Regular Expression Denial of Service in http.cookiejar

The regex http.cookiejar.LOOSE_HTTP_DATE_RE is vulnerable to regular expression denial of service (“REDoS”). LOOSE_HTTP_DATE_RE.match() is called when using http.cookiejar.CookieJar to parse Set-Cookie headers returned by a HTTP server. Processing a response from a malicious HTTP server can lead to extreme CPU usage and execution will be blocked for a long time.

• Disclosure date: 2019-11-14 (Python issue bpo-38804 reported)

Fixed In

• Python 2.7.18 (2020-04-19) fixed by commit e649903 (branch 2.7) (2019-11-24)
• Python 3.5.10 (2020-09-05) fixed by commit 55a6a16 (branch 3.5) (2020-04-03)
• Python 3.6.10 (2019-12-18) fixed by commit 0716056 (branch 3.6) (2019-11-22)
• Python 3.7.6 (2019-12-18) fixed by commit cb60851 (branch 3.7) (2019-11-22)
• Python 3.8.1 (2019-12-18) fixed by commit a1e1be4 (branch 3.8) (2019-11-22)
• Python 3.9.0 (2020-10-05) fixed by commit 1b779bf (branch 3.9) (2019-11-22)

Python issue

Regular Expression Denial of Service in http.cookiejar.

• Python issue: bpo-38804
• Creation date: 2019-11-14
• Reporter: Ben Caller

Timeline

Timeline using the disclosure date 2019-11-14 as reference:

• 2019-11-14: Python issue bpo-38804 reported by Ben Caller
• 2019-11-22 (+8 days): commit 0716056 (branch 3.6)
• 2019-11-22 (+8 days): commit 1b779bf (branch 3.9)
• 2019-11-22 (+8 days): commit a1e1be4 (branch 3.8)
• 2019-11-22 (+8 days): commit cb60851 (branch 3.7)
• 2019-11-24 (+10 days): commit e649903 (branch 2.7)
• 2019-12-18 (+34 days): Python 3.6.10 released
• 2019-12-18 (+34 days): Python 3.7.6 released
• 2019-12-18 (+34 days): Python 3.8.1 released
• 2020-04-03 (+141 days): commit 55a6a16 (branch 3.5)
• 2020-04-19 (+157 days): Python 2.7.18 released
• 2020-09-05 (+296 days): Python 3.5.10 released
• 2020-10-05: Python 3.9.0 released

Links

• https://access.redhat.com/security/cve/CVE-2019-16935