
Conversation

@serhiy-storchaka
Member

@serhiy-storchaka serhiy-storchaka commented Jun 29, 2025

  • Fix potential infinite recursion and/or memory consumption.
  • Fix a bug when reference can cross boundaries of substitutions, e.g. expandvars('$a)', {'a': '$(b', 'b': 'c'}).
  • Fix potential quadratic complexity.

@kexinoh

kexinoh commented Dec 22, 2025

I just realized that the newly discovered code still has some issues, such as when constructing the following example as input:

def generate_bomb_vars(depth):
    # Each v_i references v_{i-1} twice, so expanding $(v_depth) produces
    # 2**depth copies of 'X': an expansion bomb in the billion-laughs style.
    vars_dict = {'v0': 'X'}
    for i in range(1, depth + 1):
        vars_dict[f'v{i}'] = f'$(v{i-1})$(v{i-1})'
    target_str = f'$(v{depth})'
    return target_str, vars_dict

@serhiy-storchaka
Member Author

The new version is optimized; it returns the result much faster for depth=20 and depth=30. But note that for depth=30 the result takes 1 GiB, and for depth=60 it requires more memory than mainstream computers support. The code will produce the result as fast as it can, but it cannot do anything if the result cannot fit in memory.

This is similar to a billion laughs attack. The only way to treat it is to impose an artificial, application-specific limit on the result size. If this were code facing the external world, it would be an issue. But this is an internal function in an internal tool. It is only used with data generated by other parts of the tool.
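To make the three fixes and the mitigation discussed in this thread concrete, here is an added, self-contained expandvars for Makefile-style $name and $(name) references. It is example code written for this page, not the PR's code or the tool's own implementation. Each variable's value is expanded on its own and only the finished text is spliced in, so a reference can never be assembled from pieces of two substitutions (the '$a)' / '$(b' case); names on the current expansion path are tracked to reject cycles; finished values are memoized and each level is built with a single join to avoid quadratic behaviour; and every emitted character is charged against a caller-chosen budget, which is the application-specific result-size limit described in the reply above. The ExpansionError class, the max_size parameter and the bomb_vars/expansion_fails helpers are assumptions of this example.

```python
import re

# Matches "$name" or "$(name)", the Makefile-style references used in the thread.
_REF = re.compile(r'\$(?:\((\w+)\)|(\w+))')


class ExpansionError(ValueError):
    """Raised for cyclic references or when the expansion exceeds its budget."""


def expandvars(s, variables, max_size=1 << 20):
    """Expand $name and $(name) references in s from the `variables` mapping.

    Each value is expanded separately and the finished text is spliced in,
    so '$a)' with a='$(b' yields the literal '$(b)' rather than resolving b.
    Names on the current expansion path are tracked to reject cycles,
    finished values are memoized so each variable is expanded once, and
    every emitted character and every followed reference draws on a shared
    budget of `max_size` (an assumed parameter), so exponential inputs
    fail fast instead of exhausting memory.
    """
    budget = [max_size]      # shared across recursive calls
    cache = {}               # name -> fully expanded value

    def spend(n):
        budget[0] -= n
        if budget[0] < 0:
            raise ExpansionError(f'expansion exceeds {max_size} characters')

    def expand(text, path):
        parts = []
        pos = 0
        for m in _REF.finditer(text):
            literal = text[pos:m.start()]
            spend(len(literal))
            parts.append(literal)
            pos = m.end()
            name = m.group(1) or m.group(2)
            spend(1)                         # charge for the reference itself
            if name in path:
                raise ExpansionError('cyclic reference: ' + ' -> '.join(path + (name,)))
            if name in cache:
                value = cache[name]
                spend(len(value))            # reused text still adds to the output
            elif name in variables:
                value = expand(variables[name], path + (name,))
                cache[name] = value
            else:
                value = m.group(0)           # unknown variable: keep the reference as written
                spend(len(value))
            parts.append(value)
        tail = text[pos:]
        spend(len(tail))
        parts.append(tail)
        return ''.join(parts)                # one join per level: linear in output size

    return expand(s, ())


def bomb_vars(depth):
    """Constructed input with the same shape as the generator posted above: v_i doubles v_{i-1}."""
    variables = {'v0': 'X'}
    for i in range(1, depth + 1):
        variables[f'v{i}'] = f'$(v{i - 1})$(v{i - 1})'
    return variables


def expansion_fails(s, variables, max_size=1 << 20):
    """True if expandvars rejects the input (cycle or budget exceeded), False otherwise."""
    try:
        expandvars(s, variables, max_size=max_size)
    except ExpansionError:
        return True
    return False


if __name__ == '__main__':
    print(expandvars('$a)', {'a': '$(b', 'b': 'c'}))          # $(b)
    print(len(expandvars('$(v10)', bomb_vars(10))))             # 1024
    print(expansion_fails('$(v30)', bomb_vars(30), 1 << 20))    # True
```

With the budget set to 1 MiB, the depth=30 bomb is rejected after roughly 2 MiB of work instead of attempting to materialize a 1 GiB string; the budget is the knob the application has to choose, since the expander itself cannot know how large a legitimate result may be.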

