#36768: File.__iter__() Quadratic-time DoS
-------------------------------------+-------------------------------------
Reporter: wooseokdotkim              | Owner: (none)
Type: Bug                            | Status: new
Component: File uploads/storage      | Version:
Severity: Normal                     | Resolution:
Keywords: DoS                        | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):
* component: Uncategorized => File uploads/storage
Old description:
> I thought the code below could generate a DoS, so I made a bug report.
> However, File.__iter__ was not recognized as a bug because only one line
> was buffered and it only worked for chunks returned from File.chunks, but it
> was determined that verification code for input should be added, so it
> was created as an open ticket.
>
> The code pattern is similar to CVE-2023-36053, which is already released,
> so I think it needs to be modified.
>
> code: django/core/files/base.py:89
>
> {{{
> def __iter__(self):
>     buffer_ = None
>     for chunk in self.chunks():
>         for line in chunk.splitlines(True):
>             if buffer_:
>                 line = buffer_ + line  # < Code!
> }}}
>
> How should I patch it?
New description:
I thought the code below could generate a DoS, so I made a bug report.
However, `File.__iter__()` was not recognized as a bug because only one
line was buffered and it only worked for chunks returned from `File.chunks`,
but it was determined that verification code for input should be added, so
it was created as an open ticket.
The code pattern is similar to CVE-2023-36053, which is already released,
so I think it needs to be modified.
code: django/core/files/base.py:89
{{{
def __iter__(self):
    buffer_ = None
    for chunk in self.chunks():
        for line in chunk.splitlines(True):
            if buffer_:
                line = buffer_ + line  # < Code!
}}}
How should I patch it?
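The concern in the ticket is that `buffer_ + line` re-copies the whole partial line for every chunk it spans, so one very long line costs quadratic time. As an added example (not Django's code and not a proposed patch), the same chunk-wise line iteration written so that the partial line is kept as a list of fragments joined once per completed line (linear in the input), with an assumed, constructed `max_line_length` guard that rejects unbounded lines; the `\r` / `\r\n` handling mirrors the reference code's buffering rules.

```python
def iter_lines(chunks, max_line_length=None):
    """Yield newline-terminated lines from an iterable of bytes chunks.

    Constructed example: terminators may be \\n, \\r\\n or a lone \\r, and any
    of them may be split across a chunk boundary. max_line_length (assumed,
    not a Django parameter) bounds how much of one line is ever buffered.
    """
    fragments = []  # pieces of the current, not yet terminated line
    buffered = 0    # bytes currently held in fragments

    for chunk in chunks:
        for line in chunk.splitlines(True):
            # A buffered line that ended with a lone '\r' is complete unless
            # this piece is the '\n' of a '\r\n' pair split across chunks.
            if fragments and fragments[-1].endswith(b"\r") and line != b"\n":
                yield b"".join(fragments)
                fragments, buffered = [], 0

            fragments.append(line)  # O(1) append instead of bytes concat
            buffered += len(line)
            if max_line_length is not None and buffered > max_line_length:
                raise ValueError("line exceeds %d bytes" % max_line_length)

            if line.endswith(b"\n"):
                # One join per completed line: total work is linear.
                yield b"".join(fragments)
                fragments, buffered = [], 0

    if fragments:
        yield b"".join(fragments)


def line_count(chunks, max_line_length=None):
    """Convenience wrapper used for checks: number of lines yielded."""
    return sum(1 for _ in iter_lines(chunks, max_line_length))


if __name__ == "__main__":
    # Constructed sample: a line spanning three chunks and a split '\r\n'.
    sample = [b"hea", b"der\r", b"\nbody line\n", b"tail"]
    for ln in iter_lines(sample, max_line_length=64):
        print(ln)
```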
--
Ticket URL: <https://code.djangoproject.com/ticket/36768#comment:3>
Django <https://code.djangoproject.com/>