Bug report

Bug description:
A potential Denial of Service (DoS) vulnerability, identified as CVE-2024-7592, has been discovered in the `_unquote()` method of the `http.cookies` module in Python's standard library. This vulnerability is particularly concerning as it affects frameworks that utilize this method, including Django.
Vulnerable Code

The `_unquote()` function uses the regular expressions `_OctalPatt` and `_QuotePatt` within a while loop to process input strings. The problematic patterns and their application can lead to exponential time complexity under certain conditions, akin to a Regular Expression Denial of Service (ReDoS) attack.
```python
# http/cookies.py
import re

_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
_QuotePatt = re.compile(r"[\\].")

def _unquote(str):
    # ... (code omitted for brevity: strips the surrounding quotes and
    #      sets i, the current scan position, and n, the string length)
    while 0 <= i < n:
        # both searches restart from i on every iteration
        o_match = _OctalPatt.search(str, i)
        q_match = _QuotePatt.search(str, i)
        # ... (further processing)
```
Impact

This vulnerability has also been verified in the Django framework, where the `parse_cookie()` function uses this method to process incoming cookie headers. This could potentially be exploited by sending specially crafted cookie values to trigger significant delays:
- Cookie sizes of 8000+ bytes caused delays of approximately 0.15 seconds per HTTP request.
- Cookie sizes of 20000+ bytes resulted in delays of about 1 second per request.
While many environments limit HTTP request sizes, the specific limits vary, and in some cases, this vulnerability could be exploited.
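As an added example (not the CPython source and not the code of the linked PRs), the single-pass decoding approach the fix takes: one combined pattern handled by `re.sub`, so the value is scanned once regardless of how many backslashes it contains, plus a plain character scanner with the same semantics to cross-check it. The names `unquote_linear`, `unquote_reference`, `agrees` and `LONG_VALUE` are assumed here, not names from the page.

```python
import re

# One combined pattern: a backslash followed by either a 3-digit octal escape
# (group 1) or any other single character (group 2). re.sub walks the string
# once, so the cost stays linear in the length of the cookie value.
_UNQUOTE_SUB = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))').sub


def _replace_escape(match):
    octal, other = match.groups()
    if octal is not None:
        return chr(int(octal, 8))   # \012 -> "\n"
    return other                    # \"   -> "


def unquote_linear(value):
    """Single-pass equivalent of http.cookies._unquote() (added example)."""
    if value is None or len(value) < 2:
        return value
    if value[0] != '"' or value[-1] != '"':
        return value
    return _UNQUOTE_SUB(_replace_escape, value[1:-1])


def unquote_reference(value):
    """Hand-written scanner with the same semantics, used only to cross-check."""
    if value is None or len(value) < 2 or value[0] != '"' or value[-1] != '"':
        return value
    s, out, i, n = value[1:-1], [], 0, len(value) - 2
    while i < n:
        if s[i] == '\\' and i + 4 <= n and re.fullmatch(r'[0-3][0-7][0-7]', s[i + 1:i + 4]):
            out.append(chr(int(s[i + 1:i + 4], 8)))
            i += 4
        elif s[i] == '\\' and i + 1 < n and s[i + 1] != '\n':
            out.append(s[i + 1])    # "." in the original pattern never matches "\n"
            i += 2
        else:
            out.append(s[i])        # literal char, or a trailing lone backslash
            i += 1
    return ''.join(out)


# Constructed sample of about 20000 bytes made of simple escapes, the size range
# the report measured; both decoders must agree on it.
LONG_VALUE = '"' + '\\x' * 10000 + '"'


def agrees(value):
    return unquote_linear(value) == unquote_reference(value)
```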
CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux
Linked PRs

- gh-123067: Denial of Service Vulnerability in http.cookies._unquote() #123066
- gh-123067: Fix quadratic complexity in parsing cookies with backslashes #123075
- [3.13] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123103
- [3.12] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123104
- [3.11] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123105
- [3.10] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123106
- [3.9] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123107
- [3.8] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123108