Re: regex infinite loop with 100% cpu use in django.forms.fields.email_re - DOS hole?

2009-10-12 Thread Tom Evans

On Fri, 2009-10-09 at 12:21 -0700, davisd wrote:
> Sorry for the public disclosure...  I did email django security after
> I posted.  I'm just getting into this open source goodness and I'm not
> really sure how it's supposed to operate yet.
> 
> I did consult the documentation: 
> http://docs.djangoproject.com/en/dev/internals/contributing/
> 
> Jacob:
> I'm running django from SVN
> Python 2.6.2
> I believe the Operating system is moot- it's all in the python.
> Linux kernel 2.6.31-11, but also 2.6.18.8 -
> 
> I'm wondering if a multithreaded webserver setup would be more guarded
> against this sort of thing?
> 

This bug has no effect on FreeBSD systems I've tested, so it looks like
it is OS specific.

FreeBSD 7.0, 7.1, 7.2 + python 2.5.4 work fine.

> $ time python -c "from django.forms.fields import email_re; 
> email_re.match('viewx3dtextx26q...@yahoo.comx26latlngx3d15854521645943074058');
>  import django; print django.VERSION"
(1, 1, 0, 'final', 0)

real    0m0.086s
user    0m0.055s
sys     0m0.029s


Linux 2.6.27 + python 2.5.4 fails.

> $ time python -c "from django.forms.fields import email_re; 
> email_re.match('viewx3dtextx26q...@yahoo.comx26latlngx3d15854521645943074058');
>  import django; print django.VERSION"
^CTraceback (most recent call last):
  File "<string>", line 1, in <module>
KeyboardInterrupt

real    0m21.317s
user    0m21.173s
sys     0m0.044s


Cheers

Tom


--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~--~~~~--~~--~--~---
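The `time` measurement Tom runs above, turned into a check with a hard deadline, as an added example that is not code from this thread or from Django: both domain patterns are constructed here (one with the nested-quantifier shape that backtracks exponentially when a long label has no trailing dot, one rewritten so a label has only one possible split), and the helper runs the match in a child process so a blow-up is reported as `timeout` instead of pinning a CPU.

```python
"""Deadline-bounded regex check: report a backtracking blow-up as a timeout
instead of letting it hang the process the way the thread describes."""
import subprocess
import sys

# Constructed patterns, not Django's email_re. Both describe the domain part
# of an address. The first nests a quantifier over the same character class
# ([A-Z0-9]+ inside (...)*), so a long label that is not followed by a dot
# is split every possible way before the match fails: exponential work.
NESTED_DOMAIN = r'^(?:[A-Z0-9]+(?:-*[A-Z0-9]+)*\.)+[A-Z]{2,6}$'
# Rewrite with a single bounded shape per label: at most 62 ways to split a
# label, so failure is found after a small, fixed amount of backtracking.
SAFE_DOMAIN = r'^(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,6}$'

# The match runs in a child interpreter so the parent can enforce a deadline
# even if the regex engine never returns control to Python code.
_CHILD = ("import re, sys\n"
          "sys.exit(0 if re.match(sys.argv[1], sys.argv[2], re.I) else 1)")


def bounded_match(pattern, text, timeout=2.0):
    """Return 'match', 'no match' or 'timeout' for pattern applied to text."""
    try:
        proc = subprocess.run([sys.executable, "-c", _CHILD, pattern, text],
                              timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    return "match" if proc.returncode == 0 else "no match"


def audit(pattern, samples, timeout=2.0):
    """Map each sample to its outcome. Any 'timeout' means the pattern must
    not be run on untrusted input without a fix or an external deadline."""
    return {s: bounded_match(pattern, s, timeout) for s in samples}


# Constructed inputs: a well-formed domain and a long label with no dot/TLD.
SAMPLES = ["example.com", "a" * 48]

if __name__ == "__main__":
    for name, pat in (("nested", NESTED_DOMAIN), ("bounded", SAFE_DOMAIN)):
        print(name, audit(pat, SAMPLES))
```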



Re: regex infinite loop with 100% cpu use in django.forms.fields.email_re - DOS hole?

2009-10-09 Thread Jacob Kaplan-Moss

Just as an update for anyone following this thread:

This was indeed a security exploit, and it has been fixed. See
http://www.djangoproject.com/weblog/2009/oct/09/security/ for details.

Jacob




Re: regex infinite loop with 100% cpu use in django.forms.fields.email_re - DOS hole?

2009-10-09 Thread Karen Tracey
On Fri, Oct 9, 2009 at 3:21 PM, davisd  wrote:

>
> I'm wondering if a multithreaded webserver setup would be more guarded
> against this sort of thing?
>
>
Yeah, but.  When I tried this on my own production server (Apache/mod_wsgi)
the process handling the request that caused the problem was killed after
the deadlock timeout was reached. But deadlock timeout can't really protect
you from a determined denial of service attack, so it's still a problem in
Django.

Karen




Re: regex infinite loop with 100% cpu use in django.forms.fields.email_re - DOS hole?

2009-10-09 Thread davisd

Sorry for the public disclosure...  I did email django security after
I posted.  I'm just getting into this open source goodness and I'm not
really sure how it's supposed to operate yet.

I did consult the documentation: 
http://docs.djangoproject.com/en/dev/internals/contributing/

Jacob:
I'm running django from SVN
Python 2.6.2
I believe the Operating system is moot- it's all in the python.
Linux kernel 2.6.31-11, but also 2.6.18.8 -

I'm wondering if a multithreaded webserver setup would be more guarded
against this sort of thing?


On Oct 9, 2:18 pm, James Bennett  wrote:
> Yes.
>
> We've confirmed the problem. We're working on a patch.
>
> In the meantime, everybody go meditate on the documentation for how to
> report security issues.
>
> --
> "Bureaucrat Conrad, you are technically correct -- the best kind of correct."



Re: regex infinite loop with 100% cpu use in django.forms.fields.email_re - DOS hole?

2009-10-09 Thread James Bennett

Yes.

We've confirmed the problem. We're working on a patch.

In the meantime, everybody go meditate on the documentation for how to
report security issues.


-- 
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."




Re: regex infinite loop with 100% cpu use in django.forms.fields.email_re - DOS hole?

2009-10-09 Thread Juan Hernandez
Take a look at mine:

In [41]: from django.forms.fields
django.forms.fields

In [41]: from django.forms.fields import email_re

In [42]: email_re.match('viewx3dtextx26q...@yahoo.comx26latlngx3d15854521645943074058')

and this is what top shows:

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
13886 juan      20   0 17556  12m 1992 R   95  1.3   0:59.61 ipython

and stays like that for ever...




Re: regex infinite loop with 100% cpu use in django.forms.fields.email_re - DOS hole?

2009-10-09 Thread davisd

Ok!  I just confirmed this, I took down a live server! (One of my own)

All I had to do was put the email address in the contact form.

-David

On Oct 9, 1:13 pm, davisd  wrote:
> After hours of debugging, I found that:
>
> from django.forms.fields import email_re
> email_re.match('viewx3dtextx26q...@yahoo.comx26latlngx3d15854521645943074058')
>
> will cause CPU to shoot up 100% and the process will hang forever.
>
> Since this is the regex used to validate EmailField on forms, won't
> this DOS a live site?
>
> Where should I report this?
>
> Is there a better way to validate an email address?