Re: [Django] #36768: Repetitive string concatentation (in a loop) in File.__iter__ (was: File.__iter__() Quadratic-time DoS)
2 views
Skip to first unread message
Django
Dec 3, 2025, 2:15:53 PM (2 days ago) Dec 3
to django-...@googlegroups.com
#36768: Repetitive string concatentation (in a loop) in File.__iter__
--------------------------------------+------------------------------------
Reporter: wooseokdotkim | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: File uploads/storage | Version:
Severity: Normal | Resolution:
Keywords: concatenation | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Jacob Walls):
* keywords: DoS => concatenation
* stage: Unreviewed => Accepted
* summary: File.__iter__() Quadratic-time DoS => Repetitive string
concatentation (in a loop) in File.__iter__
* type: Bug => Cleanup/optimization
Comment:
Thanks for the follow-up.
> How should I patch it?
You can just collect and join the strings instead of concatenating them
during a loop.
In general, we won't audit the entire project for this pattern, but the
Security Team's rationale for directing the reporter to Trac was that we
did have a PoC of a degradation in hand, even if it was outside the bounds
of what we consider a security issue.
If you'd like to submit a PR, please set yourself in the owner field.
Thanks!
--
Ticket URL: <https://code.djangoproject.com/ticket/36768#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--------------------------------------+------------------------------------
Reporter: wooseokdotkim | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: File uploads/storage | Version:
Severity: Normal | Resolution:
Keywords: concatenation | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Jacob Walls):
* keywords: DoS => concatenation
* stage: Unreviewed => Accepted
* summary: File.__iter__() Quadratic-time DoS => Repetitive string
concatentation (in a loop) in File.__iter__
* type: Bug => Cleanup/optimization
Comment:
Thanks for the follow-up.
> How should I patch it?
You can just collect and join the strings instead of concatenating them
during a loop.
In general, we won't audit the entire project for this pattern, but the
Security Team's rationale for directing the reporter to Trac was that we
did have a PoC of a degradation in hand, even if it was outside the bounds
of what we consider a security issue.
If you'd like to submit a PR, please set yourself in the owner field.
Thanks!
--
Ticket URL: <https://code.djangoproject.com/ticket/36768#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Reply all
Reply to author
Forward
0 new messages