[issue43075] ReDoS in urllib.request

2021-08-23 Thread Gianluca Gabrielli


Gianluca Gabrielli  added the comment:

RedHat has now assigned CVE-2021-3733 to this security bug.

--
nosy: +crazybyte

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue43075] ReDoS in urllib.request

2021-05-06 Thread Ned Deily


Change by Ned Deily :


--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed




[issue43075] ReDoS in urllib.request

2021-05-06 Thread Ned Deily


Ned Deily  added the comment:


New changeset 3fbe96123aeb4fa547a8f6022efa2dc8788f by Miss Islington (bot) 
in branch '3.6':
bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391) (GH-25250)
https://github.com/python/cpython/commit/3fbe96123aeb4fa547a8f6022efa2dc8788f


--
nosy: +ned.deily




[issue43075] ReDoS in urllib.request

2021-05-04 Thread Łukasz Langa

Łukasz Langa  added the comment:


New changeset ada14995870abddc277addf57dd690a2af04c2da by Miss Islington (bot) 
in branch '3.7':
bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391) (#25249)
https://github.com/python/cpython/commit/ada14995870abddc277addf57dd690a2af04c2da


--
nosy: +lukasz.langa




[issue43075] ReDoS in urllib.request

2021-04-07 Thread STINNER Victor


STINNER Victor  added the comment:


New changeset a21d4fbd549ec9685068a113660553d7f80d9b09 by Miss Islington (bot) 
in branch '3.9':
bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391) (GH-25247)
https://github.com/python/cpython/commit/a21d4fbd549ec9685068a113660553d7f80d9b09


--




[issue43075] ReDoS in urllib.request

2021-04-07 Thread miss-islington


miss-islington  added the comment:


New changeset e7654b6046090914a8323931ed759a94a5f85d60 by Miss Islington (bot) 
in branch '3.8':
bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391)
https://github.com/python/cpython/commit/e7654b6046090914a8323931ed759a94a5f85d60


--




[issue43075] ReDoS in urllib.request

2021-04-07 Thread miss-islington


Change by miss-islington :


--
pull_requests: +23989
pull_request: https://github.com/python/cpython/pull/25250




[issue43075] ReDoS in urllib.request

2021-04-07 Thread miss-islington


Change by miss-islington :


--
pull_requests: +23988
pull_request: https://github.com/python/cpython/pull/25249




[issue43075] ReDoS in urllib.request

2021-04-07 Thread miss-islington


Change by miss-islington :


--
pull_requests: +23987
pull_request: https://github.com/python/cpython/pull/25248




[issue43075] ReDoS in urllib.request

2021-04-07 Thread STINNER Victor


STINNER Victor  added the comment:


New changeset 7215d1ae25525c92b026166f9d5cac85fb1defe1 by Yeting Li in branch 
'master':
bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391)
https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb1defe1


--




[issue43075] ReDoS in urllib.request

2021-04-07 Thread miss-islington


Change by miss-islington :


--
nosy: +miss-islington
nosy_count: 4.0 -> 5.0
pull_requests: +23986
pull_request: https://github.com/python/cpython/pull/25247




[issue43075] ReDoS in urllib.request

2021-04-07 Thread STINNER Victor


STINNER Victor  added the comment:

redos_python2.py: Updated benchmark.

I confirm that PR 24391 fixes a worst-case performance, starting with 100 
characters.

Since the complexity is quadratic, strings longer than 10^4 characters are likely 
to hang a client for several minutes.

== Reference (vulnerable) ==

simple: Mean +- std dev: 2.10 us +- 0.05 us
repeat 10: Mean +- std dev: 3.85 us +- 0.13 us
repeat 10^2: Mean +- std dev: 133 us +- 3 us
repeat 10^4: Mean +- std dev: 1.23 sec +- 0.05 sec

== With the PR 24391 fix ==

simple: Mean +- std dev: 2.15 us +- 0.15 us
repeat 10: Mean +- std dev: 2.44 us +- 0.04 us
repeat 10^2: Mean +- std dev: 7.45 us +- 0.17 us
repeat 10^4: Mean +- std dev: 574 us +- 28 us

== Comparison ==

simple: Mean +- std dev: [ref] 2.10 us +- 0.05 us -> [fix] 2.15 us +- 0.15 us: 1.02x slower
repeat 10: Mean +- std dev: [ref] 3.85 us +- 0.13 us -> [fix] 2.44 us +- 0.04 us: 1.58x faster
repeat 10^2: Mean +- std dev: [ref] 133 us +- 3 us -> [fix] 7.45 us +- 0.17 us: 17.80x faster
repeat 10^4: Mean +- std dev: [ref] 1.23 sec +- 0.05 sec -> [fix] 574 us +- 28 us: 2152.36x faster

Geometric mean: 15.59x faster

--
Added file: https://bugs.python.org/file49938/redos_python2.py




[issue43075] ReDoS in urllib.request

2021-04-07 Thread yeting li


yeting li  added the comment:

For a regex that has polynomial worst-case complexity, limiting the maximum input 
length is indeed a very effective method.

As shown below, as the input length becomes smaller, the matching time becomes 
significantly smaller.

header = '' + ',' * (10 ** 4)    1.617s
header = '' + ',' * (10 ** 3)    0.014s
header = '' + ',' * (10 ** 2)    0.00017s

--




[issue43075] ReDoS in urllib.request

2021-04-07 Thread STINNER Victor


STINNER Victor  added the comment:

> header = '' + ',' * (10 ** 5)

I guess that a more generic protection against future attacks would be to limit 
the maximum length of an HTTP header. 100,000 characters for an HTTP Basic 
authentication does not sound reasonable.

But for now, let's fix the regex.

--




[issue43075] ReDoS in urllib.request

2021-03-14 Thread yeting li


yeting li  added the comment:

Sorry for the delay. I analyzed the performance of the current version 
'(?:^|,)[ \t]*([^ \t]+)[ \t]+' and the fixed version '(?:^|,)[ \t]*([^ \t,]+)[ \t]+'. 
I ran the following HTTP header ten times:

header = '' + ',' * (10 ** 5)

The current version takes about 139.178s-140.946s, while the repaired version 
takes about 0.006s.

You can analyze them with the code below.

from time import perf_counter
import urllib.request

class Headers:  # minimal stand-in: the handler only calls headers.get_all(name)
    def __init__(self, value):
        self.value = value
    def get_all(self, name, default=None):
        return [self.value]

handler = urllib.request.AbstractBasicAuthHandler()
host = "http://example.invalid/"  # placeholder URL, never contacted
req = urllib.request.Request(host)
repeat_10_5_simple = '' + ',' * (10 ** 5)  # the header shown above
for _ in range(0, 10):
    BEGIN = perf_counter()
    header = repeat_10_5_simple
    handler.http_error_auth_reqed("WWW-Authenticate", host, req, Headers(header))
    DURATION = perf_counter() - BEGIN
    print(f"took {DURATION} seconds!")

For CVE-2020-8492, it is the backtracking performance caused by some ambiguity 
during the matching, while this issue is caused by the regex engine constantly 
moving the matching regex across the malicious string that does not have a match 
for the regex.

Because the locations of the vulnerabilities are the same, I referred to your 
code. Thanks for the code ;-)!

--

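The two regexes quoted in the 2021-03-14 comment, side by side on a comma flood and on a well-formed header, together with the header-length guard Victor suggests in the 2021-04-07 comment. This is an added example, not code from the thread or from CPython: only the scheme-parsing prefix of the pattern is used (the real rx continues with a realm=... tail), and MAX_HEADER_LEN, parse_schemes, compare and the constructed comma-flood input are assumptions.

```python
import re
import time

# Scheme-parsing prefix of urllib.request's AbstractBasicAuthHandler.rx, exactly
# as quoted in the thread (the real pattern continues with a realm=... tail).
VULNERABLE = re.compile(r'(?:^|,)[ \t]*([^ \t]+)[ \t]+')   # before GH-24391
FIXED = re.compile(r'(?:^|,)[ \t]*([^ \t,]+)[ \t]+')       # after GH-24391

# Assumed cap on one WWW-Authenticate value (not a CPython setting); the thread
# suggests such a limit as the generic defence against future regex attacks.
MAX_HEADER_LEN = 8192

def time_scan(pattern, header):
    """Scan the whole header with finditer (as the handler does) and time it."""
    start = time.perf_counter()
    schemes = [m.group(1) for m in pattern.finditer(header)]
    return schemes, time.perf_counter() - start

def parse_schemes(header, pattern=FIXED, max_len=MAX_HEADER_LEN):
    """Length guard first, then the linear-time pattern."""
    if len(header) > max_len:
        raise ValueError(f"auth header too long: {len(header)} > {max_len}")
    return [m.group(1) for m in pattern.finditer(header)]

def compare(n):
    """Seconds taken by (vulnerable, fixed) on a constructed comma flood of length n.

    Every ',' is a valid list separator, so the vulnerable scheme group (which
    only excludes space and tab) swallows all remaining commas, then backtracks
    one character at a time, once per start position: O(n^2) overall. Excluding
    ',' from the group makes the attempt at each comma fail immediately: O(n)."""
    flood = ',' * n
    _, slow = time_scan(VULNERABLE, flood)
    _, fast = time_scan(FIXED, flood)
    return slow, fast

if __name__ == "__main__":
    print(parse_schemes('Basic realm="example", Bearer realm="api"'))
    for n in (100, 1000, 3000):
        slow, fast = compare(n)
        print(f"n={n:>5}: vulnerable {slow * 1e3:8.2f} ms, fixed {fast * 1e3:8.3f} ms")
```

On well-formed headers both patterns return the same scheme list, so the fix changes only the failure path, which is what makes it safe to backport.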



[issue43075] ReDoS in urllib.request

2021-03-09 Thread STINNER Victor


STINNER Victor  added the comment:

I see that you attached a redos_python.py benchmark (which looks like a 
benchmark that I wrote recently ;-)) but you didn't give results. Can you 
please show that your fix is effective at avoiding catastrophic performance?

Is this issue related to the CVE-2020-8492? Is it the same issue or is it 
different?
https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html

--
nosy: +vstinner




[issue43075] ReDoS in urllib.request

2021-03-03 Thread Tal Einat


Change by Tal Einat :


--
keywords: +newcomer friendly




[issue43075] ReDoS in urllib.request

2021-03-02 Thread Zachary Ware


Change by Zachary Ware :


--
keywords: +patch




[issue43075] ReDoS in urllib.request

2021-03-02 Thread Zachary Ware


Change by Zachary Ware :


--
keywords: +easy -easy (C), patch




[issue43075] ReDoS in urllib.request

2021-03-02 Thread Éric Araujo

Change by Éric Araujo :


--
title: ReDoS in request -> ReDoS in urllib.request
