-
-
Notifications
You must be signed in to change notification settings - Fork 31.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler #83684
Comments
Copy of an email received on the Python Security Response team, 9 days ago. I consider that it's not worth it to have an embargo on this vulnerability, so I make it public. Hi there, I believe I've found a denial-of-service (DoS) bug in from urllib.request import AbstractBasicAuthHandler
auth_handler = AbstractBasicAuthHandler()
auth_handler.http_error_auth_reqed(
'www-authenticate',
'unused',
'unused',
{
'www-authenticate': 'Basic ' + ',' * 64 + ' ' + 'foo' + ' ' +
'realm'
}
) The issue itself is in the following regular expression: rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
'realm=(["\']?)([^"\']*)\\2', re.I) In particular, the (?:.*,)* portion. Since "." and "," overlap and there I won't speculate on the severity of the issue too much - you will surely One possible fix would be changing the rx expression to the following: rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+'
'realm=(["\']?)([^"\']*)\\2', re.I) This removes the character overlap in the nested quantifier and thus Let me know if you have any questions or what the next steps are from here. -- |
I added this vulnerability to the following page to track fixes in all Python supported branches: |
CVE-2020-8492 has been assigned to this vulnerability: |
Isn't this a duplicate of bpo-38826 ? |
Oh right. I marked it as a duplicate of this issue. |
bench_parser.py: Benchmark for AbstractBasicAuthHandler.http_error_auth_reqed(). |
Instead of repeat_10_3 = 'Basic ' + ', ' * (10 ** 3) + simple in the benchmark, try repeat_10_3 = 'Basic ' + ', ' * (10 ** 3) + 'A' |
Ooooh, I see. I didn't measure the performance of the right header. I re-run a benchmark using the HTTP header (repeat=15): header = 'Basic ' + ', ' * 15 + 'A' Now I see a major performance difference. Comparison between master ("ref") and PR 18284 ("fix"): Mean +- std dev: [ref] 88.9 ms +- 2.4 ms -> [fix] 17.5 us +- 0.7 us: 5083.23x faster (-100%) So the worst case is now way faster: more than 5000x faster! It's even possible to go up to repeat=10**6 characters, it still takes less than 1 seconds: 412 ms +- 19 ms. On the master branch, repeat=20 already takes around 3 seconds... The slowdown is exponential with repeat increase. |
New changeset 0b297d4 by Victor Stinner in branch 'master': |
Line 989 in 9f93018
"headers" is a dict object? If so, the dict object does not seem to have no attribute "get_all". |
No, it's not a dict object. |
At the beginning of the issue, there is the following reproduction code: Here's the headers: { I think this is a dict object, so the current problem is fixed and no longer compatible with the previous usage? |
This issue was a security vulnerability. It's now closed, please don't comment closed issues. If you consider that there is a regression, please open a new issue. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: