(May) Multiple Security Vulnerabilities in Brython Library

[kexinoh]

Hello Brython maintainers,
I have identified several security vulnerabilities in the Brython library. These issues arise from the divergence of Brython's Python implementation from the mainline version, leading to some unpatched security risks. Please update the implementation of the standard library to be closer to the mainline version in a timely manner. (If possible, could you issue a security advisory? This would be very helpful to me.)
Affected Areas:
These vulnerabilities exist in multiple parts of the library, including but not limited to:
http/cookies.py

brython/www/src/Lib/http/cookies.py

Lines 187 to 199 in f376823

	_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
	_QuotePatt = re.compile(r"[\\].")
	def _unquote(str):
	# If there aren't any doublequotes,
	# then there can't be any special characters. See RFC 2109.
	if str is None or len(str) < 2:
	return str
	if str[0] != '"' or str[-1] != '"':
	return str
	# We have to assume that we must decode this string.
	# Down to work.

==>GHSA-7pwv-g7hj-39pr
Other core modules that may have similar unpatched issues.
Impact: These vulnerabilities could lead to significant security risks.
Thank you.

[denis-migdal]

Is this a security report generated by ChatGPT ?

You claim this is a "significant security risks" without describing a single exploit.

Brython is executed on the client side, where the server and the user can always execute arbitrary JS code.

The only issue would be if, somehow, the website enabled an attacker to set an arbitrary very long value, and then pushed such values in other users cookies. And the only effect could be at most a denial of service, by preventing users to correctly access the webpage.

And still... the denial is not that much (normally, cookies are limited to 4kB IIRC).

Cookie sizes of 8000+ bytes caused delays of approximately 0.15 seconds per HTTP request.
Cookie sizes of 20000+ bytes resulted in delays of about 1 second per request.
python/cpython#123067

This could be an issue for a server... but not for a client...

@PierreQuentel Here the fix used in CPython (?) : https://github.com/python/cpython/pull/123075/commits

[kexinoh]

My English is not good (a Chinese user), so I use ChatGPT for translation. However, I mainly think that the problem of Brython not being synchronized with the mainline is more serious. Because as far as I know, at least 3 vulnerabilities were discovered in CPython last year? This means that many N-day vulnerabilities can be exploited, posing long-term risks.

[denis-migdal]

Being "synchronized" with the mainline is a lot of work, and Pierre is currently almost the only one maintaining Brython.

Vulnerabilities in CPython aren't necessary vulnerabilities in Brython.
Brython isn't executed on the server-side, and is executed in the browser "context".

[kexinoh]

Perhaps we could explore some automation solutions, at least for the Python standard library. Since these libraries are implemented in Python and are independent of underlying implementations like C or JavaScript, their fixes are reproducible. Half a year ago, Brython seemed to be based on Python 3.10? Directly syncing with the mainline might introduce inconsistencies with the Python API, but we could address this by subscribing to past CPython libraries. The Python team actively maintains security fixes for the last five Python versions. For instance, if Brython is currently on version 3.13, we could update the standard library by subscribing to the 3.13 branch here: https://github.com/python/cpython/tree/3.13. Just a thought—what do you think?

[denis-migdal]

Well, theoretically, it could be possible to have a semi-automated system to fetch some of Python files to update Brython's.

The issue is that some Python files may need some adjustments to properly work with Brython.
And with several commits per days, I do not see how an human could keep up with it. This would need a full-time team.

Moreover, too many, too big, and too frequent updates would cause instabilities.

Maybe Pierre would have a different opinion than mine, but I do not see the point of sacrificing stability and time for potential security fixes that often aren't relevant in a browser context.

[PierreQuentel]

Hi,

Thanks for the report. I have updated http.cookies to the latest version on the CPython site.

I synchronise Brython and CPython at each release (every year) except if someone reports an issue that was fixed in between.