Revision - ea9e240 - bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler [...]

Staging
v0.5.1

Revision ea9e240aa02372440be8024acb110371f69c9d41 authored by Miss Islington (bot) on 02 April 2020, 10:15:55 UTC, committed by GitHub on 02 April 2020, 10:15:55 UTC

bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19296)

The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.

AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.

Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Victor Stinner <vstinner@python.org>

(cherry picked from commit 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)

1 parent 40fff1f

Files
Changes

Permalinks

File	Mode	Size
Grammar	-rw-r--r--	9.6 KB
Tokens	-rw-r--r--	1.5 KB

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...