Skip to content

gh-123067: Denial of Service Vulnerability in http.cookies._unquote() #123066

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

gh-123067: Denial of Service Vulnerability in http.cookies._unquote() #123066

wants to merge 1 commit into from

Conversation

@ch4n3-yoon
Copy link

@ch4n3-yoon ch4n3-yoon commented Aug 16, 2024
edited by bedevere-app bot
Loading

Summary

Refactor and improve the _unquote() method in http.cookies to address the performance issues identified in CVE-2024-7592, enhancing the handling of escape sequences to prevent potential DoS vulnerabilities.

Changes

  • Updated regex patterns to optimize matching and substitution.
  • Removed inefficient loop constructs, replacing them with a streamlined regex substitution process.

Context

This update comes after the Django team acknowledged the potential for a DoS vulnerability within their use of the http.cookies module. The vulnerability has been formally reserved CVE-2024-7592.

Please review these changes and provide your feedback.
@ghost
Copy link

ghost commented Aug 16, 2024
edited by ghost
Loading

All commit authors signed the Contributor License Agreement.
CLA signed
@bedevere-app
Copy link

bedevere-app bot commented Aug 16, 2024

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.
@ch4n3-yoon ch4n3-yoon closed this Aug 16, 2024
@ch4n3-yoon
Copy link
Author

ch4n3-yoon commented Aug 16, 2024

Oh, I'm sorry for missing to create an issue.
@ch4n3-yoon ch4n3-yoon changed the title CVE-2024-7592: Denial of Service Vulnerability in http.cookies._unquote() gh-123067: Denial of Service Vulnerability in http.cookies._unquote() Aug 16, 2024
@bedevere-app bedevere-app bot mentioned this pull request Aug 16, 2024
Closed
@ch4n3-yoon ch4n3-yoon reopened this Aug 16, 2024
@bedevere-app
Copy link

bedevere-app bot commented Aug 16, 2024

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.
@sethmlarson sethmlarson added the type-security A security issue label Aug 16, 2024
@picnixz picnixz added needs backport to 3.8 needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes labels Aug 16, 2024
@sethmlarson
Copy link
Contributor

sethmlarson commented Aug 16, 2024

@ch4n3-yoon Can you create a news entry for this change with blurb?
sethmlarson
sethmlarson reviewed Aug 16, 2024
View reviewed changes
Lib/http/cookies.py
j = o_match.start(0)
if q_match:
k = q_match.start(0)
if q_match and (not o_match or k < j): # QuotePatt matched
Copy link
Contributor

@sethmlarson sethmlarson Aug 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This appears to be removing all backslashes from the cookie, where the new behavior is only removing backslashes in front of quotes. Is that what we're expecting to change with this PR?
Copy link
Contributor

@sethmlarson sethmlarson Aug 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From reading the RFC, I think we should preserve the original behavior of unquoting all single-character preceded by a backslash. If you agree, can we add a test case that ensures this behavior is preserved.
serhiy-storchaka
serhiy-storchaka reviewed Aug 16, 2024
View reviewed changes
Copy link
Member

@serhiy-storchaka serhiy-storchaka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

_quate() can produce not only \", but also \\.

Both octal encoding and simple backslash-escaping should be handled at the same pass. Your code produces incorrect value for \134\042.

I created an alternative PR #123075 which handles such cases correctly and has some tests.
@picnixz
Copy link
Member

picnixz commented Aug 17, 2024

Closing since #123075 was considered instead.
@picnixz picnixz closed this Aug 17, 2024
@picnixz picnixz removed type-security A security issue needs backport to 3.8 needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes labels Aug 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

awaiting review

4 participants

@ch4n3-yoon @sethmlarson @picnixz @serhiy-storchaka