https://github.com/python/cpython
Revision b57a73694e26e8b2391731b5ee0b1be59437388e authored by Miss Islington (bot) on 02 April 2020, 10:16:17 UTC, committed by GitHub on 02 April 2020, 10:16:17 UTC
The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.

AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.

Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Victor Stinner <vstinner@python.org>

(cherry picked from commit 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)
1 parent 8e069fc
bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19297)
File Mode Size
.azure-pipelines
.github
Doc
Grammar
Include
Lib
Mac
Misc
Modules
Objects
PC
PCbuild
Parser
Programs
Python
Tools
m4
.gitattributes -rw-r--r-- 1.6 KB
.gitignore -rw-r--r-- 1.5 KB
.travis.yml -rw-r--r-- 6.1 KB
CODE_OF_CONDUCT.rst -rw-r--r-- 631 bytes
LICENSE -rw-r--r-- 12.5 KB
Makefile.pre.in -rw-r--r-- 62.9 KB
README.rst -rw-r--r-- 9.6 KB
aclocal.m4 -rw-r--r-- 10.7 KB
config.guess -rwxr-xr-x 43.1 KB
config.sub -rwxr-xr-x 35.4 KB
configure -rwxr-xr-x 492.1 KB
configure.ac -rw-r--r-- 164.8 KB
install-sh -rwxr-xr-x 7.0 KB
pyconfig.h.in -rw-r--r-- 42.3 KB
setup.py -rw-r--r-- 101.3 KB
