git.ipfire.org Git - thirdparty/Python/cpython.git/commit
author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Thu, 2 Apr 2020 10:15:55 +0000 (03:15 -0700)
committer GitHub <noreply@github.com>
Thu, 2 Apr 2020 10:15:55 +0000 (12:15 +0200)
commit ea9e240aa02372440be8024acb110371f69c9d41
tree 6ba2ec16ced20fe888cc12ece8e8f0a1b4d66a5d
parent 40fff1ff04aa5bc2cf1b965d573b87c48e4da8cc
bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19296)

The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.

AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.

Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
(cherry picked from commit 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)
Lib/test/test_urllib2.py
Lib/urllib/request.py
Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst [new file with mode: 0644]
Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst [new file with mode: 0644]
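The commit message describes two behaviours: parsing every WWW-Authenticate header value, accepting several challenges in one header, and selecting the realm of the first Basic challenge; and doing so with a pattern that cannot backtrack catastrophically. The block below is an added example written for this page, not the CPython patch itself, and the names `parse_challenges`, `first_basic_realm` and `_split_commas` are assumptions. It splits challenges in one linear pass (commas inside quoted strings do not split), and every regular expression it uses is built so that a token class never overlaps the separator that follows it, which is the property that keeps matching linear even on long or malformed input. The sample header values in `__main__` are constructed.

```python
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Added example, not the urllib.request implementation; helper names are assumed.

# RFC 7230 "token" characters. The class contains no whitespace, '=' or ',',
# so a token can never overlap the separator that follows it in the patterns
# below. That lack of ambiguity is what rules out catastrophic backtracking.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"

# "<scheme> <rest>": an item that starts a new challenge.
_SCHEME_ITEM = re.compile(r"^(" + _TOKEN + r")[ \t]+(.*)$", re.DOTALL)

# RFC 7235 auth-param: name=token or name="quoted-string".
_PARAM = re.compile(
    r"^(" + _TOKEN + r")[ \t]*=[ \t]*"
    r'(?:"((?:[^"\\]|\\.)*)"|(' + _TOKEN + r"))[ \t]*$"
)

Challenge = Tuple[str, Dict[str, str]]


def _split_commas(header: str) -> List[str]:
    """Split a header value on commas that are outside quoted strings.

    Single forward pass, no regular expression, so cost is linear in length
    regardless of how malformed the input is (e.g. an unterminated quote).
    """
    items, buf, quoted, escape = [], [], False, False
    for ch in header:
        if escape:
            buf.append(ch)
            escape = False
        elif quoted and ch == "\\":
            buf.append(ch)
            escape = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == "," and not quoted:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf).strip())
    return [item for item in items if item]


def parse_challenges(headers: Sequence[str]) -> List[Challenge]:
    """Return (scheme, params) for every challenge across all header values.

    An item beginning with "<token> <space>" or consisting of a bare token
    starts a new challenge; any other item is an auth-param of the current one.
    Schemes and parameter names are lower-cased; unknown items are ignored.
    """
    challenges: List[Challenge] = []
    for header in headers:
        for item in _split_commas(header):
            m = _SCHEME_ITEM.match(item)
            if m:
                challenges.append((m.group(1).lower(), {}))
                item = m.group(2).strip()  # first param shares the item
                if not item:
                    continue
            elif re.fullmatch(_TOKEN, item):
                challenges.append((item.lower(), {}))  # scheme with no params
                continue
            if not challenges:
                continue  # a parameter before any scheme has no owner
            pm = _PARAM.match(item)
            if pm:
                if pm.group(2) is not None:
                    value = re.sub(r"\\(.)", r"\1", pm.group(2))  # unescape
                else:
                    value = pm.group(3)
                challenges[-1][1][pm.group(1).lower()] = value
    return challenges


def first_basic_realm(headers: Sequence[str]) -> Optional[str]:
    """Realm of the first Basic challenge, or None if there is no Basic challenge."""
    for scheme, params in parse_challenges(headers):
        if scheme == "basic":
            return params.get("realm")
    return None


if __name__ == "__main__":
    # Constructed sample: two challenges in one header value plus a second header.
    sample = [
        'Digest realm="digest-realm", qop="auth", Basic realm="Secure Area"',
        'Basic realm="later-realm"',
    ]
    for scheme, params in parse_challenges(sample):
        print(scheme, params)
    print("chosen realm:", first_basic_realm(sample))
```

The two regular expressions are the only places backtracking can occur, and each quantified class (`_TOKEN`, `[ \t]`, the quoted-string body) is disjoint from the literal that must follow it, so a failed match gives back at most one character per step and the total work stays proportional to the header length; the last two checks in the usage below feed 200 KB of malformed input through the parser to confirm it completes promptly.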