[issue43075] ReDoS in urllib.request

2021-08-23 Thread Gianluca Gabrielli
Gianluca Gabrielli added the comment: RedHat has now assigned CVE-2021-3733 to this security bug. -- nosy: +crazybyte

[issue43075] ReDoS in urllib.request

2021-05-06 Thread Ned Deily
Change by Ned Deily: -- resolution: -> fixed stage: patch review -> resolved status: open -> closed

[issue43075] ReDoS in urllib.request

2021-05-06 Thread Ned Deily
Ned Deily added the comment: New changeset 3fbe96123aeb4fa547a8f6022efa2dc8788f by Miss Islington (bot) in branch '3.6': bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391) (GH-25250) https://github.com/python/cpython/commit/3fbe96123aeb4fa547a8f6022efa2dc8788f

[issue43075] ReDoS in urllib.request

2021-05-04 Thread Łukasz Langa
Łukasz Langa added the comment: New changeset ada14995870abddc277addf57dd690a2af04c2da by Miss Islington (bot) in branch '3.7': bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391) (#25249) https://github.com/python/cpython/commit/ada14995870abddc277addf57dd690a2af04c2da

[issue43075] ReDoS in urllib.request

2021-04-07 Thread STINNER Victor
STINNER Victor added the comment: New changeset a21d4fbd549ec9685068a113660553d7f80d9b09 by Miss Islington (bot) in branch '3.9': bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391) (GH-25247) https://github.com/python/cpython/commit/a21d4fbd549ec9685068a113660553d7f80d9b09

[issue43075] ReDoS in urllib.request

2021-04-07 Thread miss-islington
miss-islington added the comment: New changeset e7654b6046090914a8323931ed759a94a5f85d60 by Miss Islington (bot) in branch '3.8': bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391) https://github.com/python/cpython/commit/e7654b6046090914a8323931ed759a94a5f85d60

[issue43075] ReDoS in urllib.request

2021-04-07 Thread miss-islington
Change by miss-islington: -- pull_requests: +23989 pull_request: https://github.com/python/cpython/pull/25250

[issue43075] ReDoS in urllib.request

2021-04-07 Thread miss-islington
Change by miss-islington: -- pull_requests: +23988 pull_request: https://github.com/python/cpython/pull/25249

[issue43075] ReDoS in urllib.request

2021-04-07 Thread miss-islington
Change by miss-islington: -- pull_requests: +23987 pull_request: https://github.com/python/cpython/pull/25248

[issue43075] ReDoS in urllib.request

2021-04-07 Thread STINNER Victor
STINNER Victor added the comment: New changeset 7215d1ae25525c92b026166f9d5cac85fb1defe1 by Yeting Li in branch 'master': bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391) https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb1defe1

[issue43075] ReDoS in urllib.request

2021-04-07 Thread miss-islington
Change by miss-islington: -- nosy: +miss-islington nosy_count: 4.0 -> 5.0 pull_requests: +23986 pull_request: https://github.com/python/cpython/pull/25247

[issue43075] ReDoS in urllib.request

2021-04-07 Thread STINNER Victor
STINNER Victor added the comment: redos_python2.py: Updated benchmark. I confirm that PR 24391 fixes a worst case performance, starting with 100 characters. Since the complexity is quadratic, strings longer than 10^4 characters are likely to hang a client for several minutes. == Reference

[issue43075] ReDoS in urllib.request

2021-04-07 Thread yeting li
yeting li added the comment: For a regex that has polynomial worst-case complexity, limiting the maximum input length is indeed a very effective method. As shown below, as the input length becomes smaller, the matching time becomes significantly smaller. header = '' + ',' * (10 ** 4)    1.617s

[issue43075] ReDoS in urllib.request

2021-04-07 Thread STINNER Victor
STINNER Victor added the comment:
> header = '' + ',' * (10 ** 5)
I guess that a more generic protection against future attacks would be to limit the maximum length of an HTTP header. 100,000 characters for an HTTP Basic authentication does not sound reasonable. But for now, let's fix the

[issue43075] ReDoS in urllib.request

2021-03-14 Thread yeting li
yeting li added the comment: Sorry for the delay. I analyzed the performance of the current version '(?:^|,)[ \t]*([^ \t]+)[ \t]+' and the fixed version '(?:^|,)[ \t]*([^ \t,]+)[ \t]+'. I ran the following HTTP header ten times: header = '' + ',' * (10 ** 5) The current version takes about

[issue43075] ReDoS in urllib.request

2021-03-09 Thread STINNER Victor
STINNER Victor added the comment: I see that you attached a redos_python.py benchmark (which looks like a benchmark that I wrote recently ;-)) but you didn't give results. Can you please show that your fix is effective to avoid catastrophic performances? Is this issue related to the

[issue43075] ReDoS in urllib.request

2021-03-03 Thread Tal Einat
Change by Tal Einat: -- keywords: +newcomer friendly

[issue43075] ReDoS in urllib.request

2021-03-02 Thread Zachary Ware
Change by Zachary Ware: -- keywords: +patch

[issue43075] ReDoS in urllib.request

2021-03-02 Thread Zachary Ware
Change by Zachary Ware: -- keywords: +easy -easy (C), patch

[issue43075] ReDoS in urllib.request

2021-03-02 Thread Éric Araujo
Change by Éric Araujo: -- title: ReDoS in request -> ReDoS in urllib.request