File CVE-2025-6075-expandvars-perf-degrad.patch of Package python.42333
From 8b8e68d3dc95f454f58fdd8aac10848facb1491d Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Fri, 31 Oct 2025 15:49:51 +0200
Subject: [PATCH 1/2] [3.9] gh-136065: Fix quadratic complexity in
os.path.expandvars() (GH-134952) (cherry picked from commit
f029e8db626ddc6e3a3beea4eff511a71aaceb5c)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Ćukasz Langa <lukasz@langa.pl>
---
Lib/ntpath.py | 106 +++-------
Lib/posixpath.py | 53 ++---
Lib/test/test_genericpath.py | 18 +
Lib/test/test_ntpath.py | 21 +
Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst | 1
5 files changed, 99 insertions(+), 100 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
Index: Python-2.7.18/Lib/ntpath.py
===================================================================
--- Python-2.7.18.orig/Lib/ntpath.py 2020-04-19 23:13:39.000000000 +0200
+++ Python-2.7.18/Lib/ntpath.py 2026-01-16 23:14:26.801426693 +0100
@@ -324,88 +324,58 @@
# XXX With COMMAND.COM you can use any characters in a variable name,
# XXX except '^|<>='.
+_varpattern = r"'[^']*'?|%(%|[^%]*%?)|\$(\$|[-\w]+|\{[^}]*\}?)"
+_varsubb = None
+
+
def expandvars(path):
"""Expand shell variables of the forms $var, ${var} and %var%.
Unknown variables are left unchanged."""
+ global _varsubb
if '$' not in path and '%' not in path:
return path
- import string
- varchars = string.ascii_letters + string.digits + '_-'
+ if not _varsubb:
+ import re
+ _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub
+ sub = _varsubb
if isinstance(path, _unicode):
encoding = sys.getfilesystemencoding()
+
def getenv(var):
return os.environ[var.encode(encoding)].decode(encoding)
else:
def getenv(var):
return os.environ[var]
- res = ''
- index = 0
- pathlen = len(path)
- while index < pathlen:
- c = path[index]
- if c == '\'': # no expansion within single quotes
- path = path[index + 1:]
- pathlen = len(path)
- try:
- index = path.index('\'')
- res = res + '\'' + path[:index + 1]
- except ValueError:
- res = res + c + path
- index = pathlen - 1
- elif c == '%': # variable or '%'
- if path[index + 1:index + 2] == '%':
- res = res + c
- index = index + 1
- else:
- path = path[index+1:]
- pathlen = len(path)
- try:
- index = path.index('%')
- except ValueError:
- res = res + '%' + path
- index = pathlen - 1
- else:
- var = path[:index]
- try:
- res = res + getenv(var)
- except KeyError:
- res = res + '%' + var + '%'
- elif c == '$': # variable or '$$'
- if path[index + 1:index + 2] == '$':
- res = res + c
- index = index + 1
- elif path[index + 1:index + 2] == '{':
- path = path[index+2:]
- pathlen = len(path)
- try:
- index = path.index('}')
- var = path[:index]
- try:
- res = res + getenv(var)
- except KeyError:
- res = res + '${' + var + '}'
- except ValueError:
- res = res + '${' + path
- index = pathlen - 1
- else:
- var = ''
- index = index + 1
- c = path[index:index + 1]
- while c != '' and c in varchars:
- var = var + c
- index = index + 1
- c = path[index:index + 1]
- try:
- res = res + getenv(var)
- except KeyError:
- res = res + '$' + var
- if c != '':
- index = index - 1
+
+ def repl(m):
+ lastindex = m.lastindex
+ if lastindex is None:
+ return m.group(0)
+ name = m.group(lastindex)
+ if lastindex == 1:
+ if name == '%':
+ return name
+ if not name.endswith('%'):
+ return m.group(0)
+ name = name[:-1]
else:
- res = res + c
- index = index + 1
- return res
+ if name == '$':
+ return name
+ if name.startswith('{'):
+ if not name.endswith('}'):
+ return m.group(0)
+ name = name[1:-1]
+
+ try:
+ if os.environ is None:
+ return os.fsencode(os.environ[os.fsdecode(name)])
+ else:
+ return os.environ[name]
+ except KeyError:
+ return m.group(0)
+
+ return sub(repl, path)
# Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A\B.
Index: Python-2.7.18/Lib/posixpath.py
===================================================================
--- Python-2.7.18.orig/Lib/posixpath.py 2020-04-19 23:13:39.000000000 +0200
+++ Python-2.7.18/Lib/posixpath.py 2026-01-16 23:41:20.703177325 +0100
@@ -284,49 +284,50 @@
# This expands the forms $variable and ${variable} only.
# Non-existent variables are left unchanged.
-_varprog = None
-_uvarprog = None
+_varpattern = r'\$(\w+|\{[^}]*\}?)'
+_varsub = None
+_uvarsub = None
def expandvars(path):
"""Expand shell variables of form $var and ${var}. Unknown variables
are left unchanged."""
- global _varprog, _uvarprog
+ global _varsub, _uvarsub
if '$' not in path:
return path
if isinstance(path, _unicode):
- if not _uvarprog:
+ if not _uvarsub:
import re
- _uvarprog = re.compile(ur'\$(\w+|\{[^}]*\})', re.UNICODE)
- varprog = _uvarprog
+ _uvarsub = re.compile(ur'\$(\w+|\{[^}]*\}?)', re.UNICODE).sub
+ sub = _uvarsub
+ start = u'{'
+ end = u'}'
encoding = sys.getfilesystemencoding()
else:
- if not _varprog:
+ if not _varsub:
import re
- _varprog = re.compile(r'\$(\w+|\{[^}]*\})')
- varprog = _varprog
+ _varsub = re.compile(_varpattern).sub
+ sub = _varsub
+ start = '{'
+ end = '}'
encoding = None
- i = 0
- while True:
- m = varprog.search(path, i)
- if not m:
- break
- i, j = m.span(0)
+
+ def repl(m):
name = m.group(1)
- if name.startswith('{') and name.endswith('}'):
+ if name.startswith(start):
+ if not name.endswith(end):
+ return m.group(0)
name = name[1:-1]
if encoding:
name = name.encode(encoding)
- if name in os.environ:
- tail = path[j:]
+ try:
value = os.environ[name]
- if encoding:
- value = value.decode(encoding)
- path = path[:i] + value
- i = len(path)
- path += tail
- else:
- i = j
- return path
+ except KeyError:
+ return m.group(0)
+ if encoding:
+ value = value.decode(encoding)
+ return value
+
+ return sub(repl, path)
# Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A/B.
Index: Python-2.7.18/Lib/test/test_genericpath.py
===================================================================
--- Python-2.7.18.orig/Lib/test/test_genericpath.py 2020-04-19 23:13:39.000000000 +0200
+++ Python-2.7.18/Lib/test/test_genericpath.py 2026-01-16 23:19:37.827280369 +0100
@@ -4,6 +4,7 @@
import unittest
from test import test_support
+from test.support import EnvironmentVarGuard
import os
import genericpath
import sys
@@ -188,7 +189,7 @@
if self.pathmodule.__name__ == 'macpath':
self.skipTest('macpath.expandvars is a stub')
expandvars = self.pathmodule.expandvars
- with test_support.EnvironmentVarGuard() as env:
+ with EnvironmentVarGuard() as env:
env.clear()
env["foo"] = "bar"
env["{foo"] = "baz1"
@@ -213,7 +214,7 @@
def check(value, expected):
self.assertEqual(expandvars(value), expected)
encoding = sys.getfilesystemencoding()
- with test_support.EnvironmentVarGuard() as env:
+ with EnvironmentVarGuard() as env:
env.clear()
unonascii = test_support.FS_NONASCII
snonascii = unonascii.encode(encoding)
@@ -233,6 +234,19 @@
check(u'$bar%s bar' % unonascii, u'$bar%s bar' % unonascii)
check(u'$spam}bar', u'%s}bar' % unonascii)
+ @support.requires_resource('cpu')
+ def test_expandvars_large(self):
+ expandvars = self.pathmodule.expandvars
+ with EnvironmentVarGuard() as env:
+ env.clear()
+ env["A"] = "B"
+ n = 100000
+ self.assertEqual(expandvars('$A'*n), 'B'*n)
+ self.assertEqual(expandvars('${A}'*n), 'B'*n)
+ self.assertEqual(expandvars('$A!'*n), 'B!'*n)
+ self.assertEqual(expandvars('${A}A'*n), 'BA'*n)
+ self.assertEqual(expandvars('${'*10*n), '${'*10*n)
+
def test_abspath(self):
self.assertIn("foo", self.pathmodule.abspath("foo"))
Index: Python-2.7.18/Lib/test/test_ntpath.py
===================================================================
--- Python-2.7.18.orig/Lib/test/test_ntpath.py 2020-04-19 23:13:39.000000000 +0200
+++ Python-2.7.18/Lib/test/test_ntpath.py 2026-01-16 23:21:57.012532750 +0100
@@ -2,7 +2,7 @@
import ntpath
import os
import sys
-from test.test_support import TestFailed
+from test.test_support import TestFailed, EnvironmentVarGuard
from test import test_support, test_genericpath
import unittest
@@ -183,7 +183,7 @@
tester("ntpath.normpath('\\\\?\\D:/XY\\Z')", r'\\?\D:/XY\Z')
def test_expandvars(self):
- with test_support.EnvironmentVarGuard() as env:
+ with EnvironmentVarGuard() as env:
env.clear()
env["foo"] = "bar"
env["{foo"] = "baz1"
@@ -215,7 +215,7 @@
tester0("ntpath.expandvars(%r)" % value, expected)
tester0("ntpath.expandvars(%r)" % value.decode(encoding),
expected.decode(encoding))
- with test_support.EnvironmentVarGuard() as env:
+ with EnvironmentVarGuard() as env:
env.clear()
unonascii = test_support.FS_NONASCII
snonascii = unonascii.encode(encoding)
@@ -232,10 +232,23 @@
check('%spam%bar', '%sbar' % snonascii)
check('%{}%bar'.format(snonascii), 'ham%sbar' % snonascii)
+ @support.requires_resource('cpu')
+ def test_expandvars_large(self):
+ expandvars = ntpath.expandvars
+ with EnvironmentVarGuard() as env:
+ env.clear()
+ env["A"] = "B"
+ n = 100000
+ self.assertEqual(expandvars('%A%'*n), 'B'*n)
+ self.assertEqual(expandvars('%A%A'*n), 'BA'*n)
+ self.assertEqual(expandvars("''"*n + '%%'), "''"*n + '%')
+ self.assertEqual(expandvars("%%"*n), "%"*n)
+ self.assertEqual(expandvars("$$"*n), "$"*n)
+
def test_expanduser(self):
tester('ntpath.expanduser("test")', 'test')
- with test_support.EnvironmentVarGuard() as env:
+ with EnvironmentVarGuard() as env:
env.clear()
tester('ntpath.expanduser("~test")', '~test')
Index: Python-2.7.18/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-2.7.18/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst 2026-01-16 23:06:34.109907043 +0100
@@ -0,0 +1 @@
+Fix quadratic complexity in :func:`os.path.expandvars`.
