Hi

Reverted the decision that it is minor. Instead added python to dla needed.

// Ola

On Mon, 3 Feb 2020 at 11:30, Ola Lundqvist <[email protected]> wrote:
> Hi Ben
>
> Thank you. I realize that I misunderstood things. It is the server side
> that sends this string, not the user on the client side. I'll adjust my
> analysis accordingly.
> This means that a malicious server can cause a DoS on the client side.
>
> Best regards
>
> // Ola
>
> On Sun, 2 Feb 2020 at 23:55, Ben Hutchings <[email protected]> wrote:
>
>> On Fri, 2020-01-31 at 21:18 +0100, Ola Lundqvist wrote:
>> > Hi fellow LTS development team
>> >
>> > I'm not sure how to handle CVE-2020-8492. It is a client side vulnerability
>> > and what it can cause is a CPU load issue (on the client side as I
>> > understand). I can not really see how it can be exploited in any normal
>> > client. Sure, if the attacker creates new python code it can, but then it
>> > can do that anyway because an infinite loop is quite easy to do in any
>> > python code.
>>
>> I don't know for sure, but I think the test case given in the upstream
>> issue exercises part of the normal response handling. I think it shows
>> what happens if a server sends a response with the header field:
>>
>> www-authenticate: Basic
>> ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, foo realm
>>
>> Ben.
>>
>> > So I think it is probably a minor issue, but I would like to check with
>> > others for an opinion.
>> >
>> > For now I have marked it as ignored, but if people have good arguments I
>> > will change my mind.
>> >
>> > Best regards
>> >
>> > // Ola
>> >
>> --
>> Ben Hutchings
>> I haven't lost my mind; it's backed up on tape somewhere.
--
--- Inguza Technology AB --- MSc in Information Technology ----
| [email protected] [email protected] |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------
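As an added example (not code from the thread, from Debian, or from Python's urllib), a client-side parser for a Basic WWW-Authenticate challenge that walks the header value once, so the comma-run test case quoted above costs linear time and is rejected as malformed instead of burning CPU. The length cap, the helper names and the sample header strings are assumptions constructed for the example.

```python
import re
from typing import List, Optional

# Constructed inputs: PATHOLOGICAL mirrors the comma-run test case quoted in
# the thread (comma count is an assumption); NORMAL is a well-formed challenge.
PATHOLOGICAL = "Basic " + "," * 64 + " foo realm"
NORMAL = 'Basic realm="example"'
# Hypothetical cap: longer challenges are rejected before any parsing, so a
# hostile server cannot make the client spend unbounded time on the header.
MAX_CHALLENGE_LEN = 4096
# RFC 7230 token characters for parameter names; anchored, cannot backtrack.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def _split_params(params: str) -> List[str]:
    """Split on commas outside double quotes in one left-to-right pass."""
    pieces, cur, quoted = [], [], False
    for ch in params:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            pieces.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    pieces.append("".join(cur))
    return pieces


def parse_basic_challenge(value: str) -> Optional[str]:
    """Return the realm of a 'Basic' challenge, or None if it is unusable."""
    # Every character is visited once: a run of empty comma-separated pieces
    # costs O(n) rather than triggering regex backtracking.
    if len(value) > MAX_CHALLENGE_LEN:
        return None
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    realm = None
    for piece in _split_params(params):
        piece = piece.strip()
        if not piece:
            continue  # empty piece produced by ",,": skipped in O(1)
        name, eq, val = piece.partition("=")
        name, val = name.strip(), val.strip()
        if not eq or not _TOKEN.match(name):
            return None  # not name=value (e.g. "foo realm"): malformed
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        if name.lower() == "realm":
            realm = val
    return realm
```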
