René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"CVE-2024-7592: Denial of Service Vulnerability in `http.cookies._unquote()`","articleBody":"# Bug report\n\n### Bug description:\n\n## Description\n\nA potential Denial of Service (DoS) vulnerability, identified as CVE-2024-7592, has been discovered in the `_unquote()` method of the `http.cookies` module in Python's standard library. This vulnerability is particularly concerning as it affects frameworks that utilize this method, including Django.\n\n### Vulnerable Code\n\nThe `_unquote()` function uses regular expressions `_OctalPatt` and `_QuotePatt` within a while loop to process input strings. The problematic patterns and their application can lead to exponential time complexity under certain conditions, akin to a Regular Expression Denial of Service (ReDoS) attack.\n\n```python\n# http/cookies.py\n_OctalPatt = re.compile(r\"\\\\[0-3][0-7][0-7]\")\n_QuotePatt = re.compile(r\"[\\\\].\")\ndef _unquote(str):\n    # ... (code omitted for brevity)\n    while 0 \u003c= i \u003c n:\n        o_match = _OctalPatt.search(str, i)\n        q_match = _QuotePatt.search(str, i)\n        # ... (further processing)\n```\n\n## Impact\nThis vulnerability has also been verified in the Django framework, where the `parse_cookie()` function uses this method to process incoming cookie headers. This could potentially be exploited by sending specially crafted cookie values to trigger significant delays:\n\n- Cookie sizes of 8000+ bytes caused delays of approximately 0.15 seconds per HTTP request.\n- Cookie sizes of 20000+ bytes resulted in delays of about 1 second per request.\n\nWhile many environments limit HTTP request sizes, the specific limits vary, and in some cases, this vulnerability could be exploited.\n\n### CPython versions tested on:\n\nCPython main branch\n\n### Operating systems tested on:\n\nLinux\n\n\u003c!-- gh-linked-prs --\u003e\n### Linked PRs\n* gh-123066\n* gh-123075\n* gh-123103\n* gh-123104\n* gh-123105\n* gh-123106\n* gh-123107\n* gh-123108\n\u003c!-- /gh-linked-prs --\u003e\n","author":{"url":"https://github.com/ch4n3-yoon","@type":"Person","name":"ch4n3-yoon"},"datePublished":"2024-08-16T13:31:26.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":6},"url":"https://github.com/123067/cpython/issues/123067"}