fix quadratic-complexity parsing in email.message._parseparam

picnixz · picnixz · commit 6786f734b23f · 2025-06-28T14:15:18.000+02:00
diff --git a/Lib/email/message.py b/Lib/email/message.py
@@ -74,19 +74,23 @@ def _parseparam(s):
     # RDM This might be a Header, so for now stringify it.
     s = ';' + str(s)
     plist = []
-    while s[:1] == ';':
-        s = s[1:]
-        end = s.find(';')
-        while end > 0 and (s.count('"', 0, end) - s.count('\\"', 0, end)) % 2:
+    start = 0
+    while s.find(';', start) == start:
+        start += 1
+        end = s.find(';', start)
+        while end > 0 and (
+            s.count('"', start, end) - s.count('\\"', start, end)
+        ) % 2:
             end = s.find(';', end + 1)
         if end < 0:
             end = len(s)
-        f = s[:end]
-        if '=' in f:
-            i = f.index('=')
-            f = f[:i].strip().lower() + '=' + f[i+1:].strip()
+        i = s.find('=', start, end)
+        if i == -1:
+            f = s[start:end]
+        else:
+            f = s[start:i].rstrip().lower() + '=' + s[i+1:end].lstrip()
         plist.append(f.strip())
-        s = s[end:]
+        start = end
     return plist
 
 
diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py
@@ -481,6 +481,17 @@ def test_get_param_with_quotes(self):
             "Content-Type: foo; bar*0=\"baz\\\"foobar\"; bar*1=\"\\\"baz\"")
         self.assertEqual(msg.get_param('bar'), 'baz"foobar"baz')
 
+    def test_get_param_linear_complexity(self):
+        # Ensure that email.message._parseparam() is fast.
+        # See https://github.com/python/cpython/issues/136063.
+        N = 100_000
+        res = email.message._parseparam(';' * N)
+        self.assertEqual(res, [''] * N)
+        res = email.message._parseparam('foo=bar;' * N)
+        self.assertEqual(res, ['foo=bar'] * N)
+        res = email.message._parseparam(' FOO = bar ;' * N)
+        self.assertEqual(res, ['foo=bar'] * N)
+
     def test_field_containment(self):
         msg = email.message_from_string('Header: exists')
         self.assertIn('header', msg)
diff --git a/Misc/NEWS.d/next/Security/2025-06-28-13-23-53.gh-issue-136063.aGk0Jv.rst b/Misc/NEWS.d/next/Security/2025-06-28-13-23-53.gh-issue-136063.aGk0Jv.rst
@@ -0,0 +1,2 @@
+:mod:`email.message`: ensure linear complexity for legacy HTTP parameters
+parsing. Patch by Bénédikt Tran.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+:mod:`email.message`: ensure linear complexity for legacy HTTP parameters
	`2`	`+parsing. Patch by Bénédikt Tran.`