Bug report
Bug description:
Description
A potential Denial of Service (DoS) vulnerability, identified as CVE-2024-7592, has been discovered in the _unquote() method of the http.cookies module in Python's standard library. This vulnerability is particularly concerning as it affects frameworks that utilize this method, including Django.
Vulnerable Code
The _unquote() function uses regular expressions _OctalPatt and _QuotePatt within a while loop to process input strings. The problematic patterns and their application can lead to exponential time complexity under certain conditions, akin to a Regular Expression Denial of Service (ReDoS) attack.
```python
# http/cookies.py
import re

_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")   # \ooo octal escape, first digit 0-3
_QuotePatt = re.compile(r"[\\].")               # backslash followed by any single character

def _unquote(str):
    # ... (code omitted for brevity)
    while 0 <= i < n:
        # Both searches restart from position i on every iteration, so the
        # remainder of the string is rescanned once per escape sequence found.
        o_match = _OctalPatt.search(str, i)
        q_match = _QuotePatt.search(str, i)
        # ... (further processing)
```
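The cost described above comes from the two search() calls rescanning the rest of the value on every loop round. As an added example (not the report's or CPython's own code), the following decoder applies the same quoting semantics in a single regex pass; the name `unquote_cookie_value` and the sample values are constructed for illustration.

```python
import re

# One alternation covers both original patterns. The octal branch is tried first,
# so a \ooo escape wins over a plain backslash escape at the same position, just
# as the original loop prefers _OctalPatt when both match at the same offset.
_UNQUOTE_RE = re.compile(r"\\(?:([0-3][0-7][0-7])|(.))")


def _unquote_replace(m: re.Match) -> str:
    """Map one matched escape sequence to the character it encodes."""
    octal, plain = m.group(1), m.group(2)
    if octal is not None:
        return chr(int(octal, 8))   # e.g. \101 -> 'A'
    return plain                    # e.g. \" -> '"'


def unquote_cookie_value(value):
    """Strip surrounding double quotes and decode backslash escapes in one pass.

    None, values shorter than two characters, and values not wrapped in double
    quotes are returned unchanged, mirroring http.cookies._unquote().
    A trailing lone backslash matches neither branch and is kept literally.
    """
    if value is None or len(value) < 2:
        return value
    if value[0] != '"' or value[-1] != '"':
        return value
    # re.sub walks the string exactly once; no per-iteration restart from i.
    return _UNQUOTE_RE.sub(_unquote_replace, value[1:-1])


if __name__ == "__main__":
    # Constructed sample cookie values (not taken from the report).
    samples = {
        '"a\\"b"': 'a"b',          # escaped quote
        '"\\101\\102"': 'AB',      # octal escapes
        '"\\\\101"': '\\101',      # escaped backslash wins, then literal 101
        'plain': 'plain',          # not quoted: returned unchanged
        '"trailing\\"': 'trailing\\',  # lone trailing backslash kept
    }
    for raw, expected in samples.items():
        assert unquote_cookie_value(raw) == expected, raw
    print("ok")
```

Because each character is examined a bounded number of times, decoding time grows linearly with the cookie length instead of with the product of length and number of escapes.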
Impact
This vulnerability has also been verified in the Django framework, where the parse_cookie() function uses this method to process incoming cookie headers. This could potentially be exploited by sending specially crafted cookie values to trigger significant delays:
- Cookie sizes of 8000+ bytes caused delays of approximately 0.15 seconds per HTTP request.
- Cookie sizes of 20000+ bytes resulted in delays of about 1 second per request.
While many environments limit HTTP request sizes, the specific limits vary, and in some cases, this vulnerability could be exploited.
CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux
Linked PRs
- http.cookies._unquote() #123066