3.9] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123107
- [3.8] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123108