regex infinite loop with 100% cpu use in django.forms.fields.email_re - DOS hole?


davisd

Oct 9, 2009, 2:13:23 PM
to Django users
After hours of debugging, I found that:

from django.forms.fields import email_re
email_re.match('viewx3dte...@yahoo.comx26latlngx3d15854521645943074058')

will cause CPU to shoot up 100% and the process will hang forever.

Since this is the regex used to validate EmailField on forms, won't
this DOS a live site?

Where should I report this?

Is there a better way to validate an email address?

davisd

Oct 9, 2009, 2:37:09 PM
to Django users
OK! I just confirmed this, I took down a live server! (One of my own)

All I had to do was put the email address in the contact form.

-David

On Oct 9, 1:13 pm, davisd <davisd.dav...@gmail.com> wrote:
> After hours of debugging, I found that:
>
> from django.forms.fields import email_re
> email_re.match('viewx3dtextx26q...@yahoo.comx26latlngx3d15854521645943074058')

Juan Hernandez

Oct 9, 2009, 3:15:21 PM
to django...@googlegroups.com
Take a look at mine:

In [41]: from django.forms.fields import email_re

In [42]: email_re.match('viewx3dte...@yahoo.comx26latlngx3d15854521645943074058')


and this is what top shows:

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
13886 juan      20   0 17556  12m 1992 R   95  1.3   0:59.61 ipython

and stays like that forever...

James Bennett

Oct 9, 2009, 3:18:32 PM
to django...@googlegroups.com
Yes.

We've confirmed the problem. We're working on a patch.

In the meantime, everybody go meditate on the documentation for how to
report security issues.


--
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."

davisd

Oct 9, 2009, 3:21:53 PM
to Django users
Sorry for the public disclosure... I did email django security after
I posted. I'm just getting into this open source goodness and I'm not
really sure how it's supposed to operate yet.

I did consult the documentation: http://docs.djangoproject.com/en/dev/internals/contributing/

Jacob:
I'm running django from SVN
Python 2.6.2
I believe the operating system is moot - it's all in the Python.
Linux kernel 2.6.31-11, but also 2.6.18.8 -

I'm wondering if a multithreaded webserver setup would be more guarded
against this sort of thing?

Karen Tracey

Oct 9, 2009, 4:05:16 PM
to django...@googlegroups.com
On Fri, Oct 9, 2009 at 3:21 PM, davisd <davisd...@gmail.com> wrote:

I'm wondering if a multithreaded webserver setup would be more guarded
against this sort of thing?


Yeah, but.  When I tried this on my own production server (Apache/mod_wsgi) the process handling the request that caused the problem was killed after the deadlock timeout was reached. But deadlock timeout can't really protect you from a determined denial of service attack, so it's still a problem in Django.

Karen

Jacob Kaplan-Moss

Oct 9, 2009, 5:59:14 PM
to django...@googlegroups.com
Just as an update for anyone following this thread:

This was indeed a security exploit, and it has been fixed. See
http://www.djangoproject.com/weblog/2009/oct/09/security/ for details.

Jacob
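The following is an added example, not code from this thread or from Django itself, showing the class of bug under discussion: a domain sub-pattern with nested quantifiers (`[A-Z0-9]+` inside `(...)*` inside `(...)+`) that backtracks exponentially once the dot/TLD tail fails to match, beside a rewrite of the same labels that can only be consumed one way. Both patterns, the `{2,6}` TLD class, the 254-character cap and the constructed input with the reported shape (a good label and dot, then a long run of alphanumerics with no further dot) are assumptions made for illustration; neither pattern is Django's actual `email_re`.

```python
import re
import time

# Illustrative patterns for this example (assumption: not Django's email_re).
# Nested quantifiers: a run of k letters that is never followed by a dot can be
# split between the inner (...)* and the outer (...)+ in 2**(k-1) ways, and
# the backtracking engine tries every one of them before reporting no match.
NESTED_EMAIL_RE = re.compile(
    r"^[A-Z0-9._%+-]+@(?:[A-Z0-9]+(?:-*[A-Z0-9]+)*\.)+[A-Z]{2,6}$",
    re.IGNORECASE,
)

# Same labels (alphanumeric, hyphens only inside, alphanumeric last), but each
# character has exactly one place it can go and a label is capped at the
# 63-character DNS limit, so backtracking is bounded by the label length.
LINEAR_EMAIL_RE = re.compile(
    r"^[A-Z0-9._%+-]+@(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,6}$",
    re.IGNORECASE,
)

MAX_EMAIL_LEN = 254  # assumed cap for the example (RFC 5321 path limit)


def attack_address(tail_len):
    """Constructed input with the shape reported in the thread: one valid label
    and dot, then a long alphanumeric run with no further dot, ending in a
    digit so the [A-Z]{2,6}$ tail can never match either."""
    return "a@b." + "a" * tail_len + "1"


def timed_match(pattern, text, repeat=3):
    """Return (matched, seconds) using the fastest of `repeat` runs."""
    best = None
    matched = False
    for _ in range(repeat):
        start = time.perf_counter()
        matched = pattern.match(text) is not None
        elapsed = time.perf_counter() - start
        best = elapsed if best is None else min(best, elapsed)
    return matched, best


def growth_ratio(pattern, small, large):
    """How much slower the match gets when the unmatched tail grows from
    `small` to `large` characters: exponential patterns explode, linear ones
    stay within a small constant."""
    _, t_small = timed_match(pattern, attack_address(small))
    _, t_large = timed_match(pattern, attack_address(large))
    return t_large / max(t_small, 1e-9)


def is_valid_email(addr):
    """What a form validator should do: cap the length, then apply the linear
    pattern. The cap alone is not a fix (a 254-character tail still allows
    2**200 splits); it only bounds the cost of one request once the pattern
    itself is safe."""
    if len(addr) > MAX_EMAIL_LEN:
        return False
    return LINEAR_EMAIL_RE.match(addr) is not None


if __name__ == "__main__":
    for n in (8, 12, 16):
        _, secs = timed_match(NESTED_EMAIL_RE, attack_address(n))
        print("nested  tail=%2d  %.4fs" % (n, secs))
    _, secs = timed_match(LINEAR_EMAIL_RE, attack_address(40))
    print("linear  tail=40  %.6fs" % secs)
```

Running the block prints the nested pattern's time roughly multiplying by sixteen for every four extra characters, while the linear pattern finishes a 40-character tail in microseconds; a tail the length of the one in the first post would keep the nested pattern busy for years, which is the hang the thread describes. A WSGI or proxy request timeout, as mentioned later in the thread, limits the damage of one such request but does nothing against a client that keeps sending them; only the pattern change removes the problem.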

Tom Evans

Oct 12, 2009, 5:00:31 AM
to django...@googlegroups.com
On Fri, 2009-10-09 at 12:21 -0700, davisd wrote:
> Sorry for the public disclosure... I did email django security after
> I posted. I'm just getting into this open source goodness and I'm not
> really sure how it's supposed to operate yet.
>
> I did consult the documentation: http://docs.djangoproject.com/en/dev/internals/contributing/
>
> Jacob:
> I'm running django from SVN
> Python 2.6.2
> I believe the Operating system is moot- it's all in the python.
> Linux kernel 2.6.31-11, but also 2.6.18.8 -
>
> I'm wondering if a multithreaded webserver setup would be more guarded
> against this sort of thing?
>

This bug has no effect on FreeBSD systems I've tested, so it looks like
it is OS specific.

FreeBSD 7.0, 7.1, 7.2 + python 2.5.4 work fine.

$ time python -c "from django.forms.fields import email_re; email_re.match('viewx3dte...@yahoo.comx26latlngx3d15854521645943074058'); import django; print django.VERSION"
(1, 1, 0, 'final', 0)

real 0m0.086s
user 0m0.055s
sys 0m0.029s


Linux 2.6.27 + python 2.5.4 fails.

$ time python -c "from django.forms.fields import email_re; email_re.match('viewx3dte...@yahoo.comx26latlngx3d15854521645943074058'); import django; print django.VERSION"
^CTraceback (most recent call last):
File "<string>", line 1, in <module>
KeyboardInterrupt

real 0m21.317s
user 0m21.173s
sys 0m0.044s


Cheers

Tom
