Skip to content

[2.7] bpo-32997: Fix REDOS in fpformat #5984

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Mar 6, 2018
Merged

[2.7] bpo-32997: Fix REDOS in fpformat #5984

merged 3 commits into from
Mar 6, 2018

Conversation

davisjam
Copy link
Contributor

@davisjam davisjam commented Mar 5, 2018
edited by bedevere-bot
Loading

The regex to decode a number in fpformat is susceptible to
catastrophic backtracking.
This is a potential DOS vector if a server is using fpformat on
untrusted number strings.

Replace it with an equivalent non-vulnerable regex.

The match behavior of the new regex is slightly different.
This difference is addressed with a follow-up check.

https://bugs.python.org/issue32997

@davisjam
bpo-32997: Fix REDOS in fpformat
87d3daa 
The regex to decode a number in fpformat is susceptible to
catastrophic backtracking.
This is a potential DOS vector if a server is using fpformat on
untrusted number strings.

Replace it with an equivalent non-vulnerable regex.

The match behavior of the new regex is slightly different.
This difference is addressed with a follow-up check.
@davisjam
Copy link
Contributor Author

davisjam commented Mar 5, 2018

@serhiy-storchaka Figured you might be a good reviewer?

@davisjam
Address review comments
fc083d0 
Use a simplified regex.

Capture the integer part of the number in one group,
then strip off leading 0's.
@davisjam
Copy link
Contributor Author

davisjam commented Mar 5, 2018

@serhiy-storchaka fc083d0 addresses your suggestion in the bpo. I agree that this seems like a better approach.

@benjaminp benjaminp merged commit 55d5bfb into python:2.7 Mar 6, 2018
@davisjam davisjam mentioned this pull request Apr 5, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@davisjam @benjaminp @the-knights-who-say-ni @bedevere-bot