mirror of https://github.com/python/cpython
gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075)
This fixes CVE-2024-7592.
This commit is contained in:
parent
d60b97a833
commit
44e458357f
|
@ -184,8 +184,13 @@ def _quote(str):
|
|||
return '"' + str.translate(_Translator) + '"'
|
||||
|
||||
|
||||
_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
|
||||
_QuotePatt = re.compile(r"[\\].")
|
||||
_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))').sub
|
||||
|
||||
def _unquote_replace(m):
|
||||
if m[1]:
|
||||
return chr(int(m[1], 8))
|
||||
else:
|
||||
return m[2]
|
||||
|
||||
def _unquote(str):
|
||||
# If there aren't any doublequotes,
|
||||
|
@ -205,30 +210,7 @@ def _unquote(str):
|
|||
# \012 --> \n
|
||||
# \" --> "
|
||||
#
|
||||
i = 0
|
||||
n = len(str)
|
||||
res = []
|
||||
while 0 <= i < n:
|
||||
o_match = _OctalPatt.search(str, i)
|
||||
q_match = _QuotePatt.search(str, i)
|
||||
if not o_match and not q_match: # Neither matched
|
||||
res.append(str[i:])
|
||||
break
|
||||
# else:
|
||||
j = k = -1
|
||||
if o_match:
|
||||
j = o_match.start(0)
|
||||
if q_match:
|
||||
k = q_match.start(0)
|
||||
if q_match and (not o_match or k < j): # QuotePatt matched
|
||||
res.append(str[i:k])
|
||||
res.append(str[k+1])
|
||||
i = k + 2
|
||||
else: # OctalPatt matched
|
||||
res.append(str[i:j])
|
||||
res.append(chr(int(str[j+1:j+4], 8)))
|
||||
i = j + 4
|
||||
return _nulljoin(res)
|
||||
return _unquote_sub(_unquote_replace, str)
|
||||
|
||||
# The _getdate() routine is used to set the expiration time in the cookie's HTTP
|
||||
# header. By default, _getdate() returns the current time in the appropriate
|
||||
|
|
|
@ -5,6 +5,7 @@ import unittest
|
|||
import doctest
|
||||
from http import cookies
|
||||
import pickle
|
||||
from test import support
|
||||
|
||||
|
||||
class CookieTests(unittest.TestCase):
|
||||
|
@ -58,6 +59,43 @@ class CookieTests(unittest.TestCase):
|
|||
for k, v in sorted(case['dict'].items()):
|
||||
self.assertEqual(C[k].value, v)
|
||||
|
||||
def test_unquote(self):
|
||||
cases = [
|
||||
(r'a="b=\""', 'b="'),
|
||||
(r'a="b=\\"', 'b=\\'),
|
||||
(r'a="b=\="', 'b=='),
|
||||
(r'a="b=\n"', 'b=n'),
|
||||
(r'a="b=\042"', 'b="'),
|
||||
(r'a="b=\134"', 'b=\\'),
|
||||
(r'a="b=\377"', 'b=\xff'),
|
||||
(r'a="b=\400"', 'b=400'),
|
||||
(r'a="b=\42"', 'b=42'),
|
||||
(r'a="b=\\042"', 'b=\\042'),
|
||||
(r'a="b=\\134"', 'b=\\134'),
|
||||
(r'a="b=\\\""', 'b=\\"'),
|
||||
(r'a="b=\\\042"', 'b=\\"'),
|
||||
(r'a="b=\134\""', 'b=\\"'),
|
||||
(r'a="b=\134\042"', 'b=\\"'),
|
||||
]
|
||||
for encoded, decoded in cases:
|
||||
with self.subTest(encoded):
|
||||
C = cookies.SimpleCookie()
|
||||
C.load(encoded)
|
||||
self.assertEqual(C['a'].value, decoded)
|
||||
|
||||
@support.requires_resource('cpu')
|
||||
def test_unquote_large(self):
|
||||
n = 10**6
|
||||
for encoded in r'\\', r'\134':
|
||||
with self.subTest(encoded):
|
||||
data = 'a="b=' + encoded*n + ';"'
|
||||
C = cookies.SimpleCookie()
|
||||
C.load(data)
|
||||
value = C['a'].value
|
||||
self.assertEqual(value[:3], 'b=\\')
|
||||
self.assertEqual(value[-2:], '\\;')
|
||||
self.assertEqual(len(value), n + 3)
|
||||
|
||||
def test_load(self):
|
||||
C = cookies.SimpleCookie()
|
||||
C.load('Customer="WILE_E_COYOTE"; Version=1; Path=/acme')
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies`.
|
Loading…
Reference in New Issue