Repetitive string concatenation (in a loop) in File.__iter__
I thought the code below could generate a DoS, so I made a bug report.
However, File.__iter__() was not recognized as a bug, because only one line is buffered and it only works on chunks returned from File.chunks; it was determined that verification code for the input should be added, so it was created as an open ticket.
The code pattern is similar to CVE-2023-36053, which is already released, so I think it needs to be modified.
code: django/core/files/base.py:89
    def __iter__(self):
        buffer_ = None
        for chunk in self.chunks():
            for line in chunk.splitlines(True):
                if buffer_:
                    line = buffer_ + line  # < Code!
                # ... (rest of the method not included in the report)
How should I patch it?
Change History (9)

Description: modified
Component: Uncategorized → File uploads/storage
Description: modified
Keywords: concatenation added; DoS removed
Summary: File.__iter__() Quadratic-time DoS → Repetitive string concatenation (in a loop) in File.__iter__
Triage Stage: Unreviewed → Accepted
Type: Bug → Cleanup/optimization
Has patch: set
Owner: set to Varun Kasyap Pentamaraju
Status: new → assigned
Triage Stage: Accepted → Ready for checkin
Version: → dev
Resolution: → fixed
Status: assigned → closed
Thanks for the follow-up.
You can just collect and join the strings instead of concatenating them during a loop.
In general, we won't audit the entire project for this pattern, but the Security Team's rationale for directing the reporter to Trac was that we did have a PoC of a degradation in hand, even if it was outside the bounds of what we consider a security issue.
If you'd like to submit a PR, please set yourself in the owner field. Thanks!
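To make the "collect and join" advice concrete, the following added example (written for this page, not Django's code or the ticket's patch) puts the concatenate-in-a-loop pattern from the report beside a collect-and-join rewrite that yields identical lines. `chunks_of` is a hypothetical stand-in for File.chunks(), `time_both` is a helper added here to make the cost visible, and every input is constructed inline; the \r, \r\n and \n handling mirrors the structure of the snippet above but is reimplemented here rather than copied from the project.

```python
"""Line iteration over byte chunks: concatenate-in-a-loop beside collect-and-join.

Added example for this ticket, not Django's code. `iter_lines_concat` carries the
unfinished line as one bytes object and re-copies it with `buffer_ + line` at every
chunk boundary that falls inside the line; `iter_lines_join` yields the same lines
but collects fragments in a list and joins them once per line.
"""
import time


def chunks_of(data, size):
    """Hypothetical stand-in for File.chunks(): yield `data` in fixed-size pieces."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def iter_lines_concat(chunks):
    """Concatenate-in-a-loop variant. A line spread over k chunks is re-copied
    at each of its k-1 internal boundaries, so bytes copied grow with k * len(line)."""
    buffer_ = None
    for chunk in chunks:
        for line in chunk.splitlines(True):   # bytes.splitlines keeps \n, \r and \r\n
            if buffer_:
                if buffer_.endswith(b"\r") and line != b"\n":
                    # Buffered line ended with a bare \r; this fragment starts a new line.
                    yield buffer_
                else:
                    # Fragment continues the buffered line, or is the \n of a \r\n pair.
                    line = buffer_ + line
                buffer_ = None
            if line.endswith(b"\n"):
                yield line
            else:
                buffer_ = line
    if buffer_ is not None:
        yield buffer_


def iter_lines_join(chunks):
    """Collect-and-join variant: fragments of the unfinished line go into a list
    and are joined exactly once, so each byte is copied a bounded number of times
    however many chunks the line spans."""
    parts = []
    for chunk in chunks:
        for line in chunk.splitlines(True):
            if parts and parts[-1].endswith(b"\r") and line != b"\n":
                # Bare \r terminated the buffered line; flush it before starting the next.
                yield b"".join(parts)
                parts = []
            parts.append(line)
            if line.endswith(b"\n"):
                yield b"".join(parts)
                parts = []
    if parts:
        yield b"".join(parts)


def same_lines(chunks):
    """True when both variants produce the same sequence of lines for `chunks`."""
    chunks = list(chunks)
    return list(iter_lines_concat(chunks)) == list(iter_lines_join(chunks))


def time_both(line_length, chunk_size=1):
    """Seconds per variant for one line of `line_length` bytes arriving
    `chunk_size` bytes at a time (the worst case for the concatenating version)."""
    chunks = list(chunks_of(b"x" * line_length + b"\n", chunk_size))
    timings = {}
    for name, fn in (("concat", iter_lines_concat), ("join", iter_lines_join)):
        start = time.perf_counter()
        for _ in fn(chunks):
            pass
        timings[name] = time.perf_counter() - start
    return timings


if __name__ == "__main__":
    # Constructed sample: a short line, a 5000-byte line ending in \r\n split
    # across 7-byte chunks, and a trailing line with no newline.
    sample = b"first\n" + b"x" * 5000 + b"\r\nlast line without newline"
    print("identical output:", same_lines(chunks_of(sample, 7)))
    print(time_both(20000))
```

Running the module compares both variants on the constructed sample and prints the timings for a 20,000-byte line delivered one byte per chunk; raising `line_length` makes the gap between the two variants grow roughly quadratically for the concatenating version and linearly for the joining one, which is the degradation the reporter's PoC measured and the reason the reply recommends joining.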