

Critical Django security updates released (0day, exploit in the wild) - ubernostrum
http://www.djangoproject.com/weblog/2009/oct/09/security/

======
zain
Less than four hours between the disclosure and the fix. Not bad.

------
callahad
Here's the changeset that fixes it:
<http://code.djangoproject.com/changeset/11603>

~~~
mseebach
Could someone as an intellectual exercise explain how this exploit works? I
understand the idea of how some strings can throw a regex FSM off its game,
but I can't see how it would happen here.

~~~
gojomo
A simple rule of thumb is: nested repetitions may take 'forever' to fail.

If you've got Java applet support in your browser, here's an animated
example...

<http://regex.powertoy.org/?pat=m/((a{0,5}){0,5})*[e]/g&anim=1&rep=m/((a{0,5}){0,5})*[e]/g&in=aaaaaaaaaaaa>

...based on the "WARNING: Particularly complicated..." example in the Perlre
docs:

<http://perldoc.perl.org/perlre.html>

You can see that Django's problematic domain-validation regexes were similar
to the perlre example, but even worse -- a one-or-more of unbounded length,
inside a 0-or-more of unbounded length, inside a 1-or-more of unbounded
length:

<http://code.djangoproject.com/changeset/11603#file0>
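
An added illustration of gojomo's rule of thumb (not code from the thread or from Django): a static check that reports how deeply repetitions nest in a regex, plus the cheapest stop-gap while a suspect pattern is still deployed, which is capping the input length before the matcher runs. The patterns are constructed for the example: PERLRE_EXAMPLE is the perlre one linked above, SUSPECT_LABEL is a made-up hostname-label regex with the one-or-more inside zero-or-more inside one-or-more shape described (not Django's actual regex), and SAFE_LABEL is a rewrite of it in which each loop iteration consumes a fixed amount of text.

```python
"""Static check for nested repetitions (the rule of thumb above) and a
length cap, which limits the damage until the regex itself is rewritten."""
import re
try:                                   # Python 3.11+ keeps the parser here
    from re import _parser as sre_parse, _constants as sre_constants
except ImportError:                    # older interpreters
    import sre_parse, sre_constants

# The perlre example linked above.
PERLRE_EXAMPLE = r"((a{0,5}){0,5})*[e]"
# Constructed hostname-label regex with the shape the comment describes
# (one-or-more inside zero-or-more inside one-or-more); not Django's own.
SUSPECT_LABEL = r"^(?:[a-z0-9]+(?:-[a-z0-9]+)*)+$"
# Same language, written so every loop iteration consumes exactly one
# alphanumeric: the outer '*' is the only real repetition left.
SAFE_LABEL = r"^[a-z0-9](?:-?[a-z0-9])*$"

_REPEATS = (sre_constants.MAX_REPEAT, sre_constants.MIN_REPEAT)

def _depth(items):
    """Longest chain of nested repetitions that can each loop more than once."""
    best = 0
    for op, av in items:
        if op in _REPEATS:                       # (min, max, body)
            _lo, hi, body = av
            best = max(best, _depth(body) + (1 if hi > 1 else 0))
        elif op == sre_constants.SUBPATTERN:     # (group, flags, flags, body)
            best = max(best, _depth(av[-1]))
        elif op == sre_constants.BRANCH:         # (None, [alt, alt, ...])
            best = max(best, *(_depth(alt) for alt in av[1]))
        elif op in (sre_constants.ASSERT, sre_constants.ASSERT_NOT):
            best = max(best, _depth(av[1]))      # lookaround body
    return best

def nesting_depth(pattern):
    """Repetition nesting depth; 2 or more means a near-miss input can make the
    matcher try every split of the text between the loops (a heuristic: it also
    flags harmless cases such as (?:-[a-z]+)* where '-' separates the runs)."""
    return _depth(sre_parse.parse(pattern))

def is_suspect(pattern):
    return nesting_depth(pattern) >= 2

def bounded_fullmatch(pattern, text, max_len=253):
    """Reject over-long input before the regex runs (253 is the longest legal
    hostname). Returns None when rejected on length, else True/False."""
    if len(text) > max_len:
        return None
    return re.fullmatch(pattern, text) is not None
```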

------
alexkon
This reminds me of a presentation on regular expression DoS attacks:

<http://www.checkmarx.com/Upload/Documents/PDF/Checkmarx_OWASP_IL_2009_ReDoS.pdf> [pdf]

Quick view:
<https://docs.google.com/gview?url=http%3A%2F%2Fwww.checkmarx.com%2FUpload%2FDocuments%2FPDF%2FCheckmarx_OWASP_IL_2009_ReDoS.pdf>

P.S. Corrected wording.

------
jrockway
_As mentioned above, this issue was initially disclosed publicly on a
high-traffic mailing list. We'd like to remind our users that the correct channel
for security reports is to send them to security@djangoproject.com. This
allows the development team time to develop a solution and coordinate
disclosure, both to the Django community as a whole and to the numerous third
parties who maintain and distribute packaged versions of Django.

When debating whether a particular issue impacts security, we ask that you err
on the side of caution and always contact security@djangoproject.com; we will
be more than happy to work with you in analyzing and assessing potential
security issues._

That way, the people that missed the issue in the first place are the only
ones that will have the opportunity to fix it. While you wait, the crackers
have already compromised your site.

~~~
jnoller
Public disclosure without giving a vendor or project a chance to fix the issue
before you release the information publicly screws _everyone_ running it who
may or may not have the skills needed to fix the issue.

In this case, it was a mistake. Luckily, it's _only_ a DoS - there are worse
things that could happen.

~~~
jacquesm
Only a DoS is bad for those high profile sites that are listed on your 'look
who is using product X' pages.

Everybody else will probably squeak by without harm.

------
megamark16
So...svn update?

~~~
tvon
Obviously if you're running off of any SVN other than the 1.1 tag, yes.

