Potential Quadratic Complexity Vulnerabilities in `path` Modules

Open kexinoh opened this issue 5 months ago • 4 comments

Bug Description: A series of simple quadratic complexity vulnerabilities has been identified. After confirmation by CPython's security team, since these DoS vulnerabilities pose a low threat and are relatively tedious to exploit, we can directly initiate requests in issues to seek assistance from the community for fixes.

Vulnerability Locations (All Fixed):

  1. https://github.com/python/cpython/blob/f49a07b531543dd8a42d90f5b1c89c0312fbf806/Lib/posixpath.py#L290
  2. https://github.com/python/cpython/blob/cb8a72b301f47e76d93a7fe5b259e9a5758792e1/Lib/ntpath.py#L403

Repair Status:

  • Vulnerabilities have been fixed in #134952 by @serhiy-storchaka and @Wulian233.

Common Information:

  • CPython Version: main branch
  • Operating System: Linux
  • Credits: Finder is kexinoh (Xiangfan Wu) from QI-ANXIN Technology Research Institute.

Linked PRs

  • gh-134952

kexinoh avatar Jun 28 '25 08:06 kexinoh

checkextensions is a different issue. Even if there is some similarity, there are many important differences (for example, the code contains another bug and is even prone to an infinite loop).

serhiy-storchaka avatar Jun 28 '25 10:06 serhiy-storchaka

Yes, I know it.

But it seems that it is not part of path; it belongs to part of the tool. This means that input does not come from the user.

kexinoh avatar Jun 28 '25 10:06 kexinoh

So please open a different issue for it.

serhiy-storchaka avatar Jun 28 '25 11:06 serhiy-storchaka

I submitted a new issue. @serhiy-storchaka https://github.com/python/cpython/issues/136073

kexinoh avatar Jun 28 '25 12:06 kexinoh

This vulnerability has been assigned to CVE-2025-6075 with a "LOW" severity.

CharlieZhao95 avatar Nov 03 '25 02:11 CharlieZhao95

Given this has been implemented and backported, can the issue be closed? (cc: @ambv, @serhiy-storchaka)

cmaloney avatar Nov 03 '25 03:11 cmaloney