Re: regex infinite loop with 100% cpu use in django.forms.fields.email_re - DOS hole?
On Fri, 2009-10-09 at 12:21 -0700, davisd wrote:
> Sorry for the public disclosure... I did email django security after
> I posted. I'm just getting into this open source goodness and I'm not
> really sure how it's supposed to operate yet.
>
> I did consult the documentation:
> http://docs.djangoproject.com/en/dev/internals/contributing/
>
> Jacob:
> I'm running django from SVN
> Python 2.6.2
> I believe the Operating system is moot- it's all in the python.
> Linux kernel 2.6.31-11, but also 2.6.18.8 -
>
> I'm wondering if a multithreaded webserver setup would be more guarded
> against this sort of thing?

This bug has no effect on FreeBSD systems I've tested, so it looks like it is OS specific.

FreeBSD 7.0, 7.1, 7.2 + python 2.5.4 work fine.

$ time python -c "from django.forms.fields import email_re;
> email_re.match('viewx3dtextx26q...@yahoo.comx26latlngx3d15854521645943074058');
> import django; print django.VERSION"
(1, 1, 0, 'final', 0)

real    0m0.086s
user    0m0.055s
sys     0m0.029s

Linux 2.6.27 + python 2.5.4 fails.

$ time python -c "from django.forms.fields import email_re;
> email_re.match('viewx3dtextx26q...@yahoo.comx26latlngx3d15854521645943074058');
> import django; print django.VERSION"
^CTraceback (most recent call last):
  File "<string>", line 1, in <module>
KeyboardInterrupt

real    0m21.317s
user    0m21.173s
sys     0m0.044s

Cheers

Tom

You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/django-users?hl=en
Re: regex infinite loop with 100% cpu use in django.forms.fields.email_re - DOS hole?
Just as an update for anyone following this thread: This was indeed a security exploit, and it has been fixed. See http://www.djangoproject.com/weblog/2009/oct/09/security/ for details.

Jacob
Re: regex infinite loop with 100% cpu use in django.forms.fields.email_re - DOS hole?
On Fri, Oct 9, 2009 at 3:21 PM, davisd wrote:
>
> I'm wondering if a multithreaded webserver setup would be more guarded
> against this sort of thing?
>

Yeah, but. When I tried this on my own production server (Apache/mod_wsgi) the process handling the request that caused the problem was killed after the deadlock timeout was reached. But deadlock timeout can't really protect you from a determined denial of service attack, so it's still a problem in Django.

Karen
Re: regex infinite loop with 100% cpu use in django.forms.fields.email_re - DOS hole?
Sorry for the public disclosure... I did email django security after I posted. I'm just getting into this open source goodness and I'm not really sure how it's supposed to operate yet.

I did consult the documentation:
http://docs.djangoproject.com/en/dev/internals/contributing/

Jacob:
I'm running django from SVN
Python 2.6.2
I believe the Operating system is moot- it's all in the python.
Linux kernel 2.6.31-11, but also 2.6.18.8 -

I'm wondering if a multithreaded webserver setup would be more guarded against this sort of thing?

On Oct 9, 2:18 pm, James Bennett wrote:
> Yes.
>
> We've confirmed the problem. We're working on a patch.
>
> In the meantime, everybody go meditate on the documentation for how to
> report security issues.
>
> --
> "Bureaucrat Conrad, you are technically correct -- the best kind of correct."
Re: regex infinite loop with 100% cpu use in django.forms.fields.email_re - DOS hole?
Yes.

We've confirmed the problem. We're working on a patch.

In the meantime, everybody go meditate on the documentation for how to report security issues.

--
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."
Re: regex infinite loop with 100% cpu use in django.forms.fields.email_re - DOS hole?
Take a look at mine:

In [41]: from django.forms.fields import email_re

In [42]: email_re.match('viewx3dtextx26q...@yahoo.comx26latlngx3d15854521645943074058')

and this is what top shows:

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
13886 juan      20   0 17556  12m 1992 R   95  1.3   0:59.61 ipython

and stays like that for ever...
Re: regex infinite loop with 100% cpu use in django.forms.fields.email_re - DOS hole?
Ok! I just confirmed this, I took down a live server! (One of my own)

All I had to do was put the email address in the contact form.

-David

On Oct 9, 1:13 pm, davisd wrote:
> After hours of debugging, I found that:
>
> from django.forms.fields import email_re
> email_re.match('viewx3dtextx26q...@yahoo.comx26latlngx3d15854521645943074058')
>
> will cause CPU to shoot up 100% and the process will hang forever.
>
> Since this is the regex used to validate EmailField on forms, won't
> this DOS a live site?
>
> Where should I report this?
>
> Is there a better way to validate an email address?
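The following is an added example, not code from this thread or from Django, illustrating the mechanism behind the 100% CPU hang David reports (catastrophic backtracking in a regex with nested quantifiers) and answering his closing question, "Is there a better way to validate an email address?", from the defender's side. It also bears on Karen's point that a server-side deadlock timeout only kills the request after the damage is done: the safer place to stop this is in the validator, by capping the input length before any regex runs and by using patterns whose quantifiers cannot overlap. The patterns `PRONE` and `LINEAR`, the `is_valid_email` validator, the length limits and the sample inputs are all constructed for this example (the limits follow RFC 5321, but the regexes are not Django's `email_re` and the inputs are not the reported string). Python 3.

```python
"""Added example (not part of the thread, not Django's code).

Why one crafted input can pin a CPU at 100%: a pattern with nested or
overlapping quantifiers can force the regex engine to try an exponential
number of ways to split the input before it finally fails to match.
The fix on the validator side is to bound the input first and to use
patterns that can only fail in a single linear pass.
"""
import re
import time

# Constructed: nested quantifier. On a non-matching input of n 'a's the
# engine tries roughly 2**(n-1) ways to split them before giving up.
PRONE = re.compile(r"^(a+)+$")
# Constructed: same language, no nesting, one linear pass on failure.
LINEAR = re.compile(r"^a+$")


def time_match(pattern, text):
    """Return (matched, seconds) for a single match attempt."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


# Defensive validator (constructed). Limits are the RFC 5321 maxima.
MAX_EMAIL_LENGTH = 254
MAX_LOCAL_LENGTH = 64
# One quantifier each, anchored with \Z: no way for the engine to
# re-partition the input, so failure costs O(len) work.
LOCAL_PART = re.compile(r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+\Z")
DOMAIN_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\Z")


def is_valid_email(addr):
    """Structural email check whose cost is linear in len(addr).

    The length cap runs before any regex, so a pathological string is
    rejected in constant time; the address is then split on its last '@'
    and each piece is checked with a pattern that has no nested
    quantifiers. Requires at least two domain labels (so 'user@localhost'
    is rejected); relax that if your deployment needs it.
    """
    if not isinstance(addr, str) or len(addr) > MAX_EMAIL_LENGTH:
        return False
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or len(local) > MAX_LOCAL_LENGTH or not domain:
        return False
    if not LOCAL_PART.match(local):
        return False
    labels = domain.split(".")
    if len(labels) < 2 or not all(DOMAIN_LABEL.match(l) for l in labels):
        return False
    return True


if __name__ == "__main__":
    # Constructed non-matching input: 16 'a's then a character that
    # breaks the match. Each extra 'a' roughly doubles PRONE's time;
    # LINEAR stays flat.
    evil = "a" * 16 + "!"
    for name, pat in (("nested", PRONE), ("linear", LINEAR)):
        matched, secs = time_match(pat, evil)
        print("%-6s matched=%s  %.4fs" % (name, matched, secs))
    for sample in ("user@example.com", "a" * 300 + "@example.com", "no-at-sign"):
        print(repr(sample[:24]), is_valid_email(sample))
```

The order of checks is the point: the length test costs nothing and runs first, so even if a pattern further down turned out to be backtracking-prone, the worst case is bounded by 254 characters rather than by whatever an attacker can fit in a POST body. The timing loop in the `__main__` block is there to let a reader watch the nested pattern's cost double per added character while the linear one does not.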