Staging
v0.8.1
v0.8.1
https://github.com/python/cpython
Revision 69cdeeb93e0830004a495ed854022425b93b3f3e authored by Victor Stinner on 03 April 2020, 01:15:56 UTC, committed by GitHub on 03 April 2020, 01:15:56 UTC
The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager. AbstractBasicAuthHandler of urllib.request now parses all WWW-Authenticate HTTP headers and accepts multiple challenges per header: use the realm of the first Basic challenge. Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com> (cherry picked from commit 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)
1 parent ebeabb5
Tip revision: 69cdeeb93e0830004a495ed854022425b93b3f3e authored by Victor Stinner on 03 April 2020, 01:15:56 UTC
bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19304)
bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19304)
Tip revision: 69cdeeb
| File | Mode | Size |
|---|---|---|
| Python.asdl | -rw-r--r-- | 5.0 KB |
| acceler.c | -rw-r--r-- | 3.3 KB |
| asdl.py | -rw-r--r-- | 12.6 KB |
| asdl_c.py | -rw-r--r-- | 43.7 KB |
| bitset.c | -rw-r--r-- | 1.0 KB |
| firstsets.c | -rw-r--r-- | 2.8 KB |
| grammar.c | -rw-r--r-- | 7.4 KB |
| grammar1.c | -rw-r--r-- | 1.3 KB |
| listnode.c | -rw-r--r-- | 1.2 KB |
| metagrammar.c | -rw-r--r-- | 2.4 KB |
| myreadline.c | -rw-r--r-- | 10.8 KB |
| node.c | -rw-r--r-- | 4.4 KB |
| parser.c | -rw-r--r-- | 11.6 KB |
| parser.h | -rw-r--r-- | 1.0 KB |
| parsetok.c | -rw-r--r-- | 10.5 KB |
| parsetok_pgen.c | -rw-r--r-- | 35 bytes |
| pgen.c | -rw-r--r-- | 17.9 KB |
| pgenmain.c | -rw-r--r-- | 4.0 KB |
| printgrammar.c | -rw-r--r-- | 2.9 KB |
| tokenizer.c | -rw-r--r-- | 54.8 KB |
| tokenizer.h | -rw-r--r-- | 3.8 KB |
| tokenizer_pgen.c | -rw-r--r-- | 36 bytes |
Computing file changes ...
