Skip to content

[3.14] gh-153030: Fix quadratic complexity in incremental parsing in HTMLParser (GH-153031)#153039

Merged
serhiy-storchaka merged 1 commit into
python:3.14from
miss-islington:backport-bcf98dd-3.14
Jul 4, 2026
Merged

[3.14] gh-153030: Fix quadratic complexity in incremental parsing in HTMLParser (GH-153031)#153039
serhiy-storchaka merged 1 commit into
python:3.14from
miss-islington:backport-bcf98dd-3.14

Conversation

@miss-islington

@miss-islington miss-islington commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

When an unterminated construct (e.g. a tag or comment) spanned many
feed() calls, rescanning the growing buffer and concatenating new data
onto it were both quadratic. New data is now accumulated in a list and
only joined and parsed once enough has piled up.
(cherry picked from commit bcf98dd)

Co-authored-by: Serhiy Storchaka storchaka@gmail.com
Co-Authored-By: Claude Opus 4.8 noreply@anthropic.com

…TMLParser (pythonGH-153031)

When an unterminated construct (e.g. a tag or comment) spanned many
feed() calls, rescanning the growing buffer and concatenating new data
onto it were both quadratic.  New data is now accumulated in a list and
only joined and parsed once enough has piled up.
(cherry picked from commit bcf98dd)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@serhiy-storchaka serhiy-storchaka enabled auto-merge (squash) July 4, 2026 17:41
@serhiy-storchaka serhiy-storchaka merged commit 07efb08 into python:3.14 Jul 4, 2026
49 of 52 checks passed
@miss-islington miss-islington deleted the backport-bcf98dd-3.14 branch July 4, 2026 18:11
hrnciar pushed a commit to fedora-python/cpython that referenced this pull request Jul 10, 2026
…ng in HTMLParser (pythonGH-153031) (pythonGH-153039)

When an unterminated construct (e.g. a tag or comment) spanned many
feed() calls, rescanning the growing buffer and concatenating new data
onto it were both quadratic.  New data is now accumulated in a list and
only joined and parsed once enough has piled up.
(cherry picked from commit bcf98dd)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
hrnciar pushed a commit to fedora-python/cpython that referenced this pull request Jul 10, 2026
…ing in HTMLParser (pythonGH-153031) (pythonGH-153039)

When an unterminated construct (e.g. a tag or comment) spanned many
feed() calls, rescanning the growing buffer and concatenating new data
onto it were both quadratic.  New data is now accumulated in a list and
only joined and parsed once enough has piled up.
(cherry picked from commit bcf98dd)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
hrnciar pushed a commit to fedora-python/cpython that referenced this pull request Jul 10, 2026
pythongh-153030: Fix quadratic complexity in incremental parsing in HTMLParser (pythonGH-153031) (pythonGH-153039)

When an unterminated construct (e.g. a tag or comment) spanned many
feed() calls, rescanning the growing buffer and concatenating new data
onto it were both quadratic.  New data is now accumulated in a list and
only joined and parsed once enough has piled up.
(cherry picked from commit bcf98dd)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
LearningCircuit added a commit to LearningCircuit/local-deep-research that referenced this pull request Jul 11, 2026
…oS) (#5046)

Alert #8034: Grype flags the binary-cataloged /usr/local/bin/python3.14
(3.14.6) for CVE-2026-15308, a High (PSF CVSS4 8.7 / NVD 7.5) quadratic
CPU-exhaustion DoS in html.parser incremental parsing (PSF-2026-33).

Same shape as CVE-2026-4360 (#5044): the fix is merged upstream
(python/cpython#153039, 2026-07-04) but the first fixed release is
3.14.7, scheduled 2026-08-04 (PEP 745), and the NVD-CPE binary match
carries fix-state unknown, which the not-fixed auto-rule deliberately
leaves visible - so an explicit entry is needed.

Not reachable in this image: the vulnerable pattern requires an
unterminated construct spanning many incremental HTMLParser.feed()
calls; every html.parser consumer here is single-shot BeautifulSoup
feed(markup) (own code + langchain BS4HTMLParser), and lxml parses via
its bundled libxml2, not html.parser. Impact is availability-only.

Remove when the base image ships Python 3.14.7+.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants