gh-134873: Fix a DOS issue in idlelib #134874
Conversation
|
I believe that the 6 lines from 1205 to 1210 can be replaced by 2 lines -- an re.match and an f-string. I will submit an alternate proposal later. I believe that the input |
Misc/NEWS.d/next/Security/2025-05-29-03-24-18.gh-issue-134873.dziqkQ.rst
Outdated
Show resolved
Hide resolved
|
@terryjreedy so should I leave the code for now, or should I go ahead
and replace with the re.match thing you are going to propose?
@ZeroIntensity so do you mean that active voice is preferred in
release notes? I can replace this specific case with the change that
you are suggesting, but I'm asking for advice in this aspect for
future News.
|
|
Yes, I think it can be. Will fix.
… Message ID: ***@***.***>
|
|
@johnzhou721 Lines 1373 to 1378 in 5ab66a8 As an example, I successfully utilized Gemini 2.5 Pro to generate a reasonable fix for this problem. Could you give it a try? |
|
@kexinoh Yes, I would give it a try once I have time; however, I am working on something else right now -- is it acceptable if I delay this by about a day or so? (if anyone else has a fix ready before I get to this, feel free to make a pr onto the branch of my pr and I'll merge it into my PR) |
…dziqkQ.rst Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
|
@kexinoh I have a small amount of time not enough to work on anything else before I end my day so I attempted the issue you pointed out -- but can't test though. |
Where? How? For what? Thanks! @ZeroIntensity |
We need a test case in |
|
Wait... all platforms are failing EXCEPT the one I have access to... |
This comment was marked as resolved.
This comment was marked as resolved.
|
Never mind... |
|
I've fixed the issues -- is macOS 14 not using --slow-ci? Anyways, I just scrubbed the ncharsdeleted stuff in the function and calculate it manually using length differences. @bedevere-bot I have made the requested changes, please review again |
|
I have made the requested changes; please review again |
|
Thanks for making the requested changes! @picnixz: please review the changes made to this pull request. |
Changes were made, but I'll review it tomorrow (or later this week, I'll be offline for a few days).
|
(I'm removing the request until I have time) |
|
Sidenote: I have a very hard time believing that there is any reasonable DOS in this code at all. Can someone please explain how it can be exploited? |
|
@zware Maybe have a huge indentwidth and carefully configured string of whitespaces so that want gets very small? |
|
Did you test it with real file in IDLE, not just by calling delete_trail_char_and_space()? I afraid that you will get hard time just displaying a long line containing 10000 tabulations and 10000 spaces. |
|
@serhiy will do. Yes the dos is very non exploitable and not sure if idle is used in production anyways but since it’s reported let sfix |
|
I disagree. If it is non-exploitable, it's not a DOS. Fixing it only encourages further reports of invulnerable vulnerabilities and a waste of volunteer time. That said, there does appear to be some opportunity for cleanup here. My objection is to classifying the change as "fixing a DOS" rather than to using cleaner code, at the maintainer (@terryjreedy and/or @serhiy-storchaka)'s discretion. |
|
@zware Good point! If so, we'll remove the fix for the have and want thing and only focus on the .lstrip and .rstrip part for |
A DOS by Quadratic complexity issue is fixed in idlelib. Part of (but does not fix) #134873.