Regular Expression Denial of Service in http.cookiejar
The regex http.cookiejar.LOOSE_HTTP_DATE_RE is vulnerable to regular expression denial of service ("ReDoS"). LOOSE_HTTP_DATE_RE.match() is called when http.cookiejar.CookieJar parses Set-Cookie headers returned by an HTTP server. Processing a response from a malicious HTTP server can therefore cause extreme CPU usage, and execution is blocked for a long time.
Dates:
- Disclosure date: 2019-11-14 (Python issue bpo-38804 reported)
Fixed In
- Python 2.7.18 (2020-04-19) fixed by commit e649903 (branch 2.7) (2019-11-24)
- Python 3.5.10 (2020-09-05) fixed by commit 55a6a16 (branch 3.5) (2020-04-03)
- Python 3.6.10 (2019-12-18) fixed by commit 0716056 (branch 3.6) (2019-11-22)
- Python 3.7.6 (2019-12-18) fixed by commit cb60851 (branch 3.7) (2019-11-22)
- Python 3.8.1 (2019-12-18) fixed by commit a1e1be4 (branch 3.8) (2019-11-22)
- Python 3.9.0 (2020-10-05) fixed by commit 1b779bf (branch 3.9) (2019-11-22)
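The two checks a maintainer of an affected service most often wants are (a) whether the running interpreter already carries the fix, using the "Fixed In" list above, and (b) a way to keep oversized cookie date strings away from the date regex on interpreters that cannot be upgraded yet, since the cost of a ReDoS grows with input length. The following is an added example, not code from CPython or from the advisory; the fix table is copied from this page, `http.cookiejar.http2time()` is the public helper that applies LOOSE_HTTP_DATE_RE, and the 64-character bound and the `safe_expires()` helper are assumptions made for illustration (legitimate HTTP dates are about 30 characters).

```python
"""Defensive checks around the http.cookiejar date parser (added example)."""
import re
import sys
from http.cookiejar import http2time

# First patched release per branch, taken from the advisory's "Fixed In" list.
FIXED_IN = {
    (2, 7): (2, 7, 18),
    (3, 5): (3, 5, 10),
    (3, 6): (3, 6, 10),
    (3, 7): (3, 7, 6),
    (3, 8): (3, 8, 1),
    (3, 9): (3, 9, 0),
}


def is_fixed(version=tuple(sys.version_info[:3])):
    """Return True if this (major, minor, micro) release contains the fix."""
    major_minor = tuple(version[:2])
    if major_minor in FIXED_IN:
        return tuple(version[:3]) >= FIXED_IN[major_minor]
    # Release lines newer than 3.9 branched after the fix landed; older,
    # end-of-life lines (3.4 and earlier, 2.6 and earlier) never received it.
    return major_minor > (3, 9)


# Assumed upper bound on a plausible cookie 'expires' value. Real HTTP dates
# such as "Wed, 21 Oct 2015 07:28:00 GMT" are far shorter than this.
MAX_DATE_LEN = 64

# Extract the expires attribute from a Set-Cookie header value (hypothetical helper).
_EXPIRES_RE = re.compile(r"(?i)\bexpires\s*=\s*([^;]*)")


def safe_expires(set_cookie_value):
    """Parse the expires attribute of a Set-Cookie value into a Unix timestamp.

    Returns None when the attribute is absent, unparseable, or longer than
    MAX_DATE_LEN. The length gate runs before http2time(), so the date regex
    only ever sees bounded input on an unpatched interpreter.
    """
    m = _EXPIRES_RE.search(set_cookie_value)
    if not m:
        return None
    text = m.group(1).strip()
    if len(text) > MAX_DATE_LEN:
        return None  # refuse to feed oversized input to the date regex
    return http2time(text)


if __name__ == "__main__":
    print("interpreter fixed:", is_fixed())
    print(safe_expires("id=abc; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/"))
```

The length gate is a stop-gap, not a substitute for the fix: it bounds the worst case rather than removing the backtracking, so upgrading to one of the releases listed above remains the actual remediation.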
Python issue
Regular Expression Denial of Service in http.cookiejar.
- Python issue: bpo-38804
- Creation date: 2019-11-14
- Reporter: Ben Caller
Timeline
Timeline using the disclosure date 2019-11-14 as reference:
- 2019-11-14: Python issue bpo-38804 reported by Ben Caller
- 2019-11-22 (+8 days): commit 0716056 (branch 3.6)
- 2019-11-22 (+8 days): commit 1b779bf (branch 3.9)
- 2019-11-22 (+8 days): commit a1e1be4 (branch 3.8)
- 2019-11-22 (+8 days): commit cb60851 (branch 3.7)
- 2019-11-24 (+10 days): commit e649903 (branch 2.7)
- 2019-12-18 (+34 days): Python 3.6.10 released
- 2019-12-18 (+34 days): Python 3.7.6 released
- 2019-12-18 (+34 days): Python 3.8.1 released
- 2020-04-03 (+141 days): commit 55a6a16 (branch 3.5)
- 2020-04-19 (+157 days): Python 2.7.18 released
- 2020-09-05 (+296 days): Python 3.5.10 released
- 2020-10-05: Python 3.9.0 released