yeting li <l...@ios.ac.cn> added the comment:
Sorry for the delay. I analyzed the performance of the current version
'(?:^|,)[ \t]*([^ \t]+)[ \t]+' and the fixed version '(?:^|,)[ \t]*([^ \t,]+)[
\t]+'. I ran the following HTTP header ten times:
header = '' + ',' * (10 ** 5)
The current version takes about 139.178s-140.946s, while the repaired version
takes about 0.006s.
You can analyze them with the code below.
from time import perf_counter
for _ in range(0, 10):
BEGIN = perf_counter()
header = repeat_10_5_simple
headers = Headers(header)
handler.http_error_auth_reqed("WWW-Authenticate", host, req,
Headers(header))
DURATION = perf_counter() - BEGIN
print(f"took {DURATION} seconds!")
For CVE-2020-8492, it is the backtracking performance caused by some ambiguity
during the matching, and this issue is caused by the regex engine constantly
moves the matching regex across the malicious string that does not have a match
for the regex.
Because the locations of the vulnerabilities are the same, so I refer to your
code. Thanks for the code ;-)!
----------
_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue43075>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
