git.ipfire.org Git - thirdparty/Python/cpython.git/commit

bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19297)

The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.

AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.

Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
(cherry picked from commit 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)

author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
	Thu, 2 Apr 2020 10:16:17 +0000 (03:16 -0700)
committer	GitHub <noreply@github.com>
	Thu, 2 Apr 2020 10:16:17 +0000 (12:16 +0200)
commit	b57a73694e26e8b2391731b5ee0b1be59437388e
tree	670142d16219f93c55724e00f734ebe1630a91d7	tree \| snapshot
parent	8e069fc2ee19f40ce97e61e880bb409ed415d98c	commit \| diff

Lib/test/test_urllib2.py		diff \| blob \| blame \| history
Lib/urllib/request.py		diff \| blob \| blame \| history
Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst	[new file with mode: 0644]	blob
Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst	[new file with mode: 0644]	blob