[Django] #36768: File.__iter__() Quadratic-time DoS


Django

Dec 2, 2025, 7:36:07 PM (7 hours ago) Dec 2
to django-...@googlegroups.com
#36768: File.__iter__() Quadratic-time DoS
-------------------------------+-----------------------------------------
Reporter: wooseokdotkim | Type: Bug
Status: new | Component: Uncategorized
Version: | Severity: Normal
Keywords: DoS | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+-----------------------------------------
I thought the code below could generate DoS, so I made a bug report.
However, File.__iter__ was not recognized as a bug because only one line
was buffered and only worked for chunks returned from File.chunks, but it
was determined that verification code for input should be added, so it was
created as an open ticket.

The code pattern is similar to CVE-2023-36053, which is already released,
so I think it needs to be modified.

code: django/core/files/base.py:89

""
def __iter__(self):
    buffer_ = None
    for chunk in self.chunks():
        for line in chunk.splitlines(True):
            if buffer_:
                line = buffer_ + line # < Code!
""

How should I patch it?
--
Ticket URL: <https://code.djangoproject.com/ticket/36768>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
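As an added illustration of the cost question this ticket raises (example code written for this page, not Django's own File.__iter__; the function names, the byte counter and the sample inputs are constructed), the two functions below split chunked bytes into `\n`-terminated lines. The first re-joins a line that spans chunk boundaries with `buffer_ + line`, the pattern the quoted snippet uses; the second collects the fragments of a partial line in a list and joins them once when the line ends. Both count the bytes they copy, which makes visible what the reporter relays from the security team: with one buffered partial line, the concatenation cost grows with the length of the single longest line, not with the number of lines in the file.

```python
# Added example, not Django code: a simplified model of cross-chunk line
# buffering, instrumented to count bytes copied. All names are assumed.


def split_lines_concat(chunks):
    """Re-join a line that spans chunks with ``buffer_ + line`` (the pattern
    quoted in the ticket). Returns (lines, bytes_copied)."""
    lines = []
    copied = 0
    buffer_ = None
    for chunk in chunks:
        for line in chunk.splitlines(True):
            if buffer_:
                # Building a new bytes object copies both operands, so a
                # long line spread over k chunks is re-copied k-1 times.
                copied += len(buffer_) + len(line)
                line = buffer_ + line
                buffer_ = None
            if line.endswith(b"\n"):
                lines.append(line)
            else:
                buffer_ = line  # only one partial line is ever held
    if buffer_:
        lines.append(buffer_)
    return lines, copied


def split_lines_join(chunks):
    """Same splitting, but fragments of a partial line are collected in a
    list and joined once when the line ends. Returns (lines, bytes_copied)."""
    lines = []
    copied = 0
    parts = []
    for chunk in chunks:
        for line in chunk.splitlines(True):
            parts.append(line)
            if line.endswith(b"\n"):
                joined = b"".join(parts)
                copied += len(joined)  # each completed line is copied once
                lines.append(joined)
                parts = []
    if parts:
        joined = b"".join(parts)
        copied += len(joined)
        lines.append(joined)
    return lines, copied


def make_chunks(data, chunk_size):
    """Slice a byte string into fixed-size chunks (stands in for File.chunks())."""
    return [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]


if __name__ == "__main__":
    # Constructed input: one newline-free 8000-byte line delivered in 1000-byte chunks.
    long_line = make_chunks(b"a" * 8000, 1000)
    # Constructed input: three short lines, two of which straddle a chunk boundary.
    mixed = [b"hello\nwor", b"ld\nlast"]
    for name, chunks in (("long line", long_line), ("mixed", mixed)):
        _, concat_cost = split_lines_concat(chunks)
        _, join_cost = split_lines_join(chunks)
        print(f"{name}: concat copies {concat_cost} bytes, join copies {join_cost} bytes")
```

For the newline-free input the concatenating version copies 35000 bytes against 8000 for the joining version, and the gap widens as the longest line spans more chunks; for ordinary input with short lines the two are close, because the buffer never holds more than the tail of one line.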

Django

Dec 2, 2025, 7:36:36 PM (7 hours ago) Dec 2
to django-...@googlegroups.com
#36768: File.__iter__() Quadratic-time DoS
-------------------------------+--------------------------------------
Reporter: wooseokdotkim | Owner: (none)
Type: Bug | Status: new
Component: Uncategorized | Version:
Severity: Normal | Resolution:
Keywords: DoS | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Description changed by wooseokdotkim:

Old description:

> I thought the code below could generate DoS, so I made a bug report.
> However, File.__iter__ was not recognized as a bug because only one line
> was buffered and only worked for chunks returned from File.chunks, but it
> was determined that verification code for input should be added, so it
> was created as an open ticket.
>
> The code pattern is similar to CVE-2023-36053, which is already released,
> so I think it needs to be modified.
>
> code: django/core/files/base.py:89
>
> ""
> def __iter__(self):
>     buffer_ = None
>     for chunk in self.chunks():
>         for line in chunk.splitlines(True):
>             if buffer_:
>                 line = buffer_ + line # < Code!
> ""
>
> How should I patch it?

New description:

I thought the code below could generate DoS, so I made a bug report.
However, File.__iter__ was not recognized as a bug because only one line
was buffered and only worked for chunks returned from File.chunks, but it
was determined that verification code for input should be added, so it was
created as an open ticket.

The code pattern is similar to CVE-2023-36053, which is already released,
so I think it needs to be modified.

code: django/core/files/base.py:89

{{{
def __iter__(self):
    buffer_ = None
    for chunk in self.chunks():
        for line in chunk.splitlines(True):
            if buffer_:
                line = buffer_ + line # < Code!
}}}


How should I patch it?

--
Ticket URL: <https://code.djangoproject.com/ticket/36768#comment:1>

Django

Dec 2, 2025, 10:53:12 PM (4 hours ago) Dec 2
to django-...@googlegroups.com
#36768: File.__iter__() Quadratic-time DoS
-------------------------------+--------------------------------------
Reporter: wooseokdotkim | Owner: (none)
Type: Bug | Status: new
Component: Uncategorized | Version:
Severity: Normal | Resolution:
Keywords: DoS | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Changes (by Pravin):

* cc: Pravin (added)

--
Ticket URL: <https://code.djangoproject.com/ticket/36768#comment:2>