A Series of Simple DOS Vulnerabilities

[kexinoh]

Bug report

Bug description:

We have identified a series of simple quadratic complexity vulnerabilities. After confirmation by CPython's security team, since these DOS vulnerabilities pose a low threat and are relatively tedious to exploit, we can directly initiate requests in issues to seek assistance from the community for fixes.
Below are the specific locations of the different complexity issues we discovered.

1.

cpython/Lib/posixpath.py

Line 290 in f49a07b

def expandvars(path):

2.

cpython/Lib/email/message.py

Line 73 in 5ab66a8

def _parseparam(s):

3.

cpython/Lib/idlelib/editor.py

Line 1206 in 5ab66a8

while methodname[:1] == '<':

4.

cpython/Lib/email/_header_value_parser.py

Line 1424 in 5ab66a8

def get_phrase(value):

5.

cpython/Lib/email/_header_value_parser.py

Line 1506 in 5ab66a8

while value and (value[0]=='\\' or value[0] not in PHRASE_ENDS):

6.

cpython/Lib/email/_header_value_parser.py

Line 1688 in 5ab66a8

value = value[1:]

7.

cpython/Lib/email/_header_value_parser.py

Line 1697 in 5ab66a8

value = value[1:]

8.

cpython/Lib/email/_header_value_parser.py

Line 1847 in 5ab66a8

value = value[1:]

9.

cpython/Lib/email/_header_value_parser.py

Line 2200 in 5ab66a8

value = value[1:]

10.

cpython/Lib/email/_header_value_parser.py

Line 2231 in 5ab66a8

value = value[1:]

11.

cpython/Lib/email/_header_value_parser.py

Line 2260 in 5ab66a8

value = value[1:]

12.

cpython/Lib/email/_header_value_parser.py

Line 2411 in 5ab66a8

value = value[1:]

13.

cpython/Lib/email/_header_value_parser.py

Line 2570 in 5ab66a8

value = value[1:]

14.

cpython/Lib/email/_header_value_parser.py

Line 2642 in 5ab66a8

value = value[1:]

15.

cpython/Lib/email/_header_value_parser.py

Line 2762 in 5ab66a8

value = value[1:]

16.

cpython/Lib/email/_header_value_parser.py

Line 2965 in 5ab66a8

to_encode = to_encode[1:]

17.

cpython/Tools/freeze/checkextensions.py

Line 72 in e64395e

def expandvars(str, vars):

18.

cpython/Lib/ntpath.py

Line 403 in cb8a72b

def expandvars(path):

19.

cpython/Lib/idlelib/editor.py

Line 1373 in 5ab66a8

while True:

20.

cpython/Lib/idlelib/editor.py

Line 1454 in 98a5b83

while line and line[-1] in " \t":

21.

cpython/Lib/platform.py

Line 642 in 98a5b83

while platform and platform[-1] == '-':

Current repair status:

03/19 has been fixed. @johnzhou721
1 has been fixed. @Wulian233
2/4/5/6/7/8/9/10/11/12/13/14/15/16 has been fixed. @picnixz
1/18 has been fixed. @serhiy-storchaka

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Credits

Finder is kexinoh (Xiangfan Wu) from QI-ANXIN Technology Research Institute.

Linked PRs

• gh-134873: Fix a DOS issue in idlelib #134874
• gh-134873: Fix a DOS issue in posixpath #134927
• gh-134873: fix various quadratic worst-time complexities in _header_value_parser.py [WIP] #134947
• gh-134873: Fix quadratic complexity in os.path.expandvars() #134952

[johnzhou721]

I'll try to fix this. Working on a PR...

[johnzhou721]

Nevermind... I won't have time to work on this... this will need extensive refactoring since you also need to fix things like get_fws.

[johnzhou721]

OK I am able to fix one trivial case of this issue.

[kexinoh]

Okay, I will maintain a note in the issue regarding the completed repair part. I hope others can complete the remaining sections.