Hi BenThank you. I realize that I misunderstood things. It is the server side that sends this string, not the user on the client side. I'll adjust my analysis accordingly.This means that a malicious server can cause a DoS on client side.Best regards// OlaOn Sun, 2 Feb 2020 at 23:55, Ben Hutchings <ben@decadent.org.uk> wrote:On Fri, 2020-01-31 at 21:18 +0100, Ola Lundqvist wrote:
> Hi fellow LTS development team
>
> I'm not sure how to handle CVE-2020-8492. It is a client side vulnerability
> and what it can cause it CPU load issue (on the client side as I
> understand). I can not really see how it can be exploited in any normal
> client. Sure if the attacker creates new python code it can, but then it
> can do that anyway because an infinite loop is quite easy to do in any
> python code.
I don't know for sure, but I think the test case given in the upstream
issue exercises part of the normal response handling. I think it shows
what happens if a server sends a response with the header field:
www-authenticate: Basic ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, foo realm
Ben.
> So I think it is probably a minor issue, but I would like to check with
> others for an opinion,.
>
> For now I have marked as ignored, but if people have good arguments I will
> change my mind.
>
> Best regards
>
> // Ola
>
--
Ben Hutchings
I haven't lost my mind; it's backed up on tape somewhere.
----- Inguza Technology AB --- MSc in Information Technology ----| http://inguza.com/ Mobile: +46 (0)70-332 1551 |---------------------------------------------------------------