CVE-2023-28859: AsyncIO Race Condition Fix by chayim · Pull Request #2641 · redis/redis-py

redis-py through 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a non-pipeline operation), and can send response data to the client of an unrelated request. NOTE: this issue exists because of an incomplete fix for CVE-2023-28858.


@chayim I think this only fixed the pipeline, while the race condition still exists in the Redis class:

return await conn.retry.call_with_retry(

I can still reproduce #2624 using the latest redis-py 4.5.3.

Keep in mind that you need a slow enough Redis connection to reproduce this, otherwise the cancellation does not happen simply because the entire RESP exchange with Redis happens before there is a chance to cancel the task.

Also, are you sure that shielding from cancellation is the right approach? For example, this means that there would be no way to cancel a blocking BLPOP.

I found the same problem. Just install the Redis service locally and run the following code and it will definitely reproduce:

import asyncio
from redis.asyncio import Redis


async def main():
    # single_connection_client forces every command through one connection,
    # so a reply left unread by the cancelled task is consumed by the next command.
    async with Redis(single_connection_client=True) as r:
        await r.set('foo', 'foo')
        await r.set('bar', 'bar')

        t = asyncio.create_task(r.get('foo'))
        await asyncio.sleep(0)  # <--- must be 0: the task sends GET foo and blocks on the reply
        t.cancel()
        try:
            await t
            print('try again, we did not cancel the task in time')
        except asyncio.CancelledError:
            print('managed to cancel the task, connection is left open with unread response')

        # The reply to the cancelled GET foo is still sitting on the connection,
        # so these unrelated commands are handed each other's responses.
        print('bar:', await r.get('bar'))
        print('ping:', await r.ping())
        print('foo:', await r.get('foo'))


if __name__ == '__main__':
    asyncio.run(main())
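The two comments above make three points: the stale reply is handed to the next unrelated command, the race only shows up when the reply is slow enough to leave a cancellation window, and shielding the read (the approach questioned for the PR) trades that bug for an uncancellable blocking command. The example below, written for this page and not taken from redis-py or the PR, reproduces all three offline against an in-memory stand-in for a slow Redis connection. `FakeSlowConnection`, the three client classes and the helper functions are all constructed here and are not redis-py APIs; the drop-the-connection-on-cancel variant is shown as one generic mitigation pattern, not as a claim about what redis-py shipped.

```python
import asyncio


class FakeSlowConnection:
    """In-memory stand-in for one Redis connection (constructed for this
    example, not redis-py code). Every reply lands in the inbound buffer
    `latency` seconds after the command is sent, whether or not anyone is
    still waiting for it. That delay is the cancellation window."""

    def __init__(self, latency=0.01):
        self.latency = latency
        self.store = {}
        self.inbound = asyncio.Queue()   # replies sitting unread on the "socket"
        self.reconnects = 0
        self.pending_readers = 0         # coroutines currently parked in read_response

    async def send_command(self, *args):
        cmd = args[0].upper()
        if cmd == "SET":
            self.store[args[1]] = args[2]
            reply = "OK"
        elif cmd == "GET":
            reply = self.store.get(args[1])
        elif cmd == "PING":
            reply = "PONG"
        elif cmd == "BLPOP":
            return                       # blocking pop on an empty list: never answered
        else:
            reply = "ERR unknown command"
        # put_nowait is bound to the queue that exists *now*, so a reply for a
        # connection that was dropped meanwhile never reaches its replacement.
        asyncio.get_running_loop().call_later(
            self.latency, self.inbound.put_nowait, reply)

    async def read_response(self):
        self.pending_readers += 1
        try:
            # Cancellable; an unread reply stays queued for whoever reads next.
            return await self.inbound.get()
        finally:
            self.pending_readers -= 1

    async def disconnect(self):
        # Dropping the socket discards everything still in flight on it.
        self.inbound = asyncio.Queue()
        self.reconnects += 1


class VulnerableClient:
    """Send, then await the reply. If the await is cancelled the reply still
    arrives, stays buffered, and is returned to the next unrelated command."""

    def __init__(self, conn):
        self.conn = conn

    async def execute(self, *args):
        await self.conn.send_command(*args)
        return await self.conn.read_response()


class ShieldedClient(VulnerableClient):
    """Shield the read. The caller still gets CancelledError, but the read
    keeps running and consumes its own reply, so the buffer stays in sync.
    Cost: a BLPOP that is never answered leaves a reader parked forever."""

    async def execute(self, *args):
        await self.conn.send_command(*args)
        return await asyncio.shield(self.conn.read_response())


class DropOnCancelClient(VulnerableClient):
    """After a cancellation mid-exchange the connection state is unknown, so
    drop the connection instead of reusing it. Cancellation stays honoured."""

    async def execute(self, *args):
        await self.conn.send_command(*args)
        try:
            return await self.conn.read_response()
        except asyncio.CancelledError:
            await self.conn.disconnect()
            raise


async def _cancel_mid_flight(client, *args):
    task = asyncio.create_task(client.execute(*args))
    await asyncio.sleep(0)          # task sends the command and blocks on the reply
    task.cancel()
    try:
        await task
    except asyncio.CancelledError:
        pass


async def _cancelled_get_then_unrelated_get(client_cls):
    client = client_cls(FakeSlowConnection())
    await client.execute("SET", "foo", "foo")
    await client.execute("SET", "bar", "bar")
    await _cancel_mid_flight(client, "GET", "foo")
    return await client.execute("GET", "bar")   # what the client is told "bar" is


async def _readers_after_cancelled_blpop(client_cls):
    conn = FakeSlowConnection()
    client = client_cls(conn)
    await _cancel_mid_flight(client, "BLPOP", "jobs", "0")
    await asyncio.sleep(0)
    return conn.pending_readers


def value_returned_for_bar(client_cls):
    """'foo' means the cancelled request's reply leaked into an unrelated one."""
    return asyncio.run(_cancelled_get_then_unrelated_get(client_cls))


def readers_orphaned_by_cancel(client_cls):
    """Readers still parked on the connection after cancelling an unanswered BLPOP."""
    return asyncio.run(_readers_after_cancelled_blpop(client_cls))


if __name__ == "__main__":
    for cls in (VulnerableClient, ShieldedClient, DropOnCancelClient):
        print(f"{cls.__name__:20} GET bar -> {value_returned_for_bar(cls)!r}; "
              f"readers left after cancelled BLPOP: {readers_orphaned_by_cancel(cls)}")
```

`VulnerableClient` answers `GET bar` with `'foo'`: exactly the cross-request data leak in the advisory text. Both alternatives return `'bar'`, but only the drop-on-cancel variant leaves zero readers behind after a cancelled blocking command; the shielded one keeps a reader parked on the connection with no way to interrupt it, which is the BLPOP objection raised above. Setting `latency=0` in `FakeSlowConnection` removes the window, which is why the comment about a slow enough connection matters for reproduction.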

Related news

GHSA-8fww-64cx-x8p5: redis-py Race Condition due to incomplete fix

