-
Benjamin Peterson yazdı
* Prevent low-grade poplib REDOS (CVE-2018-1060) The regex to test a mail server's timestamp is susceptible to catastrophic backtracking on long evil responses from the server. Happily, the maximum length of malicious inputs is 2K thanks to a limit introduced in the fix for CVE-2013-1752. A 2KB evil response from the mail server would result in small slowdowns (milliseconds vs. microseconds) accumulated over many apop calls. This is a potential DOS vector via accumulated slowdowns. Replace it with a similar non-vulnerable regex. The new regex is RFC compliant. The old regex was non-compliant in edge cases. * Prevent difflib REDOS (CVE-2018-1061) The default regex for IS_LINE_JUNK is susceptible to catastrophic backtracking. This is a potential DOS vector. Replace it with an equivalent non-vulnerable regex. Also introduce unit and REDOS tests for difflib. Co-authored-by:
Tim Peters <tim.peters@gmail.com> Co-authored-by: Christian Heimes <christian@python.org>. (cherry picked from commit 0e6c8ee2)
| Adı |
Son kayıt (commit)
|
Son güncelleme |
|---|---|---|
| .github | ||
| Doc | ||
| Grammar | ||
| Include | ||
| Lib | ||
| Mac | ||
| Misc | ||
| Modules | ||
| Objects | ||
| PC | ||
| PCbuild | ||
| Parser | ||
| Programs | ||
| Python | ||
| Tools | ||
| .bzrignore | ||
| .gitattributes | ||
| .gitignore | ||
| .hgignore | ||
| .travis.yml | ||
| LICENSE | ||
| Makefile.pre.in | ||
| README.rst | ||
| aclocal.m4 | ||
| config.guess | ||
| config.sub | ||
| configure | ||
| configure.ac | ||
| install-sh | ||
| pyconfig.h.in | ||
| setup.py |