NotificationsYou must be signed in to change notification settings
Fork33.4k
Star69.8k

Commit87d3daa

committed

bpo-32997: Fix REDOS in fpformat

The regex to decode a number in fpformat is susceptible tocatastrophic backtracking.This is a potential DOS vector if a server is using fpformat onuntrusted number strings.Replace it with an equivalent non-vulnerable regex.The match behavior of the new regex is slightly different.This difference is addressed with a follow-up check.

1 parent8a7f1f4 commit87d3daaCopy full SHA for 87d3daa

File tree

3 files changed

+17

-1

lines changed

Lib
- fpformat.py
- test
  - test_fpformat.py
Misc/NEWS.d/next/Security
- 2018-03-05-10-14-42.bpo-32997.hp2s8n.rst

3 files changed

+17

-1

lines changed

`‎Lib/fpformat.py‎`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@`
`19`	`19`	`__all__= ["fix","sci","NotANumber"]`
`20`	`20`
`21`	`21`	`# Compiled regular expression to "decode" a number`
`22`		`-decoder=re.compile(r'^([-+]?)0(\d)((?:\.\d*)?)(([eE][-+]?\d+)?)$')`
	`22`	`+decoder=re.compile(r'^([-+]?)0([1-9]\d)?((?:\.\d*)?)(([eE][-+]?\d+)?)$')`
`23`	`23`	`# \0 the whole thing`
`24`	`24`	`# \1 leading sign or empty`
`25`	`25`	`# \2 digits left of decimal point`
`@@ -41,6 +41,8 @@ def extract(s):`
`41`	`41`	`res=decoder.match(s)`
`42`	`42`	`ifresisNone:raiseNotANumber,s`
`43`	`43`	`sign,intpart,fraction,exppart=res.group(1,2,3,4)`
	`44`	`+ifintpartisNone:# ([1-9]\d*)? may match nothing`
	`45`	`+intpart=''`
`44`	`46`	`ifsign=='+':sign=''`
`45`	`47`	`iffraction:fraction=fraction[1:]`
`46`	`48`	`ifexppart:expo=int(exppart[1:])`

`‎Lib/test/test_fpformat.py‎`

Lines changed: 10 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,16 @@ def test_failing_values(self):`
`67`	`67`	`else:`
`68`	`68`	`self.fail("No exception on non-numeric sci")`
`69`	`69`
	`70`	`+deftest_REDOS(self):`
	`71`	`+# This attack string will hang on the old decoder pattern.`
	`72`	`+attack='+0'+ ('0'*1000000)+'++'`
	`73`	`+digs=5# irrelevant`
	`74`	`+`
	`75`	`+# fix returns input if it does not decode`
	`76`	`+self.assertEqual(fpformat.fix(attack,digs),attack)`
	`77`	`+# sci raises NotANumber`
	`78`	`+withself.assertRaises(NotANumber):`
	`79`	`+fpformat.sci(attack,digs)`
`70`	`80`
`71`	`81`	`deftest_main():`
`72`	`82`	`run_unittest(FpformatTest)`

`‎Misc/NEWS.d/next/Security/2018-03-05-10-14-42.bpo-32997.hp2s8n.rst‎`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,4 @@`
	`1`	`+A regex in fpformat was vulnerable to catastrophic backtracking. This regex`
	`2`	`+was a potential DOS vector (REDOS). Based on typical uses of fpformat the`
	`3`	`+risk seems low. The regex has been refactored and is now safe. Patch by`
	`4`	`+Jamie Davis.`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit87d3daa

File tree

3 files changed

3 files changed

`‎Lib/fpformat.py‎`

`‎Lib/test/test_fpformat.py‎`

`‎Misc/NEWS.d/next/Security/2018-03-05-10-14-42.bpo-32997.hp2s8n.rst‎`

0 commit comments