python39/CVE-2024-6232-cookies-quad-complex.patch

From 15eec9d5076b780463c3dc73afcef688651c5295 Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Sat, 17 Aug 2024 16:30:52 +0300
Subject: [PATCH] gh-123067: Fix quadratic complexity in parsing "-quoted
 cookie values with backslashes (GH-123075)

This fixes CVE-2024-7592.
(cherry picked from commit 44e458357fca05ca0ae2658d62c8c595b048b5ef)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
---
 Lib/http/cookies.py                                                     |   34 ++------
 Lib/test/test_http_cookies.py                                           |   38 ++++++++++
 Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst |    1 
 3 files changed, 47 insertions(+), 26 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst

--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -184,8 +184,13 @@ def _quote(str):
         return '"' + str.translate(_Translator) + '"'
 
 
-_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
-_QuotePatt = re.compile(r"[\\].")
+_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))').sub
+
+def _unquote_replace(m):
+    if m[1]:
+        return chr(int(m[1], 8))
+    else:
+        return m[2]
 
 def _unquote(str):
     # If there aren't any doublequotes,
@@ -205,30 +210,7 @@ def _unquote(str):
     #    \012 --> \n
     #    \"   --> "
     #
-    i = 0
-    n = len(str)
-    res = []
-    while 0 <= i < n:
-        o_match = _OctalPatt.search(str, i)
-        q_match = _QuotePatt.search(str, i)
-        if not o_match and not q_match:              # Neither matched
-            res.append(str[i:])
-            break
-        # else:
-        j = k = -1
-        if o_match:
-            j = o_match.start(0)
-        if q_match:
-            k = q_match.start(0)
-        if q_match and (not o_match or k < j):     # QuotePatt matched
-            res.append(str[i:k])
-            res.append(str[k+1])
-            i = k + 2
-        else:                                      # OctalPatt matched
-            res.append(str[i:j])
-            res.append(chr(int(str[j+1:j+4], 8)))
-            i = j + 4
-    return _nulljoin(res)
+    return _unquote_sub(_unquote_replace, str)
 
 # The _getdate() routine is used to set the expiration time in the cookie's HTTP
 # header.  By default, _getdate() returns the current time in the appropriate
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -5,6 +5,7 @@ from test.support import run_unittest, r
 import unittest
 from http import cookies
 import pickle
+from test import support
 
 
 class CookieTests(unittest.TestCase):
@@ -58,6 +59,43 @@ class CookieTests(unittest.TestCase):
             for k, v in sorted(case['dict'].items()):
                 self.assertEqual(C[k].value, v)
 
+    def test_unquote(self):
+        cases = [
+            (r'a="b=\""', 'b="'),
+            (r'a="b=\\"', 'b=\\'),
+            (r'a="b=\="', 'b=='),
+            (r'a="b=\n"', 'b=n'),
+            (r'a="b=\042"', 'b="'),
+            (r'a="b=\134"', 'b=\\'),
+            (r'a="b=\377"', 'b=\xff'),
+            (r'a="b=\400"', 'b=400'),
+            (r'a="b=\42"', 'b=42'),
+            (r'a="b=\\042"', 'b=\\042'),
+            (r'a="b=\\134"', 'b=\\134'),
+            (r'a="b=\\\""', 'b=\\"'),
+            (r'a="b=\\\042"', 'b=\\"'),
+            (r'a="b=\134\""', 'b=\\"'),
+            (r'a="b=\134\042"', 'b=\\"'),
+        ]
+        for encoded, decoded in cases:
+            with self.subTest(encoded):
+                C = cookies.SimpleCookie()
+                C.load(encoded)
+                self.assertEqual(C['a'].value, decoded)
+
+    @support.requires_resource('cpu')
+    def test_unquote_large(self):
+        n = 10**6
+        for encoded in r'\\', r'\134':
+            with self.subTest(encoded):
+                data = 'a="b=' + encoded*n + ';"'
+                C = cookies.SimpleCookie()
+                C.load(data)
+                value = C['a'].value
+                self.assertEqual(value[:3], 'b=\\')
+                self.assertEqual(value[-2:], '\\;')
+                self.assertEqual(len(value), n + 3)
+
     def test_load(self):
         C = cookies.SimpleCookie()
         C.load('Customer="WILE_E_COYOTE"; Version=1; Path=/acme')
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
@@ -0,0 +1 @@
+Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies`.
- Update to 3.9.20: - Tests - gh-112769: The tests now correctly compare zlib version when :const:`zlib.ZLIB_RUNTIME_VERSION` contains non-integer suffixes. For example zlib-ng defines the version as ``1.3.0.zlib-ng``. - gh-117187: Fix XML tests for vanilla Expat <2.6.0. - Security - gh-123678: Upgrade libexpat to 2.6.3 - gh-121957: Fixed missing audit events around interactive use of Python, now also properly firing for ``python -i``, as well as for ``python -m asyncio``. The event in question is ``cpython.run_stdin``. - gh-122133: Authenticate the socket connection for the ``socket.socketpair()`` fallback on platforms where ``AF_UNIX`` is not available like Windows. Patch by Gregory P. Smith <greg@krypto.org> and Seth Larson <seth@python.org>. Reported by Ellie <el@horse64.org> - gh-121285: Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and GNU sparse headers (bsc#1230227, CVE-2024-6232). - gh-118486: :func:`os.mkdir` on Windows now accepts mode of ``0o700`` to restrict the new directory to the current user. This fixes CVE-2024-4030 affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary directory is more permissive than the default. - gh-114572: :meth:`ssl.SSLContext.cert_store_stats` and :meth:`ssl.SSLContext.get_ca_certs` now correctly lock access to the certificate store, when the :class:`ssl.SSLContext` is shared across multiple threads (bsc#1226447, CVE-2024-0397). - gh-116741: Update bundled libexpat to 2.6.2 - Library - gh-123270: Applied a more surgical fix for malformed payloads in OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=201 2024-09-09 22:10:25 +02:00			`From 15eec9d5076b780463c3dc73afcef688651c5295 Mon Sep 17 00:00:00 2001`
			`From: Serhiy Storchaka <storchaka@gmail.com>`
			`Date: Sat, 17 Aug 2024 16:30:52 +0300`
			`Subject: [PATCH] gh-123067: Fix quadratic complexity in parsing "-quoted`
			`cookie values with backslashes (GH-123075)`

			`This fixes CVE-2024-7592.`
			`(cherry picked from commit 44e458357fca05ca0ae2658d62c8c595b048b5ef)`

			`Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>`
			`---`
			`Lib/http/cookies.py \| 34 ++------`
			`Lib/test/test_http_cookies.py \| 38 ++++++++++`
			`Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst \| 1`
			`3 files changed, 47 insertions(+), 26 deletions(-)`
			`create mode 100644 Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst`

			`--- a/Lib/http/cookies.py`
			`+++ b/Lib/http/cookies.py`
			`@@ -184,8 +184,13 @@ def _quote(str):`
			`return '"' + str.translate(_Translator) + '"'`


			`-_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")`
			`-_QuotePatt = re.compile(r"[\\].")`
			`+_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])\|(.))').sub`
			`+`
			`+def _unquote_replace(m):`
			`+ if m[1]:`
			`+ return chr(int(m[1], 8))`
			`+ else:`
			`+ return m[2]`

			`def _unquote(str):`
			`# If there aren't any doublequotes,`
			`@@ -205,30 +210,7 @@ def _unquote(str):`
			`# \012 --> \n`
			`# \" --> "`
			`#`
			`- i = 0`
			`- n = len(str)`
			`- res = []`
			`- while 0 <= i < n:`
			`- o_match = _OctalPatt.search(str, i)`
			`- q_match = _QuotePatt.search(str, i)`
			`- if not o_match and not q_match: # Neither matched`
			`- res.append(str[i:])`
			`- break`
			`- # else:`
			`- j = k = -1`
			`- if o_match:`
			`- j = o_match.start(0)`
			`- if q_match:`
			`- k = q_match.start(0)`
			`- if q_match and (not o_match or k < j): # QuotePatt matched`
			`- res.append(str[i:k])`
			`- res.append(str[k+1])`
			`- i = k + 2`
			`- else: # OctalPatt matched`
			`- res.append(str[i:j])`
			`- res.append(chr(int(str[j+1:j+4], 8)))`
			`- i = j + 4`
			`- return _nulljoin(res)`
			`+ return _unquote_sub(_unquote_replace, str)`

			`# The _getdate() routine is used to set the expiration time in the cookie's HTTP`
			`# header. By default, _getdate() returns the current time in the appropriate`
			`--- a/Lib/test/test_http_cookies.py`
			`+++ b/Lib/test/test_http_cookies.py`
			`@@ -5,6 +5,7 @@ from test.support import run_unittest, r`
			`import unittest`
			`from http import cookies`
			`import pickle`
			`+from test import support`


			`class CookieTests(unittest.TestCase):`
			`@@ -58,6 +59,43 @@ class CookieTests(unittest.TestCase):`
			`for k, v in sorted(case['dict'].items()):`
			`self.assertEqual(C[k].value, v)`

			`+ def test_unquote(self):`
			`+ cases = [`
			`+ (r'a="b=\""', 'b="'),`
			`+ (r'a="b=\\"', 'b=\\'),`
			`+ (r'a="b=\="', 'b=='),`
			`+ (r'a="b=\n"', 'b=n'),`
			`+ (r'a="b=\042"', 'b="'),`
			`+ (r'a="b=\134"', 'b=\\'),`
			`+ (r'a="b=\377"', 'b=\xff'),`
			`+ (r'a="b=\400"', 'b=400'),`
			`+ (r'a="b=\42"', 'b=42'),`
			`+ (r'a="b=\\042"', 'b=\\042'),`
			`+ (r'a="b=\\134"', 'b=\\134'),`
			`+ (r'a="b=\\\""', 'b=\\"'),`
			`+ (r'a="b=\\\042"', 'b=\\"'),`
			`+ (r'a="b=\134\""', 'b=\\"'),`
			`+ (r'a="b=\134\042"', 'b=\\"'),`
			`+ ]`
			`+ for encoded, decoded in cases:`
			`+ with self.subTest(encoded):`
			`+ C = cookies.SimpleCookie()`
			`+ C.load(encoded)`
			`+ self.assertEqual(C['a'].value, decoded)`
			`+`
			`+ @support.requires_resource('cpu')`
			`+ def test_unquote_large(self):`
			`+ n = 10**6`
			`+ for encoded in r'\\', r'\134':`
			`+ with self.subTest(encoded):`
			`+ data = 'a="b=' + encoded*n + ';"'`
			`+ C = cookies.SimpleCookie()`
			`+ C.load(data)`
			`+ value = C['a'].value`
			`+ self.assertEqual(value[:3], 'b=\\')`
			`+ self.assertEqual(value[-2:], '\\;')`
			`+ self.assertEqual(len(value), n + 3)`
			`+`
			`def test_load(self):`
			`C = cookies.SimpleCookie()`
			`C.load('Customer="WILE_E_COYOTE"; Version=1; Path=/acme')`
			`--- /dev/null`
			`+++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst`
			`@@ -0,0 +1 @@`
			+Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies`.