Skip to content

gh-123067: Fix quadratic complexity in parsing cookies with backslashes #123075

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Aug 17, 2024
Merged

gh-123067: Fix quadratic complexity in parsing cookies with backslashes #123075

merged 4 commits into from
Aug 17, 2024

Conversation

serhiy-storchaka
Copy link
Member

@serhiy-storchaka serhiy-storchaka commented Aug 16, 2024
edited by bedevere-app bot
Loading

@serhiy-storchaka serhiy-storchaka added type-security A security issue needs backport to 3.8 needs backport to 3.9 only security fixes needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes labels Aug 16, 2024
@bedevere-app bedevere-app bot mentioned this pull request Aug 16, 2024
Closed
@serhiy-storchaka serhiy-storchaka force-pushed the http-coockies-optimize-re branch from 73e2aa9 to 04ac47b Compare August 16, 2024 16:22
@serhiy-storchaka serhiy-storchaka mentioned this pull request Aug 16, 2024
Closed
sethmlarson
sethmlarson approved these changes Aug 16, 2024
View reviewed changes
Copy link
Contributor

@sethmlarson sethmlarson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ran the new tests with and without the changes, the approach looks good to me! Thanks @serhiy-storchaka! 🙏
@serhiy-storchaka serhiy-storchaka merged commit 44e4583 into python:main Aug 17, 2024
34 checks passed
@miss-islington-app
Copy link

Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.8, 3.9, 3.10, 3.11, 3.12, 3.13.
🐍🍒⛏🤖
@serhiy-storchaka serhiy-storchaka deleted the http-coockies-optimize-re branch August 17, 2024 13:30
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Aug 17, 2024
@serhiy-storchaka @miss-islington
pythongh-123067: Fix quadratic complexity in parsing "-quoted cookie …
70390bb 
…values with backslashes (pythonGH-123075)

This fixes CVE-2024-7592.
(cherry picked from commit 44e4583)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app
Copy link

bedevere-app bot commented Aug 17, 2024

GH-123103 is a backport of this pull request to the 3.13 branch.
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Aug 17, 2024
@serhiy-storchaka @miss-islington
pythongh-123067: Fix quadratic complexity in parsing "-quoted cookie …
6a33a68 
…values with backslashes (pythonGH-123075)

This fixes CVE-2024-7592.
(cherry picked from commit 44e4583)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Aug 17, 2024
@bedevere-app
Copy link

bedevere-app bot commented Aug 17, 2024

GH-123104 is a backport of this pull request to the 3.12 branch.
@bedevere-app bedevere-app bot removed the needs backport to 3.12 only security fixes label Aug 17, 2024
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Aug 17, 2024
@serhiy-storchaka @miss-islington
pythongh-123067: Fix quadratic complexity in parsing "-quoted cookie …
dcfd909 
…values with backslashes (pythonGH-123075)

This fixes CVE-2024-7592.
(cherry picked from commit 44e4583)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app
Copy link

bedevere-app bot commented Aug 17, 2024

GH-123105 is a backport of this pull request to the 3.11 branch.
@bedevere-app bedevere-app bot removed the needs backport to 3.11 only security fixes label Aug 17, 2024
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Aug 17, 2024
@serhiy-storchaka @miss-islington
pythongh-123067: Fix quadratic complexity in parsing "-quoted cookie …
c4412d3 
…values with backslashes (pythonGH-123075)

This fixes CVE-2024-7592.
(cherry picked from commit 44e4583)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app
Copy link

bedevere-app bot commented Aug 17, 2024

GH-123106 is a backport of this pull request to the 3.10 branch.
@bedevere-app bedevere-app bot removed the needs backport to 3.10 only security fixes label Aug 17, 2024
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Aug 17, 2024
@serhiy-storchaka @miss-islington
pythongh-123067: Fix quadratic complexity in parsing "-quoted cookie …
15eec9d 
…values with backslashes (pythonGH-123075)

This fixes CVE-2024-7592.
(cherry picked from commit 44e4583)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app
Copy link

bedevere-app bot commented Aug 17, 2024

GH-123107 is a backport of this pull request to the 3.9 branch.
@bedevere-app bedevere-app bot removed the needs backport to 3.9 only security fixes label Aug 17, 2024
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Aug 17, 2024
@serhiy-storchaka @miss-islington
pythongh-123067: Fix quadratic complexity in parsing "-quoted cookie …
fa88d41 
…values with backslashes (pythonGH-123075)

This fixes CVE-2024-7592.
(cherry picked from commit 44e4583)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app
Copy link

bedevere-app bot commented Aug 17, 2024

GH-123108 is a backport of this pull request to the 3.8 branch.
jeremyhylton pushed a commit to jeremyhylton/cpython that referenced this pull request Aug 19, 2024
@serhiy-storchaka @jeremyhylton
pythongh-123067: Fix quadratic complexity in parsing "-quoted cookie …
1587608 
…values with backslashes (pythonGH-123075)

This fixes CVE-2024-7592.
rickprice added a commit to ActiveState/cpython that referenced this pull request Aug 21, 2024
@rickprice
CVE-2024-7592 Fix quadratic complexity in parsing quoted cookie
6755e54 
pythongh-123067: Fix quadratic complexity in parsing "-quoted cookie …

…values with backslashes (pythonGH-123075)

This fixes CVE-2024-7592.
rickprice added a commit to ActiveState/cpython that referenced this pull request Aug 22, 2024
@rickprice
CVE-2024-7592 Fix quadratic complexity in parsing quoted cookie
ed12fce 
pythongh-123067: Fix quadratic complexity in parsing "-quoted cookie …

…values with backslashes (pythonGH-123075)

This fixes CVE-2024-7592.

Redo tests without a subtest

Backport how RegEx stuff is handled to Python2
rickprice added a commit to ActiveState/cpython that referenced this pull request Aug 22, 2024
@rickprice
CVE-2024-7592 Fix quadratic complexity in parsing quoted cookie
096104d 
pythongh-123067: Fix quadratic complexity in parsing "-quoted cookie …

…values with backslashes (pythonGH-123075)

This fixes CVE-2024-7592.
@rickprice rickprice mentioned this pull request Aug 22, 2024
Merged
blhsing pushed a commit to blhsing/cpython that referenced this pull request Aug 22, 2024
@serhiy-storchaka @blhsing
pythongh-123067: Fix quadratic complexity in parsing "-quoted cookie …
f619de1 
…values with backslashes (pythonGH-123075)

This fixes CVE-2024-7592.
Akendo added a commit to gardenlinux/package-python3.12 that referenced this pull request Aug 22, 2024
@Akendo
Include upstream patch for python for CVE-2024-7592
031f522 
We create a patch from the PR on GitHub that address the vulerability.

python/cpython#123075
@Akendo Akendo mentioned this pull request Aug 22, 2024
Closed
hauntsaninja pushed a commit that referenced this pull request Aug 24, 2024
@miss-islington @serhiy-storchaka
[3.13] gh-123067: Fix quadratic complexity in parsing "-quoted cookie…
391e562 
… values with backslashes (GH-123075) (#123103)

gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075)

This fixes CVE-2024-7592.
(cherry picked from commit 44e4583)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
hauntsaninja pushed a commit that referenced this pull request Aug 24, 2024
@miss-islington @serhiy-storchaka
[3.12] gh-123067: Fix quadratic complexity in parsing "-quoted cookie…
dcc3eae 
… values with backslashes (GH-123075) (#123104)

gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075)

This fixes CVE-2024-7592.
(cherry picked from commit 44e4583)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
ambv pushed a commit that referenced this pull request Sep 4, 2024
@miss-islington @serhiy-storchaka
[3.8] gh-123067: Fix quadratic complexity in parsing "-quoted cookie …
a77ab24 
…values with backslashes (GH-123075) (#123108)

This fixes CVE-2024-7592.
(cherry picked from commit 44e4583)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
ambv pushed a commit that referenced this pull request Sep 4, 2024
@miss-islington @serhiy-storchaka
[3.9] gh-123067: Fix quadratic complexity in parsing "-quoted cookie …
d662e2d 
…values with backslashes (GH-123075) (#123107)

This fixes CVE-2024-7592.
(cherry picked from commit 44e4583)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
ambv pushed a commit that referenced this pull request Sep 4, 2024
@miss-islington @serhiy-storchaka
[3.11] gh-123067: Fix quadratic complexity in parsing "-quoted cookie…
d4ac921 
… values with backslashes (GH-123075) (#123105)

This fixes CVE-2024-7592.
(cherry picked from commit 44e4583)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
ambv pushed a commit that referenced this pull request Sep 4, 2024
@miss-islington @serhiy-storchaka
[3.10] gh-123067: Fix quadratic complexity in parsing "-quoted cookie…
b2f11ca 
… values with backslashes (GH-123075) (#123106)

This fixes CVE-2024-7592.
(cherry picked from commit 44e4583)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@vEpiphyte vEpiphyte mentioned this pull request Dec 19, 2024
Merged
vEpiphyte added a commit to vertexproject/synapse that referenced this pull request Dec 31, 2024
@vEpiphyte
Add http.coookies monkeypatch (SYN-8465) (#4045)
746605b 
Vendor the fixes from CPython for
GHSA-7pwv-g7hj-39pr and applies them at
import time of `synapse.common`.

python/cpython#123067
python/cpython#123075
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
type-security A security issue
3 participants
@serhiy-storchaka @picnixz @sethmlarson