Bug report
Bug description:
Description
A potential Denial of Service (DoS) vulnerability, identified as CVE-2024-7592, has been discovered in the _unquote() function of the http.cookies module in Python's standard library. It is particularly concerning because frameworks that rely on this function to parse cookie headers, including Django, inherit the problem.
Vulnerable Code
The _unquote() function applies the regular expressions _OctalPatt and _QuotePatt inside a while loop that walks the quoted cookie value. On every iteration both patterns are searched again from the current offset i. When the value contains many backslash-escaped characters (such as \a) but no octal escapes, _OctalPatt.search() scans all the way to the end of the string on every iteration without matching, so the total work grows quadratically with the length of the value (the linked fix describes it as quadratic complexity). This is not catastrophic backtracking inside a single regex, as in a classic Regular Expression Denial of Service (ReDoS), but repeated rescanning; the practical effect is the same: a cheap request burns disproportionate server CPU.
```python
# http/cookies.py (pre-fix)
import re

_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
_QuotePatt = re.compile(r"[\\].")

def _unquote(str):
    # ... (code omitted for brevity)
    while 0 <= i < n:
        # Both searches restart from i on every iteration; the octal search
        # runs to the end of the string whenever no octal escape follows.
        o_match = _OctalPatt.search(str, i)
        q_match = _QuotePatt.search(str, i)
        # ... (further processing)
```
Impact
This vulnerability has also been verified in the Django framework, where the parse_cookie() function uses this method to process incoming Cookie headers. It could be exploited by sending specially crafted cookie values to trigger significant delays:
- Cookie sizes of 8000+ bytes caused delays of approximately 0.15 seconds per HTTP request.
- Cookie sizes of 20000+ bytes resulted in delays of about 1 second per request.
While many environments limit HTTP request header sizes, the specific limits vary by server and configuration, and in some deployments a cookie of this size is accepted. Before concluding the path is unreachable, check the effective header-size limit at the edge (reverse proxy or load balancer) as well as in the application server, since the most permissive hop in front of the Python process decides what reaches _unquote().
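To make the rescanning and the crafted-cookie impact concrete, the following is an added example and not code from the CPython issue, from the linked PRs or from Django. The pre-fix loop is reproduced from CPython's Lib/http/cookies.py as it stood before the fix; the hardened version follows the single-pass substitution approach of the linked fix. The names unquote_vulnerable, unquote_fixed, malicious_cookie_value and benchmark are this example's own, and the cookie payload is constructed here; absolute timings depend on the machine.

```python
import re
import time

# Pre-fix http.cookies._unquote(), reproduced from CPython's Lib/http/cookies.py
# before GH-123075. Each loop iteration re-runs both searches from offset i;
# with many "\x" escapes and no octal escapes, _OctalPatt.search() scans to the
# end of the string every time, so total work is quadratic in the value length.
_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
_QuotePatt = re.compile(r"[\\].")


def unquote_vulnerable(value):
    if value is None or len(value) < 2:
        return value
    if value[0] != '"' or value[-1] != '"':
        return value
    value = value[1:-1]          # strip the surrounding double quotes
    i = 0
    n = len(value)
    res = []
    while 0 <= i < n:
        o_match = _OctalPatt.search(value, i)   # full rescan when no octal escape follows
        q_match = _QuotePatt.search(value, i)
        if not o_match and not q_match:
            res.append(value[i:])
            break
        j = k = -1
        if o_match:
            j = o_match.start(0)
        if q_match:
            k = q_match.start(0)
        if q_match and (not o_match or k < j):  # "\x" escape comes first
            res.append(value[i:k])
            res.append(value[k + 1])
            i = k + 2
        else:                                   # "\ooo" octal escape comes first
            res.append(value[i:j])
            res.append(chr(int(value[j + 1:j + 4], 8)))
            i = j + 4
    return "".join(res)


# Hardened form in the spirit of the linked fix: a single regex pass whose
# alternation tries the octal escape first, then any other escaped character,
# so the value is scanned exactly once and the cost is linear.
_unquote_re = re.compile(r"\\(?:([0-3][0-7][0-7])|(.))")


def _unquote_replace(m):
    if m[1]:
        return chr(int(m[1], 8))
    return m[2]


def unquote_fixed(value):
    if value is None or len(value) < 2:
        return value
    if value[0] != '"' or value[-1] != '"':
        return value
    return _unquote_re.sub(_unquote_replace, value[1:-1])


def malicious_cookie_value(n_escapes):
    # Constructed payload (this example's own): a quoted value made of n_escapes
    # "\a" pairs and no octal escapes, the shape that drives the pre-fix loop
    # into its quadratic path. Both decoders must return "a" * n_escapes.
    return '"' + "\\a" * n_escapes + '"'


def benchmark(n_escapes):
    """Return (vulnerable_seconds, fixed_seconds) for one decode of the payload."""
    payload = malicious_cookie_value(n_escapes)
    t0 = time.perf_counter()
    unquote_vulnerable(payload)
    t1 = time.perf_counter()
    unquote_fixed(payload)
    t2 = time.perf_counter()
    return t1 - t0, t2 - t1


if __name__ == "__main__":
    # 10000 escapes is a ~20 kB cookie value, the size the report pairs with
    # roughly one second per request on the pre-fix code.
    for n in (1000, 4000, 10000):
        slow, fast = benchmark(n)
        print(f"{n:6d} escapes: pre-fix {slow:.4f}s  fixed {fast:.4f}s")
```

Running the module prints the two timings side by side; the pre-fix column grows roughly with the square of the escape count while the fixed column stays near zero. The same payload sent as a Cookie header exercises the identical code path through http.cookies.SimpleCookie and, per the report, through Django's parse_cookie().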
CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux
Linked PRs
- gh-123067: Denial of Service Vulnerability in http.cookies._unquote() #123066
- gh-123067: Fix quadratic complexity in parsing cookies with backslashes #123075
- [3.13] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123103
- [3.12] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123104
- [3.11] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123105
- [3.10] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123106
- [3.9] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123107
- [3.8] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123108