File CVE-2024-7592-quad-complex-cookies.patch of Package python3-base

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2024-7592-quad-complex-cookies.patch of Package python3-base

From cdffb9f1bec386198a9fc7483a8f1ad343f48ce2 Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Sat, 17 Aug 2024 16:30:52 +0300
Subject: [PATCH] [CVE-2024-7592] Fix quadratic complexity in parsing "-quoted
 cookie

Fix quadratic complexity in parsing ``"``-quoted cookie values
with backslashes by `http.cookies`.

Fixes: gh#python/cpython#123067
Fixes: bsc#1229596 (CVE-2024-7592)
From-PR: gh#python/cpython!123075
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Patch: CVE-2024-7592-quad-complex-cookies.patch
---
 Lib/http/cookies.py                                                     |   34 ++------
 Lib/test/test_http_cookies.py                                           |   39 +++++++++-
 Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst |    1 
 3 files changed, 47 insertions(+), 27 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst

--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -235,8 +235,13 @@ def _quote(str, LegalChars=_LegalChars):
         return '"' + _nulljoin(_Translator.get(s, s) for s in str) + '"'
 
 
-_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
-_QuotePatt = re.compile(r"[\\].")
+_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))').sub
+
+def _unquote_replace(m):
+    if m.group(1):
+        return chr(int(m.group(1), 8))
+    else:
+        return m.group(2)
 
 def _unquote(str):
     # If there aren't any doublequotes,
@@ -256,30 +261,7 @@ def _unquote(str):
     #    \012 --> \n
     #    \"   --> "
     #
-    i = 0
-    n = len(str)
-    res = []
-    while 0 <= i < n:
-        o_match = _OctalPatt.search(str, i)
-        q_match = _QuotePatt.search(str, i)
-        if not o_match and not q_match:              # Neither matched
-            res.append(str[i:])
-            break
-        # else:
-        j = k = -1
-        if o_match:
-            j = o_match.start(0)
-        if q_match:
-            k = q_match.start(0)
-        if q_match and (not o_match or k < j):     # QuotePatt matched
-            res.append(str[i:k])
-            res.append(str[k+1])
-            i = k + 2
-        else:                                      # OctalPatt matched
-            res.append(str[i:j])
-            res.append(chr(int(str[j+1:j+4], 8)))
-            i = j + 4
-    return _nulljoin(res)
+    return _unquote_sub(_unquote_replace, str)
 
 # The _getdate() routine is used to set the expiration time in the cookie's HTTP
 # header.  By default, _getdate() returns the current time in the appropriate
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -1,6 +1,6 @@
 # Simple test suite for http/cookies.py
 
-from test.support import run_unittest, run_doctest, check_warnings
+from test.support import run_unittest, run_doctest, check_warnings, requires_resource
 import unittest
 from http import cookies
 import pickle
@@ -66,6 +66,43 @@ class CookieTests(unittest.TestCase):
             for k, v in sorted(case['dict'].items()):
                 self.assertEqual(C[k].value, v)
 
+    def test_unquote(self):
+        cases = [
+            (r'a="b=\""', 'b="'),
+            (r'a="b=\\"', 'b=\\'),
+            (r'a="b=\="', 'b=='),
+            (r'a="b=\n"', 'b=n'),
+            (r'a="b=\042"', 'b="'),
+            (r'a="b=\134"', 'b=\\'),
+            (r'a="b=\377"', 'b=\xff'),
+            (r'a="b=\400"', 'b=400'),
+            (r'a="b=\42"', 'b=42'),
+            (r'a="b=\\042"', 'b=\\042'),
+            (r'a="b=\\134"', 'b=\\134'),
+            (r'a="b=\\\""', 'b=\\"'),
+            (r'a="b=\\\042"', 'b=\\"'),
+            (r'a="b=\134\""', 'b=\\"'),
+            (r'a="b=\134\042"', 'b=\\"'),
+        ]
+        for encoded, decoded in cases:
+            with self.subTest(encoded):
+                C = cookies.SimpleCookie()
+                C.load(encoded)
+                self.assertEqual(C['a'].value, decoded)
+
+    @requires_resource('cpu')
+    def test_unquote_large(self):
+        n = 10**6
+        for encoded in r'\\', r'\134':
+            with self.subTest(encoded):
+                data = 'a="b=' + encoded*n + ';"'
+                C = cookies.SimpleCookie()
+                C.load(data)
+                value = C['a'].value
+                self.assertEqual(value[:3], 'b=\\')
+                self.assertEqual(value[-2:], '\\;')
+                self.assertEqual(len(value), n + 3)
+
     def test_load(self):
         C = cookies.SimpleCookie()
         C.load('Customer="WILE_E_COYOTE"; Version=1; Path=/acme')
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
@@ -0,0 +1 @@
+Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies`.

Places

File CVE-2024-7592-quad-complex-cookies.patch of Package python3-base

Places