git.ipfire.org Git - thirdparty/Python/cpython.git/commit

author	Victor Stinner <vstinner@python.org>
	Thu, 2 Apr 2020 00:52:20 +0000 (02:52 +0200)
committer	GitHub <noreply@github.com>
	Thu, 2 Apr 2020 00:52:20 +0000 (02:52 +0200)
commit	0b297d4ff1c0e4480ad33acae793fbaf4bf015b4
tree	7f39cf8cddaf63245f29e784ee570586d902afed	tree \| snapshot
parent	d57cf557366584539f400db523b555296487e8f5	commit \| diff

bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284)

The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.

AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.

Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>

Lib/test/test_urllib2.py		diff \| blob \| blame \| history
Lib/urllib/request.py		diff \| blob \| blame \| history
Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst	[new file with mode: 0644]	blob
Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst	[new file with mode: 0644]	blob