https://github.com/python/cpython
Revision c9516754067d71fd7429a25ccfcb2141fc583523 authored by Benjamin Peterson on 04 March 2018, 06:59:12 UTC, committed by GitHub on 04 March 2018, 06:59:12 UTC
* Prevent low-grade poplib REDOS (CVE-2018-1060)

  The regex to test a mail server's timestamp is susceptible to catastrophic backtracking on long evil responses from the server. Happily, the maximum length of malicious inputs is 2K thanks to a limit introduced in the fix for CVE-2013-1752. A 2KB evil response from the mail server would result in small slowdowns (milliseconds vs. microseconds) accumulated over many apop calls. This is a potential DOS vector via accumulated slowdowns. Replace it with a similar non-vulnerable regex. The new regex is RFC compliant. The old regex was non-compliant in edge cases.

* Prevent difflib REDOS (CVE-2018-1061)

  The default regex for IS_LINE_JUNK is susceptible to catastrophic backtracking. This is a potential DOS vector. Replace it with an equivalent non-vulnerable regex. Also introduce unit and REDOS tests for difflib.

Co-authored-by: Tim Peters <tim.peters@gmail.com>
Co-authored-by: Christian Heimes <christian@python.org>

(cherry picked from commit 0e6c8ee2358a2e23117501826c008842acb835ac)
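The commit message describes the two regex replacements without showing them. The following example is added here and is not code from the CPython commit or from this page: it places each regex as I recall it from GH-5955 (the old difflib `\s*#?\s*$` and poplib `\+OK.*(<[^>]+>)` beside the replacements `\s*(?:#\s*)?$` and `\+OK.*(<.*>)`) side by side, checks that the old and new difflib patterns classify the same sample lines, extracts an APOP timestamp the way the fixed poplib does, and times both difflib patterns on a 2K adversarial line. The four patterns and the sample inputs are assumptions to verify against Lib/difflib.py and Lib/poplib.py at this revision; the helper names (`is_line_junk`, `junk_disagreements`, `apop_timestamp`, `match_seconds`) are mine.

```python
import re
import time

# Regex pairs as recalled from CPython commit GH-5955 (bpo-32981). The page
# does not reproduce the diff, so treat these as assumptions and verify them
# against Lib/difflib.py and Lib/poplib.py in the revision above.

# difflib.IS_LINE_JUNK: a line is junk if it is blank or holds a single '#'.
OLD_LINE_JUNK = re.compile(r"\s*#?\s*$")      # two adjacent \s* with an optional '#' between
NEW_LINE_JUNK = re.compile(r"\s*(?:#\s*)?$")  # second \s* only reachable after a literal '#'

# poplib: extract the APOP timestamp (<...>) from the server greeting.
OLD_TIMESTAMP = re.compile(br"\+OK.*(<[^>]+>)")
NEW_TIMESTAMP = re.compile(br"\+OK.*(<.*>)")


def is_line_junk(line, pat=NEW_LINE_JUNK.match):
    """Hardened equivalent of difflib.IS_LINE_JUNK (hypothetical helper)."""
    return pat(line) is not None


def junk_disagreements(lines):
    """Lines on which the old and new difflib patterns disagree; expected to be empty."""
    return [line for line in lines
            if bool(OLD_LINE_JUNK.match(line)) != bool(NEW_LINE_JUNK.match(line))]


def apop_timestamp(welcome, pat=NEW_TIMESTAMP.match):
    """APOP timestamp from a +OK greeting, as poplib extracts it after the fix, or None."""
    m = pat(welcome)
    return m.group(1) if m else None


def match_seconds(pat, text):
    """Wall-clock seconds spent in a single pat.match(text) call."""
    start = time.perf_counter()
    pat.match(text)
    return time.perf_counter() - start


# Constructed sample lines around the junk/non-junk boundary.
SAMPLE_LINES = ["", "   ", "#", "  #  ", "\t#\n", "# comment", "x", "  x  ", "##"]

# Constructed greeting in the shape RFC 1939 gives for APOP-capable servers.
SAMPLE_GREETING = b"+OK POP3 server ready <1896.697170952@example.org>"

if __name__ == "__main__":
    print("difflib disagreements:", junk_disagreements(SAMPLE_LINES))
    print("timestamp:", apop_timestamp(SAMPLE_GREETING))
    # Constructed worst case within the 2K limit the message mentions: spaces
    # that never end in '#' or end-of-line. The old pattern re-splits the run
    # between its two \s* at every length (quadratic); the new one walks it once.
    evil = " " * 2000 + "x"
    print("old difflib regex: %.6fs" % match_seconds(OLD_LINE_JUNK, evil))
    print("new difflib regex: %.6fs" % match_seconds(NEW_LINE_JUNK, evil))
```

The difflib change is the cleaner illustration of the fix: the old pattern has two `\s*` quantifiers separated only by an optional character, so on a line of spaces that does not end the engine tries every split between them before failing; nesting the second `\s*` behind a mandatory `#` removes that ambiguity while matching exactly the same set of lines. The absolute times printed depend on the machine, which is why the check that matters is the empty disagreement list, not the timings.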
1 parent bd92cfe
Tip revision: c9516754067d71fd7429a25ccfcb2141fc583523 authored by Benjamin Peterson on 04 March 2018, 06:59:12 UTC
[3.6] bpo-32981: Fix catastrophic backtracking vulns (GH-5955)
.gitattributes
# Binary data types
*.aif binary
*.aifc binary
*.aiff binary
*.au binary
*.bmp binary
*.exe binary
*.icns binary
*.gif binary
*.ico binary
*.jpg binary
*.pck binary
*.png binary
*.psd binary
*.tar binary
*.wav binary
*.whl binary
*.zip binary
# Specific binary files
Lib/test/sndhdrdata/sndhdr.* binary
# Text files that should not be subject to eol conversion
Lib/test/cjkencodings/* -text
Lib/test/decimaltestdata/*.decTest -text
Lib/test/test_email/data/*.txt -text
Lib/test/xmltestdata/* -text
Lib/test/coding20731.py -text
# Special files in third party code
Modules/zlib/zlib.map -text
# CRLF files
*.bat text eol=crlf
*.ps1 text eol=crlf
*.sln text eol=crlf
*.vcxproj* text eol=crlf
*.props text eol=crlf
*.proj text eol=crlf
PCbuild/readme.txt text eol=crlf
PC/readme.txt text eol=crlf