git.ipfire.org Git - thirdparty/Python/cpython.git/commit

author	Victor Stinner <vstinner@python.org>
	Fri, 3 Apr 2020 01:15:56 +0000 (03:15 +0200)
committer	GitHub <noreply@github.com>
	Fri, 3 Apr 2020 01:15:56 +0000 (21:15 -0400)
commit	69cdeeb93e0830004a495ed854022425b93b3f3e
tree	7d7febe9471509c5f32930060ff38e8bebdaef1c	tree \| snapshot
parent	ebeabb5b728f009480ced3ca4738c20fa073b507	commit \| diff

bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19304)

The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.

AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.

Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)

Lib/test/test_urllib2.py		diff \| blob \| blame \| history
Lib/urllib/request.py		diff \| blob \| blame \| history
Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst	[new file with mode: 0644]	blob
Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst	[new file with mode: 0644]	blob