python3.12/00490-cve-2026-15308.patch
Lukáš Zachar 6bd902e139 Security fix for CVE-2026-15308
Resolves: RHEL-193776
2026-07-13 11:42:09 +02:00

115 lines
4.7 KiB
Diff

From effae3f6f868409068cc0b7ab16fe8e4251352be Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Sat, 4 Jul 2026 20:40:22 +0300
Subject: [PATCH] gh-153030: Fix quadratic complexity in incremental parsing in
HTMLParser (GH-153031)
When an unterminated construct (e.g. a tag or comment) spanned many
feed() calls, rescanning the growing buffer and concatenating new data
onto it were both quadratic. New data is now accumulated in a list and
only joined and parsed once enough has piled up.
(cherry picked from commit bcf98ddbc40ec9b3ee87da0124a5660b19b7e606)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
Lib/html/parser.py | 32 +++++++++++++++++--
Lib/test/test_htmlparser.py | 20 ++++++++++++
...-07-04-17-00-00.gh-issue-153030.RovkP6.rst | 3 ++
3 files changed, 53 insertions(+), 2 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2026-07-04-17-00-00.gh-issue-153030.RovkP6.rst
diff --git a/Lib/html/parser.py b/Lib/html/parser.py
index bfab3e64cd54027..c5d2340b712cd6c 100644
--- a/Lib/html/parser.py
+++ b/Lib/html/parser.py
@@ -138,6 +138,9 @@ def reset(self):
self.cdata_elem = None
self._support_cdata = True
self._escapable = True
+ self._pending = []
+ self._pending_len = 0
+ self._parse_threshold = 1
super().reset()
def feed(self, data):
@@ -146,11 +149,36 @@ def feed(self, data):
Call this as often as you want, with as little or as much text
as you want (may include '\n').
"""
- self.rawdata = self.rawdata + data
- self.goahead(0)
+ # Accumulate new data in a list and only join and parse it once
+ # enough has piled up. Rescanning an unparsed buffer (e.g. an
+ # unterminated tag) and concatenating onto it on every call would
+ # both be quadratic in the input size.
+ self._pending_len += len(data)
+ if self._pending_len < self._parse_threshold:
+ self._pending.append(data)
+ else:
+ if not self._pending:
+ self.rawdata += data
+ else:
+ self._pending.append(data)
+ self.rawdata += ''.join(self._pending)
+ self._pending.clear()
+ self._pending_len = 0
+ n = len(self.rawdata)
+ self.goahead(0)
+ if len(self.rawdata) < n:
+ # Some data was parsed; resume on the next call.
+ self._parse_threshold = 1
+ else:
+ # Nothing was parsed; wait until the buffer doubles.
+ self._parse_threshold = len(self.rawdata)
def close(self):
"""Handle any buffered data."""
+ if self._pending:
+ self.rawdata += ''.join(self._pending)
+ self._pending.clear()
+ self._pending_len = 0
self.goahead(1)
__starttag_text = None
diff --git a/Lib/test/test_htmlparser.py b/Lib/test/test_htmlparser.py
index 303c0baa87b026b..e6d92a7ec5166b7 100644
--- a/Lib/test/test_htmlparser.py
+++ b/Lib/test/test_htmlparser.py
@@ -930,6 +930,26 @@ def check(source):
check("<![CDATA[" * 9 * n)
check("<!doctype" * 35 * n)
+ @support.requires_resource('cpu')
+ def test_incremental_no_quadratic_complexity(self):
+ # An unterminated construct fed in many small chunks used to take
+ # quadratic time, both to rescan and to concatenate the buffer.
+ # Now it takes a fraction of a second.
+ def check(prefix, chunk, suffix):
+ parser = html.parser.HTMLParser()
+ parser.feed(prefix)
+ for _ in range(200_000):
+ parser.feed(chunk)
+ parser.feed(suffix)
+ parser.close()
+ chunk = "a" * 64
+ check("<!--", chunk, "-->") # comment
+ check("<?", chunk, ">") # processing instruction
+ check("<!doctype ", chunk, ">") # doctype
+ check("<![CDATA[", chunk, "]]>") # CDATA section
+ check("<a href='", chunk, "'>") # start tag
+ check("<script>", chunk, "</script>") # RAWTEXT element
+
class AttributesTestCase(TestCaseBase):
diff --git a/Misc/NEWS.d/next/Security/2026-07-04-17-00-00.gh-issue-153030.RovkP6.rst b/Misc/NEWS.d/next/Security/2026-07-04-17-00-00.gh-issue-153030.RovkP6.rst
new file mode 100644
index 000000000000000..d1d60593f4ba7d2
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-07-04-17-00-00.gh-issue-153030.RovkP6.rst
@@ -0,0 +1,3 @@
+Fixed quadratic complexity in incremental parsing of long unterminated
+constructs (such as tags or comments) in :class:`html.parser.HTMLParser`,
+which could be exploited for a denial of service.