Commit

00394-cve-2022-45061-cpu-denial-of-service-via-inefficient-idna-decod…
…er.patch

00394 #
pythongh-98433: Fix quadratic time idna decoding.

There was an unnecessary quadratic loop in idna decoding. This restores
the behavior to linear.

Backported from python3.

(cherry picked from commit a6f6c3a)

Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
2 people authored and stratakis committed Dec 19, 2022
1 parent 821450b commit 5456608
Showing 3 changed files with 28 additions and 18 deletions.
34 changes: 16 additions & 18 deletions Lib/encodings/idna.py
@@ -38,24 +38,22 @@ def nameprep(label):
             raise UnicodeError("Invalid character %r" % c)

     # Check bidi
-    RandAL = map(stringprep.in_table_d1, label)
-    for c in RandAL:
-        if c:
-            # There is a RandAL char in the string. Must perform further
-            # tests:
-            # 1) The characters in section 5.8 MUST be prohibited.
-            # This is table C.8, which was already checked
-            # 2) If a string contains any RandALCat character, the string
-            # MUST NOT contain any LCat character.
-            if filter(stringprep.in_table_d2, label):
-                raise UnicodeError("Violation of BIDI requirement 2")
-
-            # 3) If a string contains any RandALCat character, a
-            # RandALCat character MUST be the first character of the
-            # string, and a RandALCat character MUST be the last
-            # character of the string.
-            if not RandAL[0] or not RandAL[-1]:
-                raise UnicodeError("Violation of BIDI requirement 3")
+    RandAL = [stringprep.in_table_d1(x) for x in label]
+    if any(RandAL):
+        # There is a RandAL char in the string. Must perform further
+        # tests:
+        # 1) The characters in section 5.8 MUST be prohibited.
+        # This is table C.8, which was already checked
+        # 2) If a string contains any RandALCat character, the string
+        # MUST NOT contain any LCat character.
+        if any(stringprep.in_table_d2(x) for x in label):
+            raise UnicodeError("Violation of BIDI requirement 2")
+        # 3) If a string contains any RandALCat character, a
+        # RandALCat character MUST be the first character of the
+        # string, and a RandALCat character MUST be the last
+        # character of the string.
+        if not RandAL[0] or not RandAL[-1]:
+            raise UnicodeError("Violation of BIDI requirement 3")

     return label
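
The cost difference in the hunk above can be made concrete by counting calls to `stringprep.in_table_d2`. The following is a rough sketch, not code from the patch: it is written for Python 3 (the patched file targets Python 2.7), and the two `count_d2_calls_*` helpers are hypothetical names that only mimic the shape of the old and new loops.

```python
import stringprep


def count_d2_calls_old(label):
    """Mimic the pre-patch loop shape and count in_table_d2 calls."""
    calls = 0
    rand_al = [stringprep.in_table_d1(ch) for ch in label]
    for flag in rand_al:
        if flag:
            # Pre-patch shape: the whole label is rescanned once for
            # every RandAL character found, which is the quadratic part.
            l_flags = [stringprep.in_table_d2(ch) for ch in label]
            calls += len(label)
            if any(l_flags):
                raise UnicodeError("Violation of BIDI requirement 2")
            if not rand_al[0] or not rand_al[-1]:
                raise UnicodeError("Violation of BIDI requirement 3")
    return calls


def count_d2_calls_new(label):
    """Mimic the patched shape: at most one scan of the label."""
    calls = 0
    rand_al = [stringprep.in_table_d1(ch) for ch in label]
    if any(rand_al):
        for ch in label:
            calls += 1
            if stringprep.in_table_d2(ch):
                raise UnicodeError("Violation of BIDI requirement 2")
        if not rand_al[0] or not rand_al[-1]:
            raise UnicodeError("Violation of BIDI requirement 3")
    return calls


if __name__ == "__main__":
    # U+05D0 (HEBREW LETTER ALEF) is a RandAL character.
    label = "\u05d0" * 200
    print(count_d2_calls_old(label), count_d2_calls_new(label))
```

For a label made of 200 RandAL characters, the old shape performs 200 × 200 table lookups and the new shape performs 200, so the gap grows with the square of the label length.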

6 changes: 6 additions & 0 deletions Lib/test/test_codecs.py
@@ -1318,6 +1318,12 @@ def test_builtin_encode(self):
         self.assertEqual(u"pyth\xf6n.org".encode("idna"), "xn--pythn-mua.org")
         self.assertEqual(u"pyth\xf6n.org.".encode("idna"), "xn--pythn-mua.org.")

+    def test_builtin_decode_length_limit(self):
+        with self.assertRaisesRegexp(UnicodeError, "too long"):
+            (b"xn--016c"+b"a"*1100).decode("idna")
+        with self.assertRaisesRegexp(UnicodeError, "too long"):
+            (b"xn--016c"+b"a"*70).decode("idna")
+
     def test_stream(self):
         import StringIO
         r = codecs.getreader("idna")(StringIO.StringIO("abc"))
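
The new test feeds over-long `xn--` labels to the decoder and expects a `UnicodeError`. A minimal Python 3 sketch of the same check follows. The helper name `idna_decode_rejected` is hypothetical, and the sketch deliberately does not match on the error message, since the exact wording is assumed to vary between Python versions.

```python
def idna_decode_rejected(raw):
    """Return True if the idna codec refuses to decode the given bytes."""
    try:
        raw.decode("idna")
    except UnicodeError:
        # UnicodeDecodeError is a subclass of UnicodeError, so this
        # covers both exception types.
        return True
    return False


if __name__ == "__main__":
    print(idna_decode_rejected(b"xn--016c" + b"a" * 1100))
    print(idna_decode_rejected(b"xn--016c" + b"a" * 70))
    print(idna_decode_rejected(b"xn--pythn-mua.org"))
```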
@@ -0,0 +1,6 @@
+The IDNA codec decoder used on DNS hostnames by :mod:`socket` or :mod:`asyncio`
+related name resolution functions no longer involves a quadratic algorithm.
+This prevents a potential CPU denial of service if an out-of-spec excessive
+length hostname involving bidirectional characters were decoded. Some protocols
+such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker
+to supply such a name.
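
Independently of the codec fix, a caller that handles untrusted hostnames (for example from a redirect) could reject out-of-spec lengths before decoding. The sketch below is not part of this patch. The helper `hostname_within_dns_limits` is a hypothetical name, and it assumes the input is the ASCII form of the name as a `str`, using the usual DNS limits of 63 octets per label and 253 characters for the whole name.

```python
MAX_LABEL_LENGTH = 63   # DNS limit on a single label, in octets
MAX_NAME_LENGTH = 253   # practical limit on the dotted name as text


def hostname_within_dns_limits(hostname):
    """Return True if an ASCII-form hostname respects DNS length limits."""
    # A single trailing dot marks a fully qualified name; ignore it.
    name = hostname[:-1] if hostname.endswith(".") else hostname
    if not name or len(name) > MAX_NAME_LENGTH:
        return False
    return all(0 < len(label) <= MAX_LABEL_LENGTH
               for label in name.split("."))


if __name__ == "__main__":
    print(hostname_within_dns_limits("xn--pythn-mua.org"))
    print(hostname_within_dns_limits("xn--016c" + "a" * 1100))
```

A check like this bounds the work done per hostname regardless of how the decoder itself behaves.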
