-
-
Notifications
You must be signed in to change notification settings - Fork 32.4k
Description
Bug report
Update
Now, based on the specific location where the problem code appears, it has been re-split into five issues.
- IDLE: Performance issue processing config-extensions.def #136061
- Potential Quadratic Complexity Vulnerabilities in the
email
Module #136063 - Potential Quadratic Complexity Vulnerabilities in
path
Modules #136065 - Un-necessary loglinear complexity in
platform._platform
#136066 - Possible resource exhaustation of
expandvars
inTools/freeze/checkextensions.py
#136073
Bug description:
We have identified a series of simple quadratic complexity vulnerabilities. After confirmation by CPython's security team, since these DOS vulnerabilities pose a low threat and are relatively tedious to exploit, we can directly initiate requests in issues to seek assistance from the community for fixes.
Below are the specific locations of the different complexity issues we discovered.
1.
Line 290 in f49a07b
def expandvars(path): |
2.
Line 73 in 5ab66a8
def _parseparam(s): |
3.
Line 1206 in 5ab66a8
while methodname[:1] == '<': |
4.
cpython/Lib/email/_header_value_parser.py
Line 1424 in 5ab66a8
def get_phrase(value): |
5.
cpython/Lib/email/_header_value_parser.py
Line 1506 in 5ab66a8
while value and (value[0]=='\\' or value[0] not in PHRASE_ENDS): |
6.
cpython/Lib/email/_header_value_parser.py
Line 1688 in 5ab66a8
value = value[1:] |
7.
cpython/Lib/email/_header_value_parser.py
Line 1697 in 5ab66a8
value = value[1:] |
8.
cpython/Lib/email/_header_value_parser.py
Line 1847 in 5ab66a8
value = value[1:] |
9.
cpython/Lib/email/_header_value_parser.py
Line 2200 in 5ab66a8
value = value[1:] |
10.
cpython/Lib/email/_header_value_parser.py
Line 2231 in 5ab66a8
value = value[1:] |
11.
cpython/Lib/email/_header_value_parser.py
Line 2260 in 5ab66a8
value = value[1:] |
12.
cpython/Lib/email/_header_value_parser.py
Line 2411 in 5ab66a8
value = value[1:] |
13.
cpython/Lib/email/_header_value_parser.py
Line 2570 in 5ab66a8
value = value[1:] |
14.
cpython/Lib/email/_header_value_parser.py
Line 2642 in 5ab66a8
value = value[1:] |
15.
cpython/Lib/email/_header_value_parser.py
Line 2762 in 5ab66a8
value = value[1:] |
16.
cpython/Lib/email/_header_value_parser.py
Line 2965 in 5ab66a8
to_encode = to_encode[1:] |
17.
cpython/Tools/freeze/checkextensions.py
Line 72 in e64395e
def expandvars(str, vars): |
18.
Line 403 in cb8a72b
def expandvars(path): |
19.
Line 1373 in 5ab66a8
while True: |
20.
Line 1454 in 98a5b83
while line and line[-1] in " \t": |
21.
Line 642 in 98a5b83
while platform and platform[-1] == '-': |
Current repair status:
03/19 has been fixed. @johnzhou721
1 has been fixed. @Wulian233
2/4/5/6/7/8/9/10/11/12/13/14/15/16 has been fixed. @picnixz
1/18 has been fixed. @serhiy-storchaka
CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux
Credits
Finder is kexinoh (Xiangfan Wu) from QI-ANXIN Technology Research Institute.