CVE-2024-7592: Denial of Service Vulnerability in http.cookies._unquote()

[ch4n3-yoon]

Bug report

Bug description:

Description

A potential Denial of Service (DoS) vulnerability, identified as CVE-2024-7592, has been discovered in the _unquote() method of the http.cookies module in Python's standard library. This vulnerability is particularly concerning as it affects frameworks that utilize this method, including Django.

Vulnerable Code

The _unquote() function uses regular expressions _OctalPatt and _QuotePatt within a while loop to process input strings. The problematic patterns and their application can lead to exponential time complexity under certain conditions, akin to a Regular Expression Denial of Service (ReDoS) attack.

# http/cookies.py
_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
_QuotePatt = re.compile(r"[\\].")
def _unquote(str):
    # ... (code omitted for brevity)
    while 0 <= i < n:
        o_match = _OctalPatt.search(str, i)
        q_match = _QuotePatt.search(str, i)
        # ... (further processing)

Impact

This vulnerability has also been verified in the Django framework, where the parse_cookie() function uses this method to process incoming cookie headers. This could potentially be exploited by sending specially crafted cookie values to trigger significant delays:

• Cookie sizes of 8000+ bytes caused delays of approximately 0.15 seconds per HTTP request.
• Cookie sizes of 20000+ bytes resulted in delays of about 1 second per request.

While many environments limit HTTP request sizes, the specific limits vary, and in some cases, this vulnerability could be exploited.

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Linked PRs

• gh-123067: Denial of Service Vulnerability in http.cookies._unquote() #123066
• gh-123067: Fix quadratic complexity in parsing cookies with backslashes #123075
• [3.13] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123103
• [3.12] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123104
• [3.11] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123105
• [3.10] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123106
• [3.9] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123107
• [3.8] gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) #123108

[serhiy-storchaka]

The complexity is quadratic, not exponential.

[sethmlarson]

Closed in #123075

[hauntsaninja]

@sethmlarson looks like the backports are all unmerged (usually we keep the issue open till that's done)
Do you know if there's anything we're waiting on to merge them? If not, I can at least merge to 3.13 and 3.12! :-)

[sethmlarson]

@hauntsaninja I don't think there's anything blocking the backports!

[hauntsaninja]

Great, I merged to 3.13 and 3.12, the other branches will need the RM to merge

[serhiy-storchaka]

AFAIK backports to 3.13 should be approved by other core developer. This is why I did not merge them myself.