-
-
Notifications
You must be signed in to change notification settings - Fork 30.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gh-123067: Fix quadratic complexity in parsing cookies with backslashes #123075
gh-123067: Fix quadratic complexity in parsing cookies with backslashes #123075
Conversation
…kslashes This fixes CVE-2024-7592.
73e2aa9
to
04ac47b
Compare
Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ran the new tests with and without the changes, the approach looks good to me! Thanks @serhiy-storchaka! 🙏
Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.8, 3.9, 3.10, 3.11, 3.12, 3.13. |
…values with backslashes (pythonGH-123075) This fixes CVE-2024-7592. (cherry picked from commit 44e4583) Co-authored-by: Serhiy Storchaka <[email protected]>
GH-123103 is a backport of this pull request to the 3.13 branch. |
…values with backslashes (pythonGH-123075) This fixes CVE-2024-7592. (cherry picked from commit 44e4583) Co-authored-by: Serhiy Storchaka <[email protected]>
GH-123104 is a backport of this pull request to the 3.12 branch. |
…values with backslashes (pythonGH-123075) This fixes CVE-2024-7592. (cherry picked from commit 44e4583) Co-authored-by: Serhiy Storchaka <[email protected]>
GH-123105 is a backport of this pull request to the 3.11 branch. |
…values with backslashes (pythonGH-123075) This fixes CVE-2024-7592. (cherry picked from commit 44e4583) Co-authored-by: Serhiy Storchaka <[email protected]>
GH-123106 is a backport of this pull request to the 3.10 branch. |
…values with backslashes (pythonGH-123075) This fixes CVE-2024-7592. (cherry picked from commit 44e4583) Co-authored-by: Serhiy Storchaka <[email protected]>
GH-123107 is a backport of this pull request to the 3.9 branch. |
…values with backslashes (pythonGH-123075) This fixes CVE-2024-7592. (cherry picked from commit 44e4583) Co-authored-by: Serhiy Storchaka <[email protected]>
GH-123108 is a backport of this pull request to the 3.8 branch. |
…values with backslashes (pythonGH-123075) This fixes CVE-2024-7592.
pythongh-123067: Fix quadratic complexity in parsing "-quoted cookie … …values with backslashes (pythonGH-123075) This fixes CVE-2024-7592.
pythongh-123067: Fix quadratic complexity in parsing "-quoted cookie … …values with backslashes (pythonGH-123075) This fixes CVE-2024-7592. Redo tests without a subtest Backport how RegEx stuff is handled to Python2
pythongh-123067: Fix quadratic complexity in parsing "-quoted cookie … …values with backslashes (pythonGH-123075) This fixes CVE-2024-7592.
…values with backslashes (pythonGH-123075) This fixes CVE-2024-7592.
We create a patch from the PR on GitHub that address the vulerability. python/cpython#123075
… values with backslashes (GH-123075) (#123103) gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) This fixes CVE-2024-7592. (cherry picked from commit 44e4583) Co-authored-by: Serhiy Storchaka <[email protected]>
… values with backslashes (GH-123075) (#123104) gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) This fixes CVE-2024-7592. (cherry picked from commit 44e4583) Co-authored-by: Serhiy Storchaka <[email protected]>
…values with backslashes (GH-123075) (#123108) This fixes CVE-2024-7592. (cherry picked from commit 44e4583) Co-authored-by: Serhiy Storchaka <[email protected]>
…values with backslashes (GH-123075) (#123107) This fixes CVE-2024-7592. (cherry picked from commit 44e4583) Co-authored-by: Serhiy Storchaka <[email protected]>
… values with backslashes (GH-123075) (#123105) This fixes CVE-2024-7592. (cherry picked from commit 44e4583) Co-authored-by: Serhiy Storchaka <[email protected]>
… values with backslashes (GH-123075) (#123106) This fixes CVE-2024-7592. (cherry picked from commit 44e4583) Co-authored-by: Serhiy Storchaka <[email protected]>
This fixes CVE-2024-7592.
http.cookies._unquote()
#123067