Merge pull request from GHSA-73m2-3pwg-5fgc

digitalresistor · web-flow · commit 6e46f9e3f014 · 2020-02-02T21:45:15.000-08:00
Fix catastrophic backtracking in regular expression
diff --git a/waitress/rfc7230.py b/waitress/rfc7230.py
@@ -40,13 +40,13 @@
 #                  field-vchar ]
 
 FIELD_VCHAR = "[" + VCHAR + OBS_TEXT + "]"
-FIELD_CONTENT = FIELD_VCHAR + "([ \t" + VCHAR + OBS_TEXT + "]+" + FIELD_VCHAR + "){,1}"
-FIELD_VALUE = "(" + FIELD_CONTENT + "){0,}"
+# Field content is more greedy than the ABNF, in that it will match the whole value
+FIELD_CONTENT = FIELD_VCHAR + "+(?:[ \t]+" + FIELD_VCHAR + "+)*"
+# Which allows the field value here to just see if there is even a value in the first place
+FIELD_VALUE = "(?:" + FIELD_CONTENT + ")?"
 
 HEADER_FIELD = re.compile(
     tobytes(
         "^(?P<name>" + TOKEN + "):" + OWS + "(?P<value>" + FIELD_VALUE + ")" + OWS + "$"
     )
 )
-
-OWS_STRIP = re.compile(OWS + "(?P<value>.*?)" + OWS)
diff --git a/waitress/tests/test_parser.py b/waitress/tests/test_parser.py
@@ -55,6 +55,7 @@ def test_received_bad_host_header(self):
 
     def test_received_bad_transfer_encoding(self):
         from waitress.utilities import ServerNotImplemented
+
         data = (
             b"GET /foobar HTTP/1.1\r\n"
             b"Transfer-Encoding: foo\r\n"
@@ -211,7 +212,6 @@ def test_parse_header_11_te_chunked(self):
         self.parser.parse_header(data)
         self.assertEqual(self.parser.body_rcv.__class__.__name__, "ChunkedReceiver")
 
-
     def test_parse_header_transfer_encoding_invalid(self):
         from waitress.parser import TransferEncodingNotImplemented
 
@@ -377,7 +377,7 @@ def test_parse_header_invalid_folding_spacing(self):
     def test_parse_header_invalid_chars(self):
         from waitress.parser import ParsingError
 
-        data = b"GET /foobar HTTP/1.1\r\nfoo: bar\r\n\foo: \x0bbaz\r\n"
+        data = b"GET /foobar HTTP/1.1\r\nfoo: bar\r\nfoo: \x0bbaz\r\n"
         try:
             self.parser.parse_header(data)
         except ParsingError as e:
@@ -433,6 +433,28 @@ def test_parse_header_multiple_values_extra_space(self):
         self.assertIn("FOO", self.parser.headers)
         self.assertEqual(self.parser.headers["FOO"], "abrowser/0.001 (C O M M E N T)")
 
+    def test_parse_header_invalid_backtrack_bad(self):
+        from waitress.parser import ParsingError
+
+        data = b"GET /foobar HTTP/1.1\r\nfoo: bar\r\nfoo: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\x10\r\n"
+        try:
+            self.parser.parse_header(data)
+        except ParsingError as e:
+            self.assertIn("Invalid header", e.args[0])
+        else:  # pragma: nocover
+            self.assertTrue(False)
+
+    def test_parse_header_short_values(self):
+        from waitress.parser import ParsingError
+
+        data = b"GET /foobar HTTP/1.1\r\none: 1\r\ntwo: 22\r\n"
+        self.parser.parse_header(data)
+
+        self.assertIn("ONE", self.parser.headers)
+        self.assertIn("TWO", self.parser.headers)
+        self.assertEqual(self.parser.headers["ONE"], "1")
+        self.assertEqual(self.parser.headers["TWO"], "22")
+
 
 class Test_split_uri(unittest.TestCase):
     def _callFUT(self, uri):
