Bug report

Originally reported to the security address on September 9.

('xn--016c'+'a'*5000).encode('utf-8').decode('idna')

The execution time is not linear in relation to the input string size, which can cause slowness with large inputs:

10 chars = 0.016 seconds
100 chars = 0.047 seconds
1000 chars = 2.883 seconds
2500 chars = 17.724 seconds
5000 chars = 1 min 10 seconds

Comment by @tiran:

According to spec https://unicode.org/reports/tr46/ an IDNA label must not be longer than 63 characters. Python's idna module enforces the restriction, but too late.

This may be abused in some cases, for example by passing a crafted host name to asyncio create_connection:

import asyncio

async def main():
    loop = asyncio.get_running_loop()

    await loop.create_connection(
        lambda: [], ('xn--016c'+'a'*5000).encode('utf-8'), 443
    )

asyncio.run(main())

Your environment

• CPython versions tested on: CPython repository 'main' branch checkout, version 3.8.12, version 2.7.18
• Operating system and architecture: Ubuntu Linux x64

• PR: gh-98433: Fix quadratic time idna decoding. #99092

• PR: [3.11] gh-98433: Fix quadratic time idna decoding. (GH-99092) #99222

• PR: [3.10] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99222) #99229

• PR: [3.9] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99222) #99230

• PR: [3.8] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99222) #99231

• PR: [3.7] gh-98433: Fix quadratic time idna decoding. (GH-99092) (GH-99222) #99232