Backport fix for bpo-38804 #610
The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular expression denial of service (REDoS). The regex contained multiple overlapping \s* capture groups. A long sequence of spaces can trigger bad performance. See python/cpython#17157 and https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
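As an added illustration (not code from this PR, python-future or CPython), a constructed pattern that mirrors the overlapping `\s*` structure described above is placed beside a restructured version in which each `\s*` belongs to the optional field it follows; the patterns, the `parse`/`adversarial`/`time_match` helpers and the sample inputs are all constructed for this example and are not LOOSE_HTTP_DATE_RE or its upstream fix.

```python
import re
import time

# Constructed stand-ins for the structure of a cookie date parser; NOT the
# real http.cookiejar.LOOSE_HTTP_DATE_RE or its upstream fix.  Shape: a
# required token, then optional trailing fields separated by whitespace.

# Ambiguous: three free-floating `\s*` can split one run of spaces many ways,
# and every split is retried when `$` fails, so a long space run followed by
# an unexpected character costs superlinear (roughly cubic) time.
AMBIGUOUS_RE = re.compile(r"^(\d+)\s*([A-Za-z]+)?\s*(\(\w+\))?\s*$")

# Restructured: each `\s*` lives inside the optional group of the token it
# follows, so whitespace is consumed once and a failed match backtracks
# linearly.  Both patterns accept exactly the same strings.
HARDENED_RE = re.compile(r"^(\d+)\s*(?:([A-Za-z]+)\s*)?(?:(\(\w+\))\s*)?$")


def parse(pattern, text):
    """Return the captured fields (year, tz, tz_comment) or None."""
    m = pattern.match(text)
    return m.groups() if m else None


def adversarial(n):
    """Constructed input: valid prefix, n spaces, then a char that makes `$` fail."""
    return "2000" + " " * n + "!"


def time_match(pattern, text):
    """Seconds spent evaluating pattern.match(text)."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    for sample in ("2000", "2000 GMT", "2000GMT", "2000 GMT (UTC)", "2000  (UTC)  "):
        assert parse(AMBIGUOUS_RE, sample) == parse(HARDENED_RE, sample)
    # Doubling the space run grows the ambiguous pattern's cost roughly
    # eightfold, while the restructured pattern stays linear.
    for n in (100, 200, 400):
        print("n=%d  hardened=%.5fs  ambiguous=%.5fs" % (
            n, time_match(HARDENED_RE, adversarial(n)),
            time_match(AMBIGUOUS_RE, adversarial(n))))
```

A regression test for a fix of this kind matches the hardened pattern against a very long space run under a timeout, which the restructured pattern passes in milliseconds.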
Given the huge pile of patches we're applying in Gentoo to make it work with Python 3.10, I dare say it's as dead as it can get. However, thank you for making a PR nevertheless, as it makes it easier to patch the CVE on our end (and other distros will probably appreciate that too). I just hope that GitHub's fancy bots will now start flagging the If you wish to help even some, some help in reporting the use of unmaintained library and convincing people to stop using it would be really appreciated. A lot of distro maintainers have been burned out doing exactly this, i.e. fighting the "it is my project, I can do whatever I like, however bad it is for my users" attitude.
Thanks @mgorny! I saw there was little activity in the commit log and that there were approved PRs sitting unmerged, but I hadn't realized that the package was actually not working in recent Python versions without patching. Some good news for you is that a bot flagging CVEs in my subdependencies (though not GitHub's bot) was what led me here. I will try to encourage Luckily for me, my dependencies seem to be only referencing
https://build.opensuse.org/request/show/1056169 by user dgarcia + dimstar_suse - Add CVE-2022-40899.patch to fix REDoS in http.cookiejar gh#PythonCharmers/python-future#610 bsc#1206673
Thanks for the fix! Now I just need to figure out how to create a release (and upload to PyPI) for this project, as the last time I did was a few years ago.
0.18.3 released!
Nice, @sfdye. I feel like there might not be much motivation for maintaining this package going forward, since most of the community has migrated to Python 3 by now. From what @mgorny said, there are issues with using
Recently, a CVE was published for this project related to a CVE previously patched in Python. I am not sure if this project is still maintained anymore, but it is still listed as a dependency by some other popular projects, so it would be good to patch.