A ReDoS vulnerability exists in ./src/configobj/validate.py #232
Comments

Opening a pull request that patches this vulnerability would be appreciated. Thank you.

Is this security hole fixed?

CVE-2023-26112 appears to have been assigned for this issue.

just ping, if any PR fixed this CVE?

I have not, and I'm not in a position to provide one.
I characterized this as a CVE affecting server-side config and not something I'd expect a malicious user to be able to trigger.

On Sun, Apr 23, 2023 at 4:07 AM swf504 wrote:
> just ping, if any PR fixed this CVE?
The affected code is located in validate.py, line 660. It uses the vulnerable regular expression
(.+?)\((.*)\). When the match fails, it will cause catastrophic backtracking. I trigger the vulnerability using the Python script below.
I see many projects referencing this file; when run server side there is a possible DoS. It is my pleasure to provide a patch to repair the ReDoS vulnerability.
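As an added example (this is not code from the issue, from its author, or from configobj), the pattern quoted above applied with re.match beside a hardened equivalent. Each candidate split point chosen by the lazy (.+?) makes the greedy (.*) scan to the end of the string and back up looking for ")", so an input consisting of many "(" and no ")" costs roughly n^2/2 regex steps. The replacement ([^(]+)\((.*)\) has only one possible split point (the first "(") and runs in linear time, and on newline-free input it yields the same two groups. The function names parse_check_*, the sample inputs and the assumption that validate.py applies the pattern with re.match to the whole check string are this example's own.

```python
import re
import time

# Pattern quoted in the issue. The lazy "(.+?)" offers every prefix as a
# split point; for each one the greedy "(.*)" runs to the end and backs up
# looking for ")", so "(" * n with no ")" costs O(n^2) steps.
VULNERABLE_RE = re.compile(r'(.+?)\((.*)\)')

# Hardened form: "[^(]+" can only stop at the first "(", so there is a single
# split point and a single linear scan by ".*". Same groups as the original
# on newline-free input: group 1 is the text before the first "(", group 2
# the text between the first "(" and the last ")". Text after the last ")"
# is ignored by both, because re.match anchors only at the start.
HARDENED_RE = re.compile(r'([^(]+)\((.*)\)')


def parse_check_vulnerable(fun: str):
    """Split 'name(args)' with the original pattern; None when it does not match."""
    m = VULNERABLE_RE.match(fun)
    return (m.group(1), m.group(2)) if m else None


def parse_check_hardened(fun: str):
    """Same result as parse_check_vulnerable, in linear time."""
    if '\n' in fun:  # the original '.' never spans a newline; reject such input outright
        return None
    m = HARDENED_RE.match(fun)
    return (m.group(1), m.group(2)) if m else None


def parse_check_no_regex(fun: str):
    """Equivalent parser using plain string operations, no regex at all."""
    if '\n' in fun:
        return None
    head, sep, tail = fun.partition('(')   # name and first "("
    if not head or not sep:                # "(.+?)" needs at least one char before "("
        return None
    body, sep, _trailing = tail.rpartition(')')  # args end at the last ")"
    if not sep:
        return None
    return (head, body)


# Constructed sample inputs covering the ordinary and the edge cases.
SAMPLES = [
    "integer(0, 10)", "option('a', 'b')", "string", "", "a()", "(a)", "a(b",
    "a)b(c)", "a(b)c)d", "a(b\nc)", "a\n(b)", "(" * 500,
]


def same_result(samples=SAMPLES) -> bool:
    """True when all three parsers agree on every sample."""
    return all(
        parse_check_vulnerable(s) == parse_check_hardened(s) == parse_check_no_regex(s)
        for s in samples
    )


def time_parse(parser, fun: str) -> float:
    """Seconds spent parsing fun with the given parser."""
    t0 = time.perf_counter()
    parser(fun)
    return time.perf_counter() - t0


if __name__ == "__main__":
    assert same_result()
    # Constructed attack input: many "(" and no ")". Doubling n roughly
    # quadruples the original pattern's time; the hardened one stays flat.
    for n in (2000, 4000, 8000):
        evil = "(" * n
        print(f"n={n:5d}  original {time_parse(parse_check_vulnerable, evil):.3f}s  "
              f"hardened {time_parse(parse_check_hardened, evil):.6f}s")
```

Run the file directly to see the timings; the differential check in same_result is what gives confidence that swapping the pattern does not change which check strings are accepted or how they are split.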