A ReDoS vulnerability exists in ./src/configobj/validate.py #232
Comments
Opening a pull request that patches this vulnerability would be appreciated. Thank you.
Is this security hole fixed?
CVE-2023-26112 appears to have been assigned for this issue.
just ping, if any PR fixed this CVE?
I have not, and I’m not in a position to provide one.
I characterized this as a CVE on the effecting server-side config and not
something I’d expect a malicious user to be able to trigger.
…On Sun, Apr 23, 2023 at 4:07 AM swf504 ***@***.***> wrote:
just ping, if any PR fixed this CVE?
@robdennis I opened a PR, #236. Please let me know if you need me to change anything.
Any update on this one? Thanks
A new release including a fix (#236?) would be appreciated.
Dear https://github.com/DiffSK Team, please push a new release, containing these changes. Thank you for the prompt support!
#236 is now merged; I'm trying to work out how to do a release.
The affected code is located in validate.py-line660. It uses the vulnerable regular expression `(.+?)\((.*)\)`. When the match fails, it will cause catastrophic backtracking. I trigger the vulnerability using the Python script below
I see many projects referencing this file; when run server side, there is a possible DoS. It is my pleasure to provide a patch to repair the ReDoS vulnerability.
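The following is an added example, not code from the issue, from PR #236 or from the project: it times the expression quoted above on a constructed string that cannot match, and checks a linear-time string split that returns the same groups. It assumes the pattern is applied with `re.match` and `re.DOTALL` (the page shows only the pattern); `split_call_regex` and `split_call_linear` are hypothetical names.

```python
import re
import time

# The expression quoted in the issue. re.DOTALL and re.match are assumptions
# about how the library applies it; the page shows only the pattern.
VULNERABLE_RE = re.compile(r'(.+?)\((.*)\)', re.DOTALL)


def split_call_regex(check):
    """Original approach: returns (name, args) or None."""
    m = VULNERABLE_RE.match(check)
    return m.groups() if m else None


def split_call_linear(check):
    """Hypothetical replacement with the same result in O(n) time.

    The lazy (.+?) stops at the first '(' after at least one character and
    the greedy (.*) runs to the last ')'. If no ')' follows that first '(',
    none follows any later '(' either, so the match fails outright.
    """
    open_idx = check.find('(', 1)
    close_idx = check.rfind(')')
    if open_idx == -1 or close_idx < open_idx:
        return None
    return check[:open_idx], check[open_idx + 1:close_idx]


def elapsed(func, text):
    """Wall-clock seconds for one call of func(text)."""
    start = time.perf_counter()
    func(text)
    return time.perf_counter() - start


# Constructed inputs: ordinary check strings plus shapes that cannot match.
SAMPLES = ['integer(0, 10)', 'option("a", "b")', 'f()', 'f(a)(b)',
           'string', '(a)', 'a)b(c', 'f(\n1)', 'x' + '(' * 50]

if __name__ == '__main__':
    for s in SAMPLES:
        assert split_call_regex(s) == split_call_linear(s), s
    for n in (1000, 2000, 4000):
        failing = 'x' + '(' * n          # constructed: no closing parenthesis
        print(n, round(elapsed(split_call_regex, failing), 4),
              round(elapsed(split_call_linear, failing), 6))
```

Each doubling of `n` should roughly quadruple the regex column while the linear column stays near zero, which makes the loop usable as a regression check after upgrading.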