redos of nfs_loc_pattern
Bug #2047686 reported by lujiefsi
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Cinder | New | Undecided | Unassigned | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
Bug Description
What is redos : https:/
poc
```
import re
import datetime
nfs_loc_pattern = \
def split(x):
    string=
    starttime = datetime.
    matched = re.match(
    endtime = datetime.
    print ("string length = " + str(x) + " time cost=" + str((endtime - starttime).seconds) + " seconds")
split(3)
split(30)
split(300)
split(3000)
```
Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.
It's not clear to me that an attacker would have the ability to pass a nefarious NFS path to the Cinder NetApp driver, but hopefully the Cinder security reviewers can confirm whether this is possible for anyone other than service administrators to exploit.