Regular Expression Denial of Service in http.cookiejar
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.
The regex http.cookiejar.LOOSE_HTTP_DATE_RE is vulnerable to regular expression denial of service ("ReDoS"). LOOSE_HTTP_DATE_RE.match() is called when http.cookiejar.CookieJar parses the Set-Cookie headers returned by an HTTP server. Processing a response from a malicious HTTP server can therefore cause extreme CPU usage, blocking execution for a long time.
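The two defensive measures a practitioner usually wants here are a check that the running interpreter carries the fix, and a bound on the size of the Set-Cookie values that reach the cookie jar's date parser, since catastrophic backtracking needs long input to become expensive. The following is an added example, not code from the Python project or from this advisory: the fixed-version table is copied from the "Fixed In" list below, while the 4096-byte limit and the minimal stand-in response object are assumptions made for illustration.

```python
"""Defensive helpers around http.cookiejar's Set-Cookie parsing (added example)."""
import sys
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

# First patch level per minor release, per the advisory's "Fixed In" list.
FIXED_IN = {
    (2, 7): (2, 7, 18),
    (3, 5): (3, 5, 10),
    (3, 6): (3, 6, 10),
    (3, 7): (3, 7, 6),
    (3, 8): (3, 8, 1),
    (3, 9): (3, 9, 0),
}


def cookiejar_redos_fixed(version=None):
    """Return True if the given (major, minor, micro) interpreter version
    includes the bpo-38804 fix. Defaults to the running interpreter.
    Minor releases newer than 3.9 branched after the fix and are treated as
    fixed; minors older than those listed never received it."""
    if version is None:
        version = tuple(sys.version_info[:3])
    major, minor, micro = version[:3]
    key = (major, minor)
    if key in FIXED_IN:
        return (major, minor, micro) >= FIXED_IN[key]
    return key > (3, 9)


# Assumption: generous for legitimate cookies, far below what a
# backtracking blow-up needs to become noticeable.
MAX_SET_COOKIE_LEN = 4096


class _HeaderResponse:
    """Minimal stand-in for the response object CookieJar.extract_cookies()
    expects: it only needs .info() to return something with get_all()."""

    def __init__(self, set_cookie_values):
        self._msg = Message()
        for value in set_cookie_values:
            self._msg["Set-Cookie"] = value  # Message keeps duplicate headers

    def info(self):
        return self._msg


def extract_cookies_bounded(set_cookie_values, url, limit=MAX_SET_COOKIE_LEN):
    """Feed only Set-Cookie values of at most `limit` bytes to a CookieJar.
    Returns (jar, number_of_dropped_headers). Overlong values never reach
    http.cookiejar's date regex at all."""
    kept = [v for v in set_cookie_values if len(v) <= limit]
    dropped = len(set_cookie_values) - len(kept)
    jar = CookieJar()
    jar.extract_cookies(_HeaderResponse(kept), Request(url))
    return jar, dropped


if __name__ == "__main__":
    # Constructed sample: one ordinary cookie and one absurdly long header.
    sample = [
        "sid=abc123; Path=/; Expires=Fri, 31 Dec 2038 23:59:59 GMT",
        "pad=" + "0" * 5000,
    ]
    jar, dropped = extract_cookies_bounded(sample, "http://example.com/")
    print("interpreter fixed:", cookiejar_redos_fixed())
    print("cookies stored:", [c.name for c in jar], "dropped:", dropped)
```

The length bound is a coarse mitigation for deployments that cannot upgrade immediately; the real fix is running one of the patched releases listed below, which `cookiejar_redos_fixed()` reports for the current interpreter.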
Dates:
- Disclosure date: 2019-11-14 (Python issue bpo-38804 reported)
Fixed In
- Python 2.7.18 (2020-04-19) fixed by commit e649903 (branch 2.7) (2019-11-24)
- Python 3.5.10 (2020-09-05) fixed by commit 55a6a16 (branch 3.5) (2020-04-03)
- Python 3.6.10 (2019-12-18) fixed by commit 0716056 (branch 3.6) (2019-11-22)
- Python 3.7.6 (2019-12-18) fixed by commit cb60851 (branch 3.7) (2019-11-22)
- Python 3.8.1 (2019-12-18) fixed by commit a1e1be4 (branch 3.8) (2019-11-22)
- Python 3.9.0 (2020-10-05) fixed by commit 1b779bf (branch 3.9) (2019-11-22)
Python issue
Regular Expression Denial of Service in http.cookiejar.
- Python issue: bpo-38804
- Creation date: 2019-11-14
- Reporter: Ben Caller
Timeline
Timeline using the disclosure date 2019-11-14 as reference:
- 2019-11-14: Python issue bpo-38804 reported by Ben Caller
- 2019-11-22 (+8 days): commit 0716056 (branch 3.6)
- 2019-11-22 (+8 days): commit 1b779bf (branch 3.9)
- 2019-11-22 (+8 days): commit a1e1be4 (branch 3.8)
- 2019-11-22 (+8 days): commit cb60851 (branch 3.7)
- 2019-11-24 (+10 days): commit e649903 (branch 2.7)
- 2019-12-18 (+34 days): Python 3.6.10 released
- 2019-12-18 (+34 days): Python 3.7.6 released
- 2019-12-18 (+34 days): Python 3.8.1 released
- 2020-04-03 (+141 days): commit 55a6a16 (branch 3.5)
- 2020-04-19 (+157 days): Python 2.7.18 released
- 2020-09-05 (+296 days): Python 3.5.10 released
- 2020-10-05 (+326 days): Python 3.9.0 released