Closed
Description
Bug report
Originally reported to the security address on September 9.
```python
('xn--016c'+'a'*5000).encode('utf-8').decode('idna')
```
The execution time is not linear in relation to the input string size, which can cause slowness with large inputs:
10 chars = 0.016 seconds
100 chars = 0.047 seconds
1000 chars = 2.883 seconds
2500 chars = 17.724 seconds
5000 chars = 1 min 10 seconds
Comment by @tiran:
According to spec https://unicode.org/reports/tr46/ an IDNA label must not be longer than 63 characters. Python's idna module enforces the restriction, but too late.
This may be abused in some cases, for example by passing a crafted host name to asyncio create_connection:
```python
import asyncio

async def main():
    loop = asyncio.get_running_loop()
    await loop.create_connection(
        lambda: [], ('xn--016c' + 'a' * 5000).encode('utf-8'), 443
    )

asyncio.run(main())
```
Your environment
- CPython versions tested on: CPython repository 'main' branch checkout, version 3.8.12, version 2.7.18
- Operating system and architecture: Ubuntu Linux x64
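A caller-side guard that applies the 63-character label limit before the codec runs, as an added example (not part of the original report and not CPython's own fix). The names `safe_idna_decode`, `triage` and `HostnameRejected`, and the 253-byte whole-name limit, are assumptions introduced here.

```python
MAX_LABEL_LEN = 63    # per-label limit cited in the report (UTS #46)
MAX_NAME_LEN = 253    # assumption: usual DNS limit for a full textual name


class HostnameRejected(ValueError):
    """Raised before any IDNA decoding is attempted."""


def safe_idna_decode(raw: bytes) -> str:
    """Decode an ACE-encoded host name, enforcing length limits first.

    The checks are O(n) over the raw bytes, so an oversized label never
    reaches the codec's slow path described in the report.
    """
    name = raw[:-1] if raw.endswith(b".") else raw   # tolerate one trailing dot
    if len(name) > MAX_NAME_LEN:
        raise HostnameRejected(f"name is {len(name)} bytes, limit {MAX_NAME_LEN}")
    for index, label in enumerate(name.split(b".")):
        if len(label) > MAX_LABEL_LEN:
            raise HostnameRejected(
                f"label {index} is {len(label)} bytes, limit {MAX_LABEL_LEN}")
    return raw.decode("idna")


def triage(hosts):
    """Split untrusted host names into decoded and rejected, never raising."""
    accepted, rejected = {}, {}
    for raw in hosts:
        try:
            accepted[raw] = safe_idna_decode(raw)
        except (HostnameRejected, UnicodeError) as exc:
            rejected[raw] = type(exc).__name__
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample inputs; the last one is the string from the report.
    samples = [
        b"xn--bcher-kva.example",
        b"a" * 63 + b".example",
        b"a" * 64 + b".example",
        b"xn--016c" + b"a" * 5000,
    ]
    ok, bad = triage(samples)
    for raw, text in ok.items():
        print("accepted", text)
    for raw, reason in bad.items():
        print("rejected", raw[:16], len(raw), reason)
```

Run the guard on any untrusted bytes host name before passing it to an API that decodes it with the `idna` codec.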