fix http.cookies: replace backtracking regex with linear-time pattern to prevent ReDoS #149042
Closed
AmSach wants to merge 3 commits into python:main from
…-delete bug (pythongh-149015) When multiple breakpoints share the same (filename, line), iterating the list directly while calling deleteMe() (which removes from the same list) causes the loop to skip alternate elements, leaving floor(N/2) orphan breakpoints. The fix (for bp in blist: → for bp in blist[:]:) matches the existing defensive pattern already used in clear_break() in the same file. Added regression test test_clear_all_file_breaks_with_multiple_bps_same_line.
…time pattern to prevent ReDoS (closes pythongh-149028)
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the
Contributor
KowalskiThomas
left a comment
FYI, I don't think we should make a fix PR until we have converged to an accepted fix on the original issue.
Member
Don't open PRs when we didn't reach a consensus. And read the devguide please, especially https://devguide.python.org/getting-started/generative-ai/.
Fixes #149028
Summary
Security fix: Replace the vulnerable regex pattern in SimpleCookie parsing that allowed ReDoS (Regular Expression Denial of Service) attacks.
The Problem
The original regex:
This caused exponential backtracking on adversarial cookie payloads. A crafted cookie payload could cause parsing to take 16+ seconds (see issue for full reproducer).
The Fix
Replaced with a linear-time pattern:
This matches any sequence of non-quote, non-backslash characters — no backtracking, no exponential behavior.
Impact
Testing
The original issue's reproducer was used to confirm the fix works before and after the change.
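As an added example (not the PR's own diff, which is not shown on this page, and not a test from CPython), the following shows the kind of regression check a reviewer would want around a ReDoS fix: the parse must produce the expected value and finish inside a wall-clock budget on a long, well-formed quoted value and on an unterminated quote, the failure case where a backtracking pattern does the most work. `QUOTED_VALUE` is an assumed reconstruction of the pattern from the one-sentence description above (a double-quoted run of characters that are neither a double quote nor a backslash); the sample headers are constructed.

```python
import re
import time
from http.cookies import SimpleCookie

# Assumed reconstruction of the linear-time quoted-value pattern described in
# the PR text (not the PR's own diff): a double quote, any run of characters
# that are neither a double quote nor a backslash, and a closing double quote.
# There is no nested quantifier, so the engine has exactly one way to consume
# each character and the work stays proportional to the input length.
QUOTED_VALUE = re.compile(r'"[^"\\]*"')


def is_quoted_value(text):
    """True if the whole of text is a quoted value under the reconstructed pattern."""
    return QUOTED_VALUE.fullmatch(text) is not None


def timed_cookie_parse(header):
    """Parse one Cookie header with SimpleCookie and report (values, seconds).

    values maps cookie name -> decoded value, so a check can confirm both that
    the parser produced the right result and that it did so within budget.
    """
    cookie = SimpleCookie()
    start = time.perf_counter()
    cookie.load(header)
    elapsed = time.perf_counter() - start
    return {name: morsel.value for name, morsel in cookie.items()}, elapsed


def within_budget(header, budget_seconds=2.0):
    """Regression check: parsing must finish inside budget_seconds.

    Returns (ok, values, seconds). A reintroduced backtracking pattern shows up
    as a budget miss on inputs like these long before it corrupts any value.
    """
    values, elapsed = timed_cookie_parse(header)
    return elapsed <= budget_seconds, values, elapsed


# Constructed inputs: a long but well-formed quoted value (the benign case a
# linear pattern must still handle quickly) and the same value with the closing
# quote missing, which forces the quoted-string alternative to fail.
LONG_QUOTED = 'session="' + "x" * 100_000 + '"'
UNTERMINATED = 'session="' + "x" * 100_000


if __name__ == "__main__":
    for header in (LONG_QUOTED, UNTERMINATED):
        ok, values, seconds = within_budget(header)
        print(f"{len(header):>7} chars  {seconds * 1000:8.2f} ms  "
              f"within budget: {ok}  parsed names: {sorted(values)}")
```

The budget is deliberately generous (seconds, not milliseconds) so the check fails only on the exponential behaviour the PR describes, not on a slow CI runner; the value comparison guards against a "fix" that is fast because it stopped parsing.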