Overview

File CVE-2025-6075-expandvars-perf-degrad.patch of Package python.41898

From 8b8e68d3dc95f454f58fdd8aac10848facb1491d Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Fri, 31 Oct 2025 15:49:51 +0200
Subject: [PATCH 1/2] [3.9] gh-136065: Fix quadratic complexity in
 os.path.expandvars() (GH-134952) (cherry picked from commit
 f029e8db626ddc6e3a3beea4eff511a71aaceb5c)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Ɓukasz Langa <lukasz@langa.pl>
---
 Lib/ntpath.py                                                            |  109 +++-------
 Lib/posixpath.py                                                         |   39 +--
 Lib/test/test_genericpath.py                                             |   13 +
 Lib/test/test_ntpath.py                                                  |   13 +
 Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst |    1 
 5 files changed, 90 insertions(+), 85 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst

Index: Python-2.7.18/Lib/ntpath.py
===================================================================
--- Python-2.7.18.orig/Lib/ntpath.py	2020-04-19 23:13:39.000000000 +0200
+++ Python-2.7.18/Lib/ntpath.py	2025-11-28 16:34:38.168313364 +0100
@@ -324,6 +324,10 @@
 # XXX With COMMAND.COM you can use any characters in a variable name,
 # XXX except '^|<>='.
 
+_varpattern = r"'[^']*'?|%(%|[^%]*%?)|\$(\$|[-\w]+|\{[^}]*\}?)"
+_varsub = None
+_varsubb = None
+
 def expandvars(path):
     """Expand shell variables of the forms $var, ${var} and %var%.
 
@@ -331,7 +335,16 @@
     if '$' not in path and '%' not in path:
         return path
     import string
-    varchars = string.ascii_letters + string.digits + '_-'
+    if not _varsubb:
+        import re
+        _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub
+    sub = _varsubb
+    percent = b'%'
+    brace = b'{'
+    rbrace = b'}'
+    dollar = b'$'
+    environ = getattr(os, 'environb', None)
+
     if isinstance(path, _unicode):
         encoding = sys.getfilesystemencoding()
         def getenv(var):
@@ -339,73 +352,35 @@
     else:
         def getenv(var):
             return os.environ[var]
-    res = ''
-    index = 0
-    pathlen = len(path)
-    while index < pathlen:
-        c = path[index]
-        if c == '\'':   # no expansion within single quotes
-            path = path[index + 1:]
-            pathlen = len(path)
-            try:
-                index = path.index('\'')
-                res = res + '\'' + path[:index + 1]
-            except ValueError:
-                res = res + c + path
-                index = pathlen - 1
-        elif c == '%':  # variable or '%'
-            if path[index + 1:index + 2] == '%':
-                res = res + c
-                index = index + 1
-            else:
-                path = path[index+1:]
-                pathlen = len(path)
-                try:
-                    index = path.index('%')
-                except ValueError:
-                    res = res + '%' + path
-                    index = pathlen - 1
-                else:
-                    var = path[:index]
-                    try:
-                        res = res + getenv(var)
-                    except KeyError:
-                        res = res + '%' + var + '%'
-        elif c == '$':  # variable or '$$'
-            if path[index + 1:index + 2] == '$':
-                res = res + c
-                index = index + 1
-            elif path[index + 1:index + 2] == '{':
-                path = path[index+2:]
-                pathlen = len(path)
-                try:
-                    index = path.index('}')
-                    var = path[:index]
-                    try:
-                        res = res + getenv(var)
-                    except KeyError:
-                        res = res + '${' + var + '}'
-                except ValueError:
-                    res = res + '${' + path
-                    index = pathlen - 1
-            else:
-                var = ''
-                index = index + 1
-                c = path[index:index + 1]
-                while c != '' and c in varchars:
-                    var = var + c
-                    index = index + 1
-                    c = path[index:index + 1]
-                try:
-                    res = res + getenv(var)
-                except KeyError:
-                    res = res + '$' + var
-                if c != '':
-                    index = index - 1
+
+    def repl(m):
+        lastindex = m.lastindex
+        if lastindex is None:
+            return m.group(0)
+        name = m.group(lastindex)
+        if lastindex == 1:
+            if name == percent:
+                return name
+            if not name.endswith(percent):
+                return m.group(0)
+            name = name[:-1]
         else:
-            res = res + c
-        index = index + 1
-    return res
+            if name == dollar:
+                return name
+            if name.startswith(brace):
+                if not name.endswith(rbrace):
+                    return m.group(0)
+                name = name[1:-1]
+
+        try:
+            if environ is None:
+                return os.fsencode(os.environ[os.fsdecode(name)])
+            else:
+                return environ[name]
+        except KeyError:
+            return m.group(0)
+
+    return sub(repl, path)
 
 
 # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A\B.
Index: Python-2.7.18/Lib/posixpath.py
===================================================================
--- Python-2.7.18.orig/Lib/posixpath.py	2020-04-19 23:13:39.000000000 +0200
+++ Python-2.7.18/Lib/posixpath.py	2025-11-28 17:02:18.835876821 +0100
@@ -284,35 +284,37 @@
 # This expands the forms $variable and ${variable} only.
 # Non-existent variables are left unchanged.
 
-_varprog = None
-_uvarprog = None
+_varpattern = r'\$(\w+|\{[^}]*\}?)'
+_varsub = None
+_varsubb = None
 
 def expandvars(path):
     """Expand shell variables of form $var and ${var}.  Unknown variables
     are left unchanged."""
-    global _varprog, _uvarprog
+    global _varsub, _varsubb
     if '$' not in path:
         return path
     if isinstance(path, _unicode):
-        if not _uvarprog:
+        if not _varsubb:
             import re
-            _uvarprog = re.compile(ur'\$(\w+|\{[^}]*\})', re.UNICODE)
-        varprog = _uvarprog
+            _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub
+        sub = _varsubb
         encoding = sys.getfilesystemencoding()
     else:
-        if not _varprog:
+        if not _varsub:
             import re
-            _varprog = re.compile(r'\$(\w+|\{[^}]*\})')
-        varprog = _varprog
+            _varsub = re.compile(_varpattern, re.ASCII).sub
+        sub = _varsub
         encoding = None
-    i = 0
-    while True:
-        m = varprog.search(path, i)
-        if not m:
-            break
-        i, j = m.span(0)
+    start = '{'
+    end = '}'
+    environ = os.environ
+
+    def repl(m):
         name = m.group(1)
-        if name.startswith('{') and name.endswith('}'):
+        if name.startswith(start):
+            if not name.endswith(end):
+                return m.group(0)
             name = name[1:-1]
         if encoding:
             name = name.encode(encoding)
@@ -325,8 +327,9 @@
             i = len(path)
             path += tail
         else:
-            i = j
-    return path
+            return m.group(0)
+
+    return sub(repl, path)
 
 
 # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A/B.
Index: Python-2.7.18/Lib/test/test_genericpath.py
===================================================================
--- Python-2.7.18.orig/Lib/test/test_genericpath.py	2020-04-19 23:13:39.000000000 +0200
+++ Python-2.7.18/Lib/test/test_genericpath.py	2025-11-28 16:21:35.651726913 +0100
@@ -233,6 +233,19 @@
             check(u'$bar%s bar' % unonascii, u'$bar%s bar' % unonascii)
             check(u'$spam}bar', u'%s}bar' % unonascii)
 
+    @support.requires_resource('cpu')
+    def test_expandvars_large(self):
+        expandvars = self.pathmodule.expandvars
+        with EnvironmentVarGuard() as env:
+            env.clear()
+            env["A"] = "B"
+            n = 100000
+            self.assertEqual(expandvars('$A'*n), 'B'*n)
+            self.assertEqual(expandvars('${A}'*n), 'B'*n)
+            self.assertEqual(expandvars('$A!'*n), 'B!'*n)
+            self.assertEqual(expandvars('${A}A'*n), 'BA'*n)
+            self.assertEqual(expandvars('${'*10*n), '${'*10*n)
+
     def test_abspath(self):
         self.assertIn("foo", self.pathmodule.abspath("foo"))
 
Index: Python-2.7.18/Lib/test/test_ntpath.py
===================================================================
--- Python-2.7.18.orig/Lib/test/test_ntpath.py	2020-04-19 23:13:39.000000000 +0200
+++ Python-2.7.18/Lib/test/test_ntpath.py	2025-11-28 16:25:10.488811010 +0100
@@ -232,6 +232,19 @@
             check('%spam%bar', '%sbar' % snonascii)
             check('%{}%bar'.format(snonascii), 'ham%sbar' % snonascii)
 
+    @support.requires_resource('cpu')
+    def test_expandvars_large(self):
+        expandvars = ntpath.expandvars
+        with test_support.EnvironmentVarGuard() as env:
+            env.clear()
+            env["A"] = "B"
+            n = 100000
+            self.assertEqual(expandvars('%A%'*n), 'B'*n)
+            self.assertEqual(expandvars('%A%A'*n), 'BA'*n)
+            self.assertEqual(expandvars("''"*n + '%%'), "''"*n + '%')
+            self.assertEqual(expandvars("%%"*n), "%"*n)
+            self.assertEqual(expandvars("$$"*n), "$"*n)
+
     def test_expanduser(self):
         tester('ntpath.expanduser("test")', 'test')
 
Index: Python-2.7.18/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ Python-2.7.18/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst	2025-11-28 16:21:35.652331536 +0100
@@ -0,0 +1 @@
+Fix quadratic complexity in :func:`os.path.expandvars`.
openSUSE Build Service is sponsored by
Places