@davidfraser
Created February 17, 2020 15:51
Speed tests for CVE-2020-8492

= CVE-2020-8492 Speed Tests

CVE-2020-8492 describes a denial-of-service (DoS) opportunity for a malicious server responding to requests made with Python's built-in urllib library.

A malicious server can send up to 65,509 additional commas in the WWW-Authenticate header, which triggers an O(2**n) evaluation of a regular expression on the client side.

This folder contains a sample malicious server (in Python 3) and sample vulnerable clients (in Python 2 and 3).

It also contains scripts to test the speed of various alternative regular expressions or parsing methods. These stop once a threshold time has been reached, so the timings stay meaningful even for patterns that would otherwise run indefinitely.
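An added example (not code from the gist) of the kind of threshold-bounded timing harness described above: it times a backtracking-prone pattern against a linear one on headers with growing comma counts and stops once a run exceeds the threshold. `VULNERABLE_RX` reproduces the shape of the pre-fix urllib pattern from memory and should be treated as an assumption; `LINEAR_RX`, the helper names and the header values are constructed for this example.

```python
import re
import time

# Pattern with the shape that made urllib vulnerable: the nested quantifier
# `(?:.*,)*` lets the engine try every way of splitting a run of commas
# (reconstructed from memory of the pre-fix urllib.request source; assumption).
VULNERABLE_RX = re.compile(
    r'(?:.*,)*[ \t]*([^ \t]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)

# Alternative written for this example: a challenge starts at the beginning of
# the header or right after a comma, and an auth-scheme token never contains a
# comma, so `[^ \t,]+` fails at once on a comma instead of backtracking into it.
LINEAR_RX = re.compile(
    r'(?:^|,)[ \t]*([^ \t,]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)


def malicious_header(n_commas, with_challenge=False):
    """Constructed WWW-Authenticate value: n commas, optionally followed by a
    well-formed Basic challenge. The commas alone (no realm) are the worst case."""
    tail = ' Basic realm="test"' if with_challenge else ""
    return "," * n_commas + tail


def parse_challenge(rx, header):
    """Return (scheme, realm) extracted by rx, or None when nothing matches."""
    m = rx.search(header)
    return (m.group(1), m.group(3)) if m else None


def timed_sweep(rx, sizes, threshold=1.0):
    """Time rx on comma-only headers of growing size (the non-matching case
    that forces backtracking). Stop after the first run over `threshold`
    seconds so an exponential pattern yields a table instead of hanging."""
    results = []
    for n in sizes:
        start = time.perf_counter()
        parse_challenge(rx, malicious_header(n))
        elapsed = time.perf_counter() - start
        results.append((n, elapsed))
        if elapsed > threshold:
            break
    return results


if __name__ == "__main__":
    for name, rx in (("vulnerable", VULNERABLE_RX), ("linear", LINEAR_RX)):
        for n, secs in timed_sweep(rx, list(range(8, 30, 2)) + [1000, 65509]):
            print(f"{name:10s} commas={n:<6d} {secs:8.4f}s")
```

The vulnerable sweep stops within a few doublings of the comma count, while the linear pattern handles the full 65,509-comma header in milliseconds and still extracts the same scheme and realm.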
