gh-123067: Denial of Service Vulnerability in `http.cookies._unquote()` by ch4n3-yoon · Pull Request #123066 · python/cpython

Summary

Refactor and improve the _unquote() method in http.cookies to address the performance issues identified in CVE-2024-7592, enhancing the handling of escape sequences to prevent potential DoS vulnerabilities.

Changes

  • Updated regex patterns to optimize matching and substitution.
  • Removed inefficient loop constructs, replacing them with a streamlined regex substitution process.

Context

This update comes after the Django team acknowledged the potential for a DoS vulnerability within their use of the http.cookies module. The vulnerability has been formally reserved as CVE-2024-7592.

Please review these changes and provide your feedback.