bpo-37461: Fix infinite loop in parsing of specially crafted email headers #14794
…aders. Some crafted email header would cause the get_parameter method to run in an infinite loop causing a DoS attack surface when parsing those headers. This patch fixes that by making sure the DQUOTE character is handled to prevent going into an infinite loop.
Working on adding tests and NEWS entry.
I have added a slightly different test case than given in BPO and that fails with a different exception. I'll keep this PR around and convert it to a WIP, while I figure out what is going on. I may need to dig deeper than I originally thought and might need more time :)
/cc @bitdancer
@maxking Instead of using WIP, you can also start the PR as a draft and open it once the tests are passing. I don't think it's possible to do this for a PR that's already been opened, but just for any future PRs it's a useful feature that I've started using recently.
@aeros167 Yeah, I added the tests after I opened the PR, which is why I had to switch it to WIP. It is a feature in GitLab, which I more frequently use, where you can switch between WIP PRs (a.k.a. draft PRs) and normal ones by just adding the WIP: prefix. Thanks for the tip though, I should have opened a draft PR initially.
So, I think my initial solution was correct, but my test case was wrong. That is a separate bug and I am working on a separate PR to fix that. Pushed a fix and I think this is ready for a review now. Fingers crossed for the tests (they passed locally) ;-)
miss-islington commented Jul 17, 2019
I'm having trouble backporting to
…aders (pythonGH-14794) * bpo-37461: Fix infinite loop in parsing of specially crafted email headers. Some crafted email header would cause the get_parameter method to run in an infinite loop causing a DoS attack surface when parsing those headers. This patch fixes that by making sure the DQUOTE character is handled to prevent going into an infinite loop. (cherry picked from commit a4a994b) Co-authored-by: Abhilash Raj <maxking@users.noreply.github.com>
bedevere-bot commented Jul 17, 2019
GH-14816 is a backport of this pull request to the 3.7 branch.
bedevere-bot commented Jul 17, 2019
GH-14817 is a backport of this pull request to the 3.6 branch.
bedevere-bot commented Jul 17, 2019
GH-14818 is a backport of this pull request to the 3.8 branch.
…aders (GH-14794) * bpo-37461: Fix infinite loop in parsing of specially crafted email headers. Some crafted email header would cause the get_parameter method to run in an infinite loop causing a DoS attack surface when parsing those headers. This patch fixes that by making sure the DQUOTE character is handled to prevent going into an infinite loop. (cherry picked from commit a4a994b) Co-authored-by: Abhilash Raj <maxking@users.noreply.github.com>
…aders (GH-14794) (GH-14817) Some crafted email header would cause the get_parameter method to run in an infinite loop causing a DoS attack surface when parsing those headers. This patch fixes that by making sure the DQUOTE character is handled to prevent going into an infinite loop. (cherry picked from commit a4a994b) Co-authored-by: Abhilash Raj <maxking@users.noreply.github.com>
…aders (pythonGH-14794) * bpo-37461: Fix infinite loop in parsing of specially crafted email headers. Some crafted email header would cause the get_parameter method to run in an infinite loop causing a DoS attack surface when parsing those headers. This patch fixes that by making sure the DQUOTE character is handled to prevent going into an infinite loop.
…ail headers (GH-14794) (#15446) * [3.5] bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) Some crafted email header would cause the get_parameter method to run in an infinite loop causing a DoS attack surface when parsing those headers. This patch fixes that by making sure the DQUOTE character is handled to prevent going into an infinite loop. (cherry picked from commit a4a994b) Co-authored-by: Abhilash Raj <maxking@users.noreply.github.com> Co-Authored-By: Ashwin Ramaswami <aramaswamis@gmail.com>
maxking commented Jul 16, 2019 • edited by bedevere-bot
Some crafted email headers would cause the get_parameter method to run in an infinite loop, causing a DoS attack surface when parsing those headers. This patch fixes that by making sure the DQUOTE character is handled to prevent going into an infinite loop.
https://bugs.python.org/issue37461
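The PR description above concerns the parameter parsing path of the stdlib email package (the code that contains get_parameter) and the risk that a parser hang on one message stalls whatever consumes it. The following is an added example, not code from CPython or from this PR: it drives the public stdlib parser (email.message_from_string with email.policy.default) over a few constructed Content-Type values whose parameter values contain DQUOTE characters, and wraps each parse in a time budget so a hang is reported rather than blocking the caller. The page does not give the crafted header that triggered the bug, so the hang is simulated with a stand-in parser function; the names parse_content_type, parse_with_budget, hanging_parser and SAMPLE_HEADERS are this example's own.

```python
"""Bounded parsing of untrusted Content-Type headers.

Added example; not code from CPython or from the PR being discussed.
It exercises the stdlib email header parser (the module that contains
get_parameter) on constructed headers whose parameter values contain
DQUOTE characters, and wraps the parse in a time budget so that a
parser hang on one message cannot stall the whole mail pipeline.
"""
import threading
import time
from email import message_from_string, policy


def parse_content_type(header_value):
    """Parse one Content-Type value with the modern email policy.

    Returns (content_type, params) where params maps lower-cased
    parameter names to their unquoted values.
    """
    raw = f"Content-Type: {header_value}\n\nbody\n"
    msg = message_from_string(raw, policy=policy.default)
    header = msg["Content-Type"]  # a ContentTypeHeader under policy.default
    return header.content_type, dict(header.params)


def parse_with_budget(header_value, seconds=2.0, parser=parse_content_type):
    """Run `parser` on `header_value` in a daemon thread, waiting at most
    `seconds`.

    A pure-Python infinite loop cannot be interrupted from another thread,
    so on timeout the caller should reject the message and let the daemon
    thread die with the process (or move parsing into a subprocess when a
    stuck worker must be reclaimed immediately).
    """
    outcome = {}

    def worker():
        try:
            outcome["value"] = parser(header_value)
        except Exception as exc:  # malformed input is data, not a crash
            outcome["error"] = repr(exc)

    thread = threading.Thread(target=worker, daemon=True)
    thread.start()
    thread.join(seconds)
    if thread.is_alive():
        return {"status": "timeout"}
    if "error" in outcome:
        return {"status": "error", "detail": outcome["error"]}
    content_type, params = outcome["value"]
    return {"status": "ok", "content_type": content_type, "params": params}


# Constructed sample headers (not taken from the bug report): a quoted
# value, a quoted value with whitespace, and a quoted value containing an
# escaped DQUOTE (RFC 5322 quoted-pair) that the parser must unescape.
SAMPLE_HEADERS = [
    'text/plain; charset="utf-8"',
    'application/octet-stream; name="quarterly report.pdf"',
    'text/html; charset=UTF-8; name="say \\"hi\\".html"',
]


def hanging_parser(_header_value):
    """Stand-in for a parser that never returns; used to show the budget."""
    while True:
        time.sleep(0.05)


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", parse_with_budget(h))
    print("hang ->", parse_with_budget("x/y", seconds=0.2, parser=hanging_parser))
```

The thread-plus-join pattern is deliberately simple: it detects a hang and keeps the caller responsive, but it does not free the stuck thread. A pipeline that parses mail from untrusted senders at volume would parse in a subprocess pool with a hard kill on timeout, and would treat a timeout as a signal to quarantine the message and flag the parser version for patching.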