gh-123067: Denial of Service Vulnerability in http.cookies._unquote() #123066
Conversation
ghost commented Aug 16, 2024 • edited by ghost
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the
ch4n3-yoon commented Aug 16, 2024
Oh, I'm sorry for forgetting to create an issue.
sethmlarson commented Aug 16, 2024
@ch4n3-yoon Can you create a news entry for this change with blurb?
| j=o_match.start(0) | ||
| ifq_match: | ||
| k=q_match.start(0) | ||
| ifq_matchand (noto_matchork<j):# QuotePatt matched |
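Review bot: the trailing comment `# QuotePatt matched` on the last visible line understates the condition; `q_match and (not o_match or k < j)` takes that branch only when the quote escape starts before the octal escape (or there is no octal escape at all), so `# QuotePatt matched first` would describe the branch accurately and make the `k < j` ordering check easier to follow.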
This appears to be removing all backslashes from the cookie, where the new behavior is only removing backslashes in front of quotes. Is that what we're expecting to change with this PR?
From reading the RFC, I think we should preserve the original behavior of unquoting all single characters preceded by a backslash. If you agree, can we add a test case that ensures this behavior is preserved?
serhiy-storchaka left a comment
_quote() can produce not only `\"`, but also `\\`.
Both octal encoding and simple backslash-escaping should be handled in the same pass. Your code produces an incorrect value for `\134\042`.
I created an alternative PR #123075 which handles such cases correctly and has some tests.
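A single-pass decoder illustrating the two review points above (decode octal escapes and backslash-escaped single characters in the same scan, and keep unquoting every backslash-escaped character), beside a deliberately split two-pass variant that shows why `\134\042` comes out wrong when the passes are separated. This is an added example, not code from this PR or from CPython's http.cookies; the function names and the constructed inputs are mine.

```python
import re

# One combined pattern: either a three-digit octal escape (\ooo, first digit
# 0-3 so the value fits in a byte) or a backslash followed by any one
# character. re.sub scans the body once, left to right, so every escape is
# decoded exactly once and the work is linear in the length of the value.
_ESCAPE_RE = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))')


def _decode_escape(match):
    """Turn one matched escape sequence into the character it encodes."""
    octal, char = match.group(1), match.group(2)
    if octal is not None:
        return chr(int(octal, 8))
    return char  # backslash-escaped single character, e.g. \" or \\


def unquote_single_pass(value):
    r"""Strip surrounding double quotes and decode escapes in one pass.

    Values without a leading and trailing '"' are returned unchanged,
    matching the convention that only quoted cookie values carry escapes.
    """
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        return value
    return _ESCAPE_RE.sub(_decode_escape, value[1:-1])


def unquote_two_pass(value):
    r"""Deliberately split variant, kept only to show why it is wrong.

    Octal escapes are decoded first, then backslash escapes. The backslash
    produced by the first pass from \134 is re-read as an escape character
    by the second pass, so \134\042 collapses to a bare quote instead of \".
    """
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        return value
    body = value[1:-1]
    body = re.sub(r'\\([0-3][0-7][0-7])',
                  lambda m: chr(int(m.group(1), 8)), body)
    body = re.sub(r'\\(.)', r'\1', body)
    return body


if __name__ == "__main__":
    # Constructed sample: the value cited in the review, as it appears on the wire.
    wire = '"\\134\\042"'
    print(repr(unquote_single_pass(wire)))  # '\\"'  (backslash, then quote)
    print(repr(unquote_two_pass(wire)))     # '"'    (the backslash is lost)
```

The combined alternation is what makes the ordering question moot: whichever escape begins first is the one the regex engine reaches first, so no position comparison between two separate searches is needed, and a backslash that was itself produced by decoding is never re-examined.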
picnixz commented Aug 17, 2024
Closing since #123075 was considered instead.
Summary
Refactor and improve the _unquote() method in http.cookies to address the performance issues identified in CVE-2024-7592, enhancing the handling of escape sequences to prevent potential DoS vulnerabilities.
Changes
Context
This update comes after the Django team acknowledged the potential for a DoS vulnerability within their use of the http.cookies module. The vulnerability has been formally reserved as CVE-2024-7592.
Please review these changes and provide your feedback.