Regular Expression Denial of Service in http.cookiejar
Warning: This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.
The regex http.cookiejar.LOOSE_HTTP_DATE_RE is vulnerable to regular
expression denial of service (ReDoS). LOOSE_HTTP_DATE_RE.match() is
called when http.cookiejar.CookieJar parses the Set-Cookie headers
returned by an HTTP server, so processing a response from a malicious
HTTP server can drive CPU usage to extremes and block execution for a
long time.
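As an added example (not code from this page or from CPython), a defensive check for the issue described above: it reports whether the running interpreter's release line carries the fix, using the fixed versions listed on this page, and caps the length of a cookie date string before handing it to http.cookiejar.http2time, the function that applies LOOSE_HTTP_DATE_RE. The names interpreter_is_patched and safe_http2time and the 64-character bound are assumptions of this example.

```python
import http.cookiejar
import sys

# First release on each branch that carries the fix for bpo-38804, as
# listed in this advisory (branches newer than 3.9 were cut after the fix).
FIXED_VERSIONS = {
    (2, 7): (2, 7, 18),
    (3, 5): (3, 5, 10),
    (3, 6): (3, 6, 10),
    (3, 7): (3, 7, 6),
    (3, 8): (3, 8, 1),
    (3, 9): (3, 9, 0),
}

# Constructed bound: the longest well-formed cookie date, e.g.
# "Wednesday, 21-Oct-2015 07:28:00 GMT", is 35 characters, so anything far
# beyond that is not a date and never needs to reach the regex.
MAX_COOKIE_DATE_LEN = 64


def interpreter_is_patched(version=tuple(sys.version_info[:3])):
    """True if a Python release of this version includes the bpo-38804 fix."""
    line = tuple(version[:2])
    if line in FIXED_VERSIONS:
        return tuple(version) >= FIXED_VERSIONS[line]
    # Lines not in the table: anything after 3.9 branched with the fix in;
    # older, end-of-life lines (3.4 and earlier) are treated as unpatched.
    return line > (3, 9)


def safe_http2time(text, max_len=MAX_COOKIE_DATE_LEN):
    """Parse a cookie date with http.cookiejar.http2time, refusing oversized
    input before the loose date regex can run over it.

    Returns seconds since the epoch, or None for unparseable or oversized text.
    """
    if len(text) > max_len:
        return None
    return http.cookiejar.http2time(text)


if __name__ == "__main__":
    print("interpreter patched:", interpreter_is_patched())
    for sample in ("Wed, 21 Oct 2015 07:28:00 GMT",  # strict RFC 1123 form
                   "21-Oct-2015 07:28:00 GMT",       # loose form, hits LOOSE_HTTP_DATE_RE
                   "a" * 500):                       # oversized: rejected before the regex
        print(repr(sample[:40]), "->", safe_http2time(sample))
```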
Dates:
Disclosure date: 2019-11-14 (Python issue bpo-38804 reported)
Fixed In
Python 2.7.18 (2020-04-19) fixed by commit e649903 (branch 2.7) (2019-11-24)
Python 3.5.10 (2020-09-05) fixed by commit 55a6a16 (branch 3.5) (2020-04-03)
Python 3.6.10 (2019-12-18) fixed by commit 0716056 (branch 3.6) (2019-11-22)
Python 3.7.6 (2019-12-18) fixed by commit cb60851 (branch 3.7) (2019-11-22)
Python 3.8.1 (2019-12-18) fixed by commit a1e1be4 (branch 3.8) (2019-11-22)
Python 3.9.0 (2020-10-05) fixed by commit 1b779bf (branch 3.9) (2019-11-22)
Python issue
Regular Expression Denial of Service in http.cookiejar.
Python issue: bpo-38804
Creation date: 2019-11-14
Reporter: Ben Caller
Timeline
Timeline using the disclosure date 2019-11-14 as reference:
2019-11-14: Python issue bpo-38804 reported by Ben Caller
2019-11-22 (+8 days): commit 0716056 (branch 3.6)
2019-11-22 (+8 days): commit 1b779bf (branch 3.9)
2019-11-22 (+8 days): commit a1e1be4 (branch 3.8)
2019-11-22 (+8 days): commit cb60851 (branch 3.7)
2019-11-24 (+10 days): commit e649903 (branch 2.7)
2019-12-18 (+34 days): Python 3.6.10 released
2019-12-18 (+34 days): Python 3.7.6 released
2019-12-18 (+34 days): Python 3.8.1 released
2020-04-03 (+141 days): commit 55a6a16 (branch 3.5)
2020-04-19 (+157 days): Python 2.7.18 released
2020-09-05 (+296 days): Python 3.5.10 released
2020-10-05: Python 3.9.0 released