Hi Ben

Thank you. I realize that I misunderstood things. It is the server side that sends this string, not the user on the client side. I'll adjust my analysis accordingly. This means that a malicious server can cause a DoS on the client side.

Best regards

// Ola

On Sun, 2 Feb 2020 at 23:55, Ben Hutchings <b...@decadent.org.uk> wrote:

> On Fri, 2020-01-31 at 21:18 +0100, Ola Lundqvist wrote:
> > Hi fellow LTS development team
> >
> > I'm not sure how to handle CVE-2020-8492. It is a client side vulnerability
> > and what it can cause is a CPU load issue (on the client side as I
> > understand). I can not really see how it can be exploited in any normal
> > client. Sure if the attacker creates new python code it can, but then it
> > can do that anyway because an infinite loop is quite easy to do in any
> > python code.
>
> I don't know for sure, but I think the test case given in the upstream
> issue exercises part of the normal response handling. I think it shows
> what happens if a server sends a response with the header field:
>
> www-authenticate: Basic ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, foo realm
>
> Ben.
>
> > So I think it is probably a minor issue, but I would like to check with
> > others for an opinion.
> >
> > For now I have marked as ignored, but if people have good arguments I will
> > change my mind.
> >
> > Best regards
> >
> > // Ola
>
> --
> Ben Hutchings
> I haven't lost my mind; it's backed up on tape somewhere.

--
--- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com o...@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------
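An added example, not part of the thread and not Debian's or CPython's own code: a way to measure the client-side cost of parsing a challenge shaped like the header quoted above, and to check that a patched pattern handles the full 64-comma value. The two patterns are transcribed from urllib.request's Basic auth handler before and after the upstream fix, which is an assumption to verify against your interpreter's source; the helper names are hypothetical.

```python
import re
import time

# Assumption: both patterns are transcribed from CPython's
# urllib.request.AbstractBasicAuthHandler (before and after the upstream fix);
# check them against the source of the interpreter you are triaging.
PRE_FIX = re.compile(r'(?:.*,)*[ \t]*([^ \t]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)
POST_FIX = re.compile(r'(?:^|,)[ \t]*([^ \t,]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)


def challenge(commas):
    """Constructed header value with the shape of the one quoted in the thread."""
    return "Basic " + "," * commas + " foo realm"


def parse(pattern, value):
    """Return (scheme, realm) as the handler would extract them, or None."""
    m = pattern.search(value)
    return (m.group(1), m.group(3)) if m else None


def best_time(pattern, value, repeats=3):
    """Best-of-N wall time for one search, to damp scheduler noise."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.search(value)
        best = min(best, time.perf_counter() - start)
    return best


def growth(pattern, small=10, large=16):
    """Time ratio between `large` and `small` commas (about 2**6 when exponential)."""
    return best_time(pattern, challenge(large)) / best_time(pattern, challenge(small))


if __name__ == "__main__":
    legit = 'Basic realm="lts"'  # constructed well-formed challenge
    print("legit header:", parse(PRE_FIX, legit), parse(POST_FIX, legit))
    # The pre-fix pattern is only timed on short inputs; cost doubles per comma.
    for n in (10, 12, 14, 16):
        print(f"{n:2d} commas  pre-fix {best_time(PRE_FIX, challenge(n)):.4f}s"
              f"  post-fix {best_time(POST_FIX, challenge(n)):.6f}s")
    # Only the post-fix pattern is run on the full 64-comma value.
    print("64 commas, post-fix:", parse(POST_FIX, challenge(64)))
```
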