]> git.ipfire.org Git - thirdparty/Python/cpython.git/commit
projects / thirdparty / Python / cpython.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 9a988b8) | patch
bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391)
authorMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Wed, 7 Apr 2021 11:45:05 +0000 (04:45 -0700)
committerGitHub <noreply@github.com>
Wed, 7 Apr 2021 11:45:05 +0000 (04:45 -0700)
commite7654b6046090914a8323931ed759a94a5f85d60
tree9d0c8ab8c565b2536b0fc05bb66d31aaffcd1158tree | snapshot
parent9a988b8cd8344808a03c9a2ba0c9ba2188240eaecommit | diff
bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391)

Fix Regular Expression Denial of Service (ReDoS) vulnerability in
urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
has quadratic worst-case complexity and it allows cause a denial of
service when identifying crafted invalid RFCs. This ReDoS issue is on
the client side and needs remote attackers to control the HTTP server.
(cherry picked from commit 7215d1ae25525c92b026166f9d5cac85fb1defe1)

Co-authored-by: Yeting Li <liyt@ios.ac.cn>
Lib/urllib/request.py diff | blob | blame | history
Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst [new file with mode: 0644] blob
Mirror of https://github.com/python/cpython.git