[3.11] gh-98433: Fix quadratic time idna decoding. (GH-99092) #99222


Merged
gpshead merged 3 commits into python:3.11 from miss-islington:backport-d315722-3.11
Nov 8, 2022

@miss-islington (Contributor) commented Nov 8, 2022, edited by gpshead

There was an unnecessary quadratic loop in idna decoding. This restores
the behavior to linear.

(cherry picked from commit d315722)

Co-authored-by: Gregory P. Smith <greg@krypto.org>

There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear.

This also adds an early length check in IDNA decoding to outright reject huge inputs early on given the ultimate result is defined to be 63 or fewer characters.

(cherry picked from commit d315722)

Co-authored-by: Gregory P. Smith <greg@krypto.org>

While I don't think anyone should have reasonable code depending on unbounded strings full of Nothing characters to silently be removed during idna decoding... this is the conservative choice for a bugfix backport.

@gpshead (Member)

I went with the conservative choice of not adding the upfront length check in the backports. The quadratic algorithm fix remains.

Manually inspecting Lib/encoding/punycode.py codec implementation, that looked to me like an O(NlogN) algorithm at worst for decoding, so not really a denial of service concern itself. If anyone disagrees, feel free to open a new issue with a demonstration.
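
The commit message above mentions an early length check that, per this comment, was left out of the backports. As an added example (not CPython's code and not part of this thread), here is an application-side guard that bounds hostname size before calling the `idna` codec; the function names and the caps `MAX_RAW_LABEL` and `MAX_RAW_NAME` are assumptions chosen for illustration.

```python
import re

# Assumed caps for this example (not values taken from CPython). They sit well
# above the 63-character result limit because "map to nothing" characters are
# stripped during IDNA processing, so a valid raw label can be longer than 63.
MAX_RAW_LABEL = 256
MAX_RAW_NAME = 1024

# Label separators the idna codec splits on when encoding.
_DOTS = re.compile("[\u002e\u3002\uff0e\uff61]")


class HostnameRejected(ValueError):
    """Raised before any IDNA work is done on an oversized name."""


def _check(labels, total):
    # Plain length comparisons: linear in the input, no per-character tables.
    if total > MAX_RAW_NAME:
        raise HostnameRejected(f"name length {total} exceeds {MAX_RAW_NAME}")
    for label in labels:
        if len(label) > MAX_RAW_LABEL:
            raise HostnameRejected(f"label length {len(label)} exceeds {MAX_RAW_LABEL}")


def bounded_idna_encode(host: str) -> bytes:
    """Unicode hostname to ASCII form, size checks first."""
    _check(_DOTS.split(host), len(host))
    return host.encode("idna")


def bounded_idna_decode(raw: bytes) -> str:
    """ASCII (possibly xn--) hostname to Unicode, same checks first."""
    _check(raw.split(b"."), len(raw))
    return raw.decode("idna")


# Constructed inputs. U+00AD (soft hyphen) is a "map to nothing" character, so
# PADDED's 102-character first label is valid; a flat 63 cap would refuse it.
PADDED = "a" + "\u00ad" * 100 + "b.example"
OVERSIZED = "a" + "\u00ad" * 5000 + "b.example"

if __name__ == "__main__":
    print(bounded_idna_encode(PADDED))
    print(bounded_idna_decode(b"xn--mnchen-3ya.example"))
    try:
        bounded_idna_encode(OVERSIZED)
    except HostnameRejected as exc:
        print("rejected:", exc)
```
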

@gpshead (Member)

I'm using the no-not-merge label to prevent automerge so I can manually edit the commit message.

gpshead self-assigned this Nov 8, 2022
gpshead merged commit a6f6c3a into python:3.11 Nov 8, 2022

@miss-islington (Contributor, Author)

Thanks @miss-islington for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.7, 3.8, 3.9, 3.10.
🐍🍒⛏🤖

miss-islington deleted the backport-d315722-3.11 branch November 8, 2022 02:57

@bedevere-bot

GH-99229 is a backport of this pull request to the 3.10 branch.

bedevere-bot removed the needs backport to 3.10 (only security fixes) label Nov 8, 2022

@bedevere-bot

GH-99230 is a backport of this pull request to the 3.9 branch.

bedevere-bot removed the needs backport to 3.9 (only security fixes) label Nov 8, 2022

miss-islington added a commit to miss-islington/cpython that referenced this pull request Nov 8, 2022

) (pythonGH-99222)

There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear.

(cherry picked from commit d315722)
(cherry picked from commit a6f6c3a)

Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>

@bedevere-bot

GH-99231 is a backport of this pull request to the 3.8 branch.

@bedevere-bot

GH-99232 is a backport of this pull request to the 3.7 branch.

miss-islington added a commit that referenced this pull request Nov 8, 2022

There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear.

(cherry picked from commit d315722)
(cherry picked from commit a6f6c3a)

Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>

ambv pushed a commit that referenced this pull request Nov 10, 2022

… (GH-99231)

There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear.

(cherry picked from commit d315722)
(cherry picked from commit a6f6c3a)

Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>

ambv pushed a commit that referenced this pull request Nov 10, 2022

… (#99230)

There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear.

(cherry picked from commit d315722)
(cherry picked from commit a6f6c3a)

Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>

Reviewers: gpshead approved these changes

Assignees: gpshead

Labels: type-bug (An unexpected behavior, bug, or error), type-security (A security issue)