Security fix for CVE-2026-15308
Resolves: RHEL-193776
This commit is contained in:
parent
b285cff015
commit
6bd902e139
114
00490-cve-2026-15308.patch
Normal file
114
00490-cve-2026-15308.patch
Normal file
@ -0,0 +1,114 @@
|
||||
From effae3f6f868409068cc0b7ab16fe8e4251352be Mon Sep 17 00:00:00 2001
|
||||
From: Serhiy Storchaka <storchaka@gmail.com>
|
||||
Date: Sat, 4 Jul 2026 20:40:22 +0300
|
||||
Subject: [PATCH] gh-153030: Fix quadratic complexity in incremental parsing in
|
||||
HTMLParser (GH-153031)
|
||||
|
||||
When an unterminated construct (e.g. a tag or comment) spanned many
|
||||
feed() calls, rescanning the growing buffer and concatenating new data
|
||||
onto it were both quadratic. New data is now accumulated in a list and
|
||||
only joined and parsed once enough has piled up.
|
||||
(cherry picked from commit bcf98ddbc40ec9b3ee87da0124a5660b19b7e606)
|
||||
|
||||
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
||||
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
||||
---
|
||||
Lib/html/parser.py | 32 +++++++++++++++++--
|
||||
Lib/test/test_htmlparser.py | 20 ++++++++++++
|
||||
...-07-04-17-00-00.gh-issue-153030.RovkP6.rst | 3 ++
|
||||
3 files changed, 53 insertions(+), 2 deletions(-)
|
||||
create mode 100644 Misc/NEWS.d/next/Security/2026-07-04-17-00-00.gh-issue-153030.RovkP6.rst
|
||||
|
||||
diff --git a/Lib/html/parser.py b/Lib/html/parser.py
|
||||
index bfab3e64cd54027..c5d2340b712cd6c 100644
|
||||
--- a/Lib/html/parser.py
|
||||
+++ b/Lib/html/parser.py
|
||||
@@ -138,6 +138,9 @@ def reset(self):
|
||||
self.cdata_elem = None
|
||||
self._support_cdata = True
|
||||
self._escapable = True
|
||||
+ self._pending = []
|
||||
+ self._pending_len = 0
|
||||
+ self._parse_threshold = 1
|
||||
super().reset()
|
||||
|
||||
def feed(self, data):
|
||||
@@ -146,11 +149,36 @@ def feed(self, data):
|
||||
Call this as often as you want, with as little or as much text
|
||||
as you want (may include '\n').
|
||||
"""
|
||||
- self.rawdata = self.rawdata + data
|
||||
- self.goahead(0)
|
||||
+ # Accumulate new data in a list and only join and parse it once
|
||||
+ # enough has piled up. Rescanning an unparsed buffer (e.g. an
|
||||
+ # unterminated tag) and concatenating onto it on every call would
|
||||
+ # both be quadratic in the input size.
|
||||
+ self._pending_len += len(data)
|
||||
+ if self._pending_len < self._parse_threshold:
|
||||
+ self._pending.append(data)
|
||||
+ else:
|
||||
+ if not self._pending:
|
||||
+ self.rawdata += data
|
||||
+ else:
|
||||
+ self._pending.append(data)
|
||||
+ self.rawdata += ''.join(self._pending)
|
||||
+ self._pending.clear()
|
||||
+ self._pending_len = 0
|
||||
+ n = len(self.rawdata)
|
||||
+ self.goahead(0)
|
||||
+ if len(self.rawdata) < n:
|
||||
+ # Some data was parsed; resume on the next call.
|
||||
+ self._parse_threshold = 1
|
||||
+ else:
|
||||
+ # Nothing was parsed; wait until the buffer doubles.
|
||||
+ self._parse_threshold = len(self.rawdata)
|
||||
|
||||
def close(self):
|
||||
"""Handle any buffered data."""
|
||||
+ if self._pending:
|
||||
+ self.rawdata += ''.join(self._pending)
|
||||
+ self._pending.clear()
|
||||
+ self._pending_len = 0
|
||||
self.goahead(1)
|
||||
|
||||
__starttag_text = None
|
||||
diff --git a/Lib/test/test_htmlparser.py b/Lib/test/test_htmlparser.py
|
||||
index 303c0baa87b026b..e6d92a7ec5166b7 100644
|
||||
--- a/Lib/test/test_htmlparser.py
|
||||
+++ b/Lib/test/test_htmlparser.py
|
||||
@@ -930,6 +930,26 @@ def check(source):
|
||||
check("<![CDATA[" * 9 * n)
|
||||
check("<!doctype" * 35 * n)
|
||||
|
||||
+ @support.requires_resource('cpu')
|
||||
+ def test_incremental_no_quadratic_complexity(self):
|
||||
+ # An unterminated construct fed in many small chunks used to take
|
||||
+ # quadratic time, both to rescan and to concatenate the buffer.
|
||||
+ # Now it takes a fraction of a second.
|
||||
+ def check(prefix, chunk, suffix):
|
||||
+ parser = html.parser.HTMLParser()
|
||||
+ parser.feed(prefix)
|
||||
+ for _ in range(200_000):
|
||||
+ parser.feed(chunk)
|
||||
+ parser.feed(suffix)
|
||||
+ parser.close()
|
||||
+ chunk = "a" * 64
|
||||
+ check("<!--", chunk, "-->") # comment
|
||||
+ check("<?", chunk, ">") # processing instruction
|
||||
+ check("<!doctype ", chunk, ">") # doctype
|
||||
+ check("<![CDATA[", chunk, "]]>") # CDATA section
|
||||
+ check("<a href='", chunk, "'>") # start tag
|
||||
+ check("<script>", chunk, "</script>") # RAWTEXT element
|
||||
+
|
||||
|
||||
class AttributesTestCase(TestCaseBase):
|
||||
|
||||
diff --git a/Misc/NEWS.d/next/Security/2026-07-04-17-00-00.gh-issue-153030.RovkP6.rst b/Misc/NEWS.d/next/Security/2026-07-04-17-00-00.gh-issue-153030.RovkP6.rst
|
||||
new file mode 100644
|
||||
index 000000000000000..d1d60593f4ba7d2
|
||||
--- /dev/null
|
||||
+++ b/Misc/NEWS.d/next/Security/2026-07-04-17-00-00.gh-issue-153030.RovkP6.rst
|
||||
@@ -0,0 +1,3 @@
|
||||
+Fixed quadratic complexity in incremental parsing of long unterminated
|
||||
+constructs (such as tags or comments) in :class:`html.parser.HTMLParser`,
|
||||
+which could be exploited for a denial of service.
|
||||
@ -20,7 +20,7 @@ URL: https://www.python.org/
|
||||
#global prerel ...
|
||||
%global upstream_version %{general_version}%{?prerel}
|
||||
Version: %{general_version}%{?prerel:~%{prerel}}
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: Python-2.0.1
|
||||
|
||||
|
||||
@ -450,6 +450,17 @@ Patch484: 00484-cve-2026-3644.patch
|
||||
# Stack overflow parsing XML with deeply nested DTD content models
|
||||
Patch485: 00485-cve-2026-4224.patch
|
||||
|
||||
# 00490 #
|
||||
# CVE-2026-15308
|
||||
#
|
||||
# gh-153030: Fix quadratic complexity in incremental parsing in HTMLParser (GH-153031) (GH-153038)
|
||||
#
|
||||
# When an unterminated construct (e.g. a tag or comment) spanned many
|
||||
# feed() calls, rescanning the growing buffer and concatenating new data
|
||||
# onto it were both quadratic. New data is now accumulated in a list and
|
||||
# only joined and parsed once enough has piled up.
|
||||
Patch490: 00490-cve-2026-15308.patch
|
||||
|
||||
# (New patches go here ^^^)
|
||||
#
|
||||
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
||||
@ -1940,6 +1951,10 @@ fi
|
||||
# ======================================================
|
||||
|
||||
%changelog
|
||||
* Fri Jul 10 2026 Lukáš Zachar <lzachar@redhat.com> - 3.12.13-3
|
||||
- Security fix for CVE-2026-15308
|
||||
Resolves: RHEL-193776
|
||||
|
||||
* Thu Apr 16 2026 Charalampos Stratakis <cstratak@redhat.com> - 3.12.13-2
|
||||
- Security fixes for CVE-2026-1502, CVE-2026-4786, CVE-2026-6100, CVE-2026-2297, CVE-2026-3644, CVE-2026-4224
|
||||
Resolves: RHEL-168130, RHEL-167892
|
||||
|
||||
Loading…
Reference in New Issue
Block a user