[issue43075] ReDoS in request

2021-03-02 Thread Senthil Kumaran
Change by Senthil Kumaran:

keywords: +easy (C)

[issue43075] ReDoS in request

2021-01-30 Thread yeting li
yeting li added the comment: Thank you for your quick reply! I agree. Catastrophic backtracking is typically regarded as a regex with exponential worst-case matching time. Besides regexes with exponential worst-case time complexity, ReDoS also includes ones with other super-linear (e.g., q

[issue43075] ReDoS in request

2021-01-30 Thread yeting li
Change by yeting li:

keywords: +patch
pull_requests: +23205
stage: needs patch -> patch review
pull_request: https://github.com/python/cpython/pull/24391

[issue43075] ReDoS in request

2021-01-30 Thread Senthil Kumaran
Senthil Kumaran added the comment: +1. The suggested fix looks good to me.

[issue43075] ReDoS in request

2021-01-30 Thread Serhiy Storchaka
Change by Serhiy Storchaka:

stage: -> needs patch
versions: +Python 3.10

[issue43075] ReDoS in request

2021-01-30 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: I agree. There is no catastrophic backtracking here (it was fixed in issue39503), but the complexity of matching the regular expression is linear. Searching the pattern in a sequence of commas has quadratic complexity, because every step has linear complex

[issue43075] ReDoS in request

2021-01-30 Thread Karthikeyan Singaravelan
Change by Karthikeyan Singaravelan:

nosy: +orsenthil, serhiy.storchaka
type: -> security

[issue43075] ReDoS in request

2021-01-30 Thread yeting li
New submission from yeting li: Hi, I find this regex '(?:^|,)[ \t]*([^ \t]+)[ \t]+' may get stuck on input. The vulnerable regex is located in https://github.com/python/cpython/blob/5c5a938573ce665f00e362c7766912d9b3f3b44e/Lib/urllib/request.py#L946. The ReDoS vulnerability of the regex is m