git.ipfire.org Git - thirdparty/Python/cpython.git/commit
bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (#19305)
author    Victor Stinner <vstinner@python.org>
          Sat, 20 Jun 2020 06:26:58 +0000 (08:26 +0200)
committer GitHub <noreply@github.com>
          Sat, 20 Jun 2020 06:26:58 +0000 (23:26 -0700)
commit    37fe316479e0b6906a74b0c0a5e495c55037fdfd
tree      8c28e5c58d863034fdab90f35820290d58822a10
parent    f91a0b6df14d6c5133fe3d5889fad7d84fc0c046
bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (#19305)

The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.

AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.
Files changed:
  Lib/test/test_urllib2.py
  Lib/urllib/request.py
  Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst [new file with mode: 0644]
  Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst [new file with mode: 0644]
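The commit message describes the behaviour the fix needs: scan every WWW-Authenticate header, accept several comma-separated challenges in one header, and use the realm of the first Basic challenge, all with a pattern that cannot backtrack catastrophically. The following is an added illustration of that behaviour, not the code from this CPython commit: the regular expression, the function names `parse_challenges` and `first_basic_realm`, and the sample header values are my own. The pattern anchors each challenge to the start of the header or to a comma and gives the scheme token a character class that excludes commas and whitespace, so the engine has a single place to begin each match and no nested unbounded quantifier to retry; that is the structural property that keeps matching linear in the header length.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Anchored challenge pattern (added example, not the cpython patch's own regex).
# A challenge begins at the start of the header value or directly after a
# comma. The scheme token [^ \t,]+ cannot contain commas or whitespace, so the
# engine never has to reconsider where a challenge starts. The realm value is
# double-quoted, single-quoted, or an unquoted token that stops at a comma or
# whitespace; each alternative is a bounded, non-nested class repetition.
_CHALLENGE = re.compile(
    r"""(?:^|,)[ \t]*([^ \t,]+)[ \t]+realm=(?:"([^"]*)"|'([^']*)'|([^ \t,]*))""",
    re.IGNORECASE,
)


def parse_challenges(header_value: str) -> List[Tuple[str, str]]:
    """Return every (scheme, realm) pair found in one WWW-Authenticate value.

    Challenges that carry no realm parameter (for example a bare 'Negotiate')
    are skipped, mirroring the fact that only realm-bearing challenges are
    useful to a Basic auth handler.
    """
    found = []
    for match in _CHALLENGE.finditer(header_value):
        scheme, dq, sq, bare = match.groups()
        realm = dq if dq is not None else sq if sq is not None else bare
        found.append((scheme, realm))
    return found


def first_basic_realm(header_values: Iterable[str]) -> Optional[str]:
    """Return the realm of the first Basic challenge across all headers.

    `header_values` is every WWW-Authenticate value the response carried, in
    order; with http.client that is `resp.headers.get_all("www-authenticate", [])`.
    Returns None when no Basic challenge with a realm is present.
    """
    for value in header_values:
        for scheme, realm in parse_challenges(value):
            if scheme.lower() == "basic":
                return realm
    return None


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    samples = [
        ['Basic realm="example"'],
        ['Digest realm="d", nonce="x", Basic realm="b"'],
        ['Bearer realm="api"', "basic realm='second'"],
        ['Negotiate'],
    ]
    for headers in samples:
        print(headers, "->", first_basic_realm(headers))
```

Because the scheme and realm classes are both bounded and there is no outer `(?:.*,)*`-style repetition in front of them, a hostile header that is merely long, or that contains thousands of commas, costs the matcher work proportional to its length rather than to an exponential number of split points; the usual check is to time `first_basic_realm` on a value of a few hundred kilobytes of repeated `, ` and confirm the runtime stays in the millisecond range.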