.. _cookiejar-redos:

Regular Expression Denial of Service in http.cookiejar
======================================================

.. warning::

   This resource is maintained for historical reference and **does not
   contain the latest vulnerability info for Python**. The canonical
   database for vulnerabilities affecting Python is available on GitHub in
   the Open Source Vulnerability (OSV) format. This database can be viewed
   online at the Open Source Vulnerability Database.

The regex ``http.cookiejar.LOOSE_HTTP_DATE_RE`` is vulnerable to regular
expression denial of service ("ReDoS"). ``LOOSE_HTTP_DATE_RE.match()`` is
called when ``http.cookiejar.CookieJar`` parses the ``Set-Cookie`` headers
returned by an HTTP server (the loose date parser handles the ``expires``
attribute of each cookie), so the regex input is attacker-controlled.
Processing a response from a malicious HTTP server can drive CPU usage to
100% and block the thread handling the response for a long time.

Dates:

* Disclosure date: **2019-11-14** (Python issue bpo-38804 reported)

Fixed In
--------

* Python **2.7.18** (2020-04-19) fixed by commit e649903 (branch 2.7) (2019-11-24)
* Python **3.5.10** (2020-09-05) fixed by commit 55a6a16 (branch 3.5) (2020-04-03)
* Python **3.6.10** (2019-12-18) fixed by commit 0716056 (branch 3.6) (2019-11-22)
* Python **3.7.6** (2019-12-18) fixed by commit cb60851 (branch 3.7) (2019-11-22)
* Python **3.8.1** (2019-12-18) fixed by commit a1e1be4 (branch 3.8) (2019-11-22)
* Python **3.9.0** (2020-10-05) fixed by commit 1b779bf (branch 3.9) (2019-11-22)

Python issue
------------

Regular Expression Denial of Service in http.cookiejar.

* Python issue: bpo-38804
* Creation date: 2019-11-14
* Reporter: Ben Caller

Timeline
--------

Timeline using the disclosure date **2019-11-14** as reference:

* 2019-11-14: Python issue bpo-38804 reported by Ben Caller
* 2019-11-22 (**+8 days**): commit 0716056 (branch 3.6)
* 2019-11-22 (**+8 days**): commit 1b779bf (branch 3.9)
* 2019-11-22 (**+8 days**): commit a1e1be4 (branch 3.8)
* 2019-11-22 (**+8 days**): commit cb60851 (branch 3.7)
* 2019-11-24 (**+10 days**): commit e649903 (branch 2.7)
* 2019-12-18 (**+34 days**): Python 3.6.10 released
* 2019-12-18 (**+34 days**): Python 3.7.6 released
* 2019-12-18 (**+34 days**): Python 3.8.1 released
* 2020-04-03 (**+141 days**): commit 55a6a16 (branch 3.5)
* 2020-04-19 (**+157 days**): Python 2.7.18 released
* 2020-09-05 (**+296 days**): Python 3.5.10 released
* 2020-10-05 (**+326 days**): Python 3.9.0 released

Links
-----

* https://access.redhat.com/security/cve/CVE-2019-16935
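Reproducing the backtracking
----------------------------

The example below is added to this page to show the bug class behind the
advisory and is not code from CPython or from the original report. The two
patterns were written for this example: they follow the structure of a loose
HTTP date regex (day, month, year, optional clock, optional timezone, optional
parenthesised timezone name) but are not copied from ``LOOSE_HTTP_DATE_RE``,
and ``HARDENED_RE`` is one way to remove the ambiguity, not a claim about the
exact upstream patch. ``redos_payload``, ``SAMPLES``, ``time_match`` and
``disagreements`` are the example's own names; ``http2time`` is assumed to be
the module-level date parser in ``http.cookiejar`` that feeds the regex.

```python
"""Cubic backtracking in a loose date regex, and a linear rewrite.

Written for this page as an illustration; NOT the CPython regex or patch.
"""
import re
import time
from http.cookiejar import http2time  # undocumented module-level helper (assumed)

# Vulnerable shape: three \s* separated only by *optional* groups. For n spaces
# followed by a character that nothing can match, the engine tries every way of
# splitting the run across the three \s* before failing: O(n**3).
VULNERABLE_RE = re.compile(
    r"""^
    (\d\d?)                  # day
    (?:\s+|[-\/])
    (\w+)                    # month
    (?:\s+|[-\/])
    (\d+)                    # year
    (?:
        (?:\s+|:)            # separator before clock
        (\d\d?):(\d\d)       # hour:min
        (?::(\d\d))?         # optional seconds
    )?                       # optional clock
    \s*
    ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+)?   # timezone
    \s*
    (?:\(\w+\))?             # timezone name in parens
    \s*$""",
    re.X | re.ASCII,
)

# Hardened shape: each trailing \s* sits *inside* the optional group whose
# mandatory token precedes it, so a whitespace run has exactly one owner and
# failure backtracks linearly. Accepted language and the 7 groups are unchanged.
HARDENED_RE = re.compile(
    r"""^
    (\d\d?)                  # day
    (?:\s+|[-\/])
    (\w+)                    # month
    (?:\s+|[-\/])
    (\d+)                    # year
    (?:
        (?:\s+|:)            # separator before clock
        (\d\d?):(\d\d)       # hour:min
        (?::(\d\d))?         # optional seconds
    )?                       # optional clock
    \s*
    (?:
        ([-+]?\d{2,4}|(?![APap][Mm]\b)[A-Za-z]+)   # timezone
        \s*
    )?
    (?:
        \(\w+\)              # timezone name in parens
        \s*
    )?$""",
    re.X | re.ASCII,
)


def redos_payload(n):
    """Constructed attacker input: a parsable date, n spaces, then a '(' that
    opens a parenthesised timezone name which never closes, forcing failure."""
    return "1 a 1" + " " * n + "("


def time_match(pattern, text):
    """Run pattern.match and return (match_or_None, seconds_elapsed)."""
    start = time.perf_counter()
    m = pattern.match(text)
    return m, time.perf_counter() - start


# Constructed samples: a regex fix must not change which dates are accepted.
SAMPLES = [
    "01 Jan 1970 00:00:00 GMT",
    "1-Jan-1970 00:00 +0100 (CET)",
    "01 Jan 1970",
    "01 Jan 1970 (UTC)",
    "1 Jan 1970 12:30:45 -0500   ",
    "01 Jan 1970 00:00:00 PM",   # 'PM' is not a timezone: rejected by both
    "not a date",
]


def disagreements(samples=SAMPLES):
    """Samples on which the two patterns yield different groups (expect [])."""
    out = []
    for s in samples:
        a = VULNERABLE_RE.match(s)
        b = HARDENED_RE.match(s)
        if (a and a.groups()) != (b and b.groups()):
            out.append(s)
    return out


def probe_installed_cookiejar(n=300):
    """Time this interpreter's own cookie date parser on the payload. The input
    reaches LOOSE_HTTP_DATE_RE via http2time(); a patched build returns almost
    instantly, an unpatched one grows roughly as n**3, so keep n small."""
    start = time.perf_counter()
    assert http2time(redos_payload(n)) is None
    return time.perf_counter() - start


if __name__ == "__main__":
    for n in (100, 200, 300):
        m, secs = time_match(VULNERABLE_RE, redos_payload(n))
        print(f"vulnerable n={n:<6} match={m} {secs:.3f}s")
    m, secs = time_match(HARDENED_RE, redos_payload(100_000))
    print(f"hardened   n=100000 match={m} {secs:.3f}s")
    print("disagreements:", disagreements())
    print(f"installed http2time, n=300: {probe_installed_cookiejar():.4f}s")
```

Doubling ``n`` roughly multiplies the vulnerable pattern's failure time by
eight, while the hardened pattern rejects a 100 000-space payload in
milliseconds. The ``disagreements`` check is the part to keep in a test suite:
a ReDoS fix that silently changes which ``expires`` values parse is its own
regression.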