New submission from yeting li <l...@ios.ac.cn>:

Hi,

I find this regex '(?:^|,)[ \t]*([^ \t]+)[ \t]+' may get stuck on input. The vulnerable regex is located in https://github.com/python/cpython/blob/5c5a938573ce665f00e362c7766912d9b3f3b44e/Lib/urllib/request.py#L946

The ReDoS vulnerability of the regex is mainly due to the sub-pattern ',([^ \t]+)' and can be exploited with the following string:

attack_str = "," * 10000

You can execute redos_python.py to reproduce the ReDoS vulnerability.

I am willing to suggest that you replace '(?:^|,)[ \t]*([^ \t]+)[ \t]+' with '(?:^|,)[ \t]*([^ \t,]+)[ \t]+'

Looking forward to your response!

Best,
Yeting Li

----------
components: Library (Lib)
files: redos_python.py
messages: 385974
nosy: yetingli
priority: normal
severity: normal
status: open
title: ReDoS in request
versions: Python 3.6, Python 3.7, Python 3.8, Python 3.9
Added file: https://bugs.python.org/file49778/redos_python.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue43075>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
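The following is an added example written for this page; it is not the reporter's redos_python.py and not code from CPython. It compiles the regex exactly as quoted in the report beside the replacement the report proposes, shows that both extract the same tokens from ordinary comma-separated header-style values (the sample header strings are constructed), shows the one behavioural difference (the original can capture a bare comma as the token, the replacement cannot), and times a single search on a run of commas so the quadratic backtracking of the original can be compared with the linear behaviour of the replacement. The helper names and the `finishes_within` budget are assumptions of this example.

```python
import re
import time

# Pattern as quoted in the report, and the replacement the report proposes.
VULNERABLE = re.compile(r'(?:^|,)[ \t]*([^ \t]+)[ \t]+')
HARDENED = re.compile(r'(?:^|,)[ \t]*([^ \t,]+)[ \t]+')


def first_scheme(pattern, header):
    """Return the token captured by group 1 at the first match, or None."""
    m = pattern.search(header)
    return m.group(1) if m else None


def all_schemes(pattern, header):
    """Return every group-1 token found by a full finditer() pass."""
    return [m.group(1) for m in pattern.finditer(header)]


def search_seconds(pattern, text):
    """Wall-clock seconds for one search(); no match is expected on pure commas."""
    start = time.perf_counter()
    pattern.search(text)
    return time.perf_counter() - start


def finishes_within(pattern, n=10000, budget=0.5):
    """True if a run of n commas (constructed input, as in the report) is
    searched within `budget` seconds. With the hardened pattern the inner
    [^ \t,]+ cannot consume a comma, so each start position fails at once
    and the scan is linear in n; with the original, [^ \t]+ swallows the
    whole remaining run and then backtracks one character at a time at
    every start position, which is quadratic."""
    return search_seconds(pattern, "," * n) < budget


if __name__ == "__main__":
    # Constructed sample header values.
    header = 'Digest realm="a", Basic realm="b"'
    print("ordinary header:", all_schemes(VULNERABLE, header), all_schemes(HARDENED, header))
    odd = ", , Basic realm=x"
    print("leading commas:", repr(first_scheme(VULNERABLE, odd)), repr(first_scheme(HARDENED, odd)))
    for n in (1000, 2000, 4000):
        print(f"n={n}: original {search_seconds(VULNERABLE, ',' * n):.4f}s, "
              f"hardened {search_seconds(HARDENED, ',' * n):.6f}s")
```

Doubling n should roughly quadruple the time for the original pattern while the hardened pattern stays flat; the `", , Basic realm=x"` case is the check to keep when reviewing such a fix, since it confirms the narrowed character class does not lose a legitimate token but stops a comma from being treated as one.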