Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Update python-future to version 0.18.2 / rev 14 via SR 1056169
https://build.opensuse.org/request/show/1056169 by user dgarcia + dimstar_suse - Add CVE-2022-40899.patch to fix REDoS in http.cookiejar gh#PythonCharmers/python-future#610 bsc#1206673
- Loading branch information
1 parent
60fea30
commit 4b7d384
Showing
5 changed files
with
98 additions
and
5 deletions.
There are no files selected for viewing
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| Index: future-0.16.0/src/future/backports/http/cookiejar.py | ||
| =================================================================== | ||
| --- future-0.16.0.orig/src/future/backports/http/cookiejar.py | ||
| +++ future-0.16.0/src/future/backports/http/cookiejar.py | ||
| @@ -224,10 +224,14 @@ LOOSE_HTTP_DATE_RE = re.compile( | ||
| (?::(\d\d))? # optional seconds | ||
| )? # optional clock | ||
| \s* | ||
| - ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+)? # timezone | ||
| + (?: | ||
| + ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+) # timezone | ||
| \s* | ||
| - (?:\(\w+\))? # ASCII representation of timezone in parens. | ||
| - \s*$""", re.X | re.ASCII) | ||
| + )? | ||
| + (?: | ||
| + \(\w+\) # ASCII representation of timezone in parens. | ||
| + \s* | ||
| + )?$""", re.X | re.ASCII) | ||
| def http2time(text): | ||
| """Returns time in seconds since epoch of time represented by a string. | ||
|
|
||
| @@ -297,9 +301,11 @@ ISO_DATE_RE = re.compile( | ||
| (?::?(\d\d(?:\.\d*)?))? # optional seconds (and fractional) | ||
| )? # optional clock | ||
| \s* | ||
| - ([-+]?\d\d?:?(:?\d\d)? | ||
| - |Z|z)? # timezone (Z is "zero meridian", i.e. GMT) | ||
| - \s*$""", re.X | re. ASCII) | ||
| + (?: | ||
| + ([-+]?\d\d?:?(:?\d\d)? | ||
| + |Z|z) # timezone (Z is "zero meridian", i.e. GMT) | ||
| + \s* | ||
| + )?$""", re.X | re. ASCII) | ||
| def iso2time(text): | ||
| """ | ||
| As for http2time, but parses the ISO 8601 formats: | ||
| Index: future-0.16.0/tests/test_future/test_http_cookiejar.py | ||
| =================================================================== | ||
| --- future-0.16.0.orig/tests/test_future/test_http_cookiejar.py | ||
| +++ future-0.16.0/tests/test_future/test_http_cookiejar.py | ||
| @@ -103,6 +103,14 @@ class DateTimeTests(unittest.TestCase): | ||
| "http2time(%s) is not None\n" | ||
| "http2time(test) %s" % (test, http2time(test))) | ||
|
|
||
| + def test_http2time_redos_regression_actually_completes(self): | ||
| + # LOOSE_HTTP_DATE_RE was vulnerable to malicious input which caused | ||
| + # catastrophic backtracking (REDoS). If we regress to cubic complexity, | ||
| + # this test will take a very long time to succeed. If fixed, it should | ||
| + # complete within a fraction of a second. | ||
| + http2time("01 Jan 1970{}00:00:00 GMT!".format(" " * 10 ** 5)) | ||
| + http2time("01 Jan 1970 00:00:00{}GMT!".format(" " * 10 ** 5)) | ||
| + | ||
| def test_iso2time(self): | ||
| def parse_date(text): | ||
| return time.gmtime(iso2time(text))[:6] | ||
| @@ -162,6 +170,13 @@ class DateTimeTests(unittest.TestCase): | ||
| "iso2time(%s) is not None\n" | ||
| "iso2time(test) %s" % (test, iso2time(test))) | ||
|
|
||
| + def test_iso2time_performance_regression(self): | ||
| + # If ISO_DATE_RE regresses to quadratic complexity, this test will take | ||
| + # a very long time to succeed. If fixed, it should complete within a | ||
| + # fraction of a second. | ||
| + iso2time('1994-02-03{}14:15:29 -0100!'.format(' '*10**6)) | ||
| + iso2time('1994-02-03 14:15:29{}-0100!'.format(' '*10**6)) | ||
| + | ||
|
|
||
| class HeaderTests(unittest.TestCase): | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters