Commit55d5bfb

davisjam

authored and

benjaminp

committed

[2.7] closes bpo-32997: Fix REDOS in fpformat (pythonGH-5984)

The regex to decode a number in fpformat is susceptible to catastrophic backtracking. This is a potential DOS vector if a server is using fpformat on untrusted number strings.Replace it with an equivalent non-vulnerable regex. The match behavior of the new regex is slightly different. It captures the whole integer part of the number in one group, Leading zeros are stripped off later.

1 parente052d40 commit55d5bfbCopy full SHA for 55d5bfb

File tree

3 files changed

+16

-1

lines changed

Lib
- fpformat.py
- test
  - test_fpformat.py
Misc/NEWS.d/next/Security
- 2018-03-05-10-14-42.bpo-32997.hp2s8n.rst

3 files changed

+16

-1

lines changed

`‎Lib/fpformat.py‎`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@`
`19`	`19`	`__all__= ["fix","sci","NotANumber"]`
`20`	`20`
`21`	`21`	`# Compiled regular expression to "decode" a number`
`22`		`-decoder=re.compile(r'^([-+]?)0(\d)((?:\.\d*)?)(([eE][-+]?\d+)?)$')`
	`22`	`+decoder=re.compile(r'^([-+]?)(\d)((?:\.\d)?)(([eE][-+]?\d+)?)$')`
`23`	`23`	`# \0 the whole thing`
`24`	`24`	`# \1 leading sign or empty`
`25`	`25`	`# \2 digits left of decimal point`
`@@ -41,6 +41,7 @@ def extract(s):`
`41`	`41`	`res=decoder.match(s)`
`42`	`42`	`ifresisNone:raiseNotANumber,s`
`43`	`43`	`sign,intpart,fraction,exppart=res.group(1,2,3,4)`
	`44`	`+intpart=intpart.lstrip('0');`
`44`	`45`	`ifsign=='+':sign=''`
`45`	`46`	`iffraction:fraction=fraction[1:]`
`46`	`47`	`ifexppart:expo=int(exppart[1:])`

`‎Lib/test/test_fpformat.py‎`

Lines changed: 10 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,16 @@ def test_failing_values(self):`
`67`	`67`	`else:`
`68`	`68`	`self.fail("No exception on non-numeric sci")`
`69`	`69`
	`70`	`+deftest_REDOS(self):`
	`71`	`+# This attack string will hang on the old decoder pattern.`
	`72`	`+attack='+0'+ ('0'*1000000)+'++'`
	`73`	`+digs=5# irrelevant`
	`74`	`+`
	`75`	`+# fix returns input if it does not decode`
	`76`	`+self.assertEqual(fpformat.fix(attack,digs),attack)`
	`77`	`+# sci raises NotANumber`
	`78`	`+withself.assertRaises(NotANumber):`
	`79`	`+fpformat.sci(attack,digs)`
`70`	`80`
`71`	`81`	`deftest_main():`
`72`	`82`	`run_unittest(FpformatTest)`

`‎Misc/NEWS.d/next/Security/2018-03-05-10-14-42.bpo-32997.hp2s8n.rst‎`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,4 @@`
	`1`	`+A regex in fpformat was vulnerable to catastrophic backtracking. This regex`
	`2`	`+was a potential DOS vector (REDOS). Based on typical uses of fpformat the`
	`3`	`+risk seems low. The regex has been refactored and is now safe. Patch by`
	`4`	`+Jamie Davis.`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit55d5bfb

File tree

3 files changed

3 files changed

`‎Lib/fpformat.py‎`

`‎Lib/test/test_fpformat.py‎`

`‎Misc/NEWS.d/next/Security/2018-03-05-10-14-42.bpo-32997.hp2s8n.rst‎`

0 commit comments