diff options
| author | Yeting Li <liyt@ios.ac.cn> | 2021-04-07 11:27:41 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-04-07 11:27:41 (GMT) |
| commit | 7215d1ae25525c92b026166f9d5cac85fb1defe1 (patch) | |
| tree | c18d81a4f47c91c52e5cc567765576608cad9d62 /Lib/urllib | |
| parent | d36d6a9c1808e87628ebaa855d4bec80130189f4 (diff) | |
| download | cpython-7215d1ae25525c92b026166f9d5cac85fb1defe1.zip cpython-7215d1ae25525c92b026166f9d5cac85fb1defe1.tar.gz cpython-7215d1ae25525c92b026166f9d5cac85fb1defe1.tar.bz2 | |
bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391)
Fix Regular Expression Denial of Service (ReDoS) vulnerability in
urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
has quadratic worst-case complexity and it allows cause a denial of
service when identifying crafted invalid RFCs. This ReDoS issue is on
the client side and needs remote attackers to control the HTTP server.
Diffstat (limited to 'Lib/urllib')
| -rw-r--r-- | Lib/urllib/request.py | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py index e5febe6..8363905 100644 --- a/Lib/urllib/request.py +++ b/Lib/urllib/request.py @@ -945,7 +945,7 @@ class AbstractBasicAuthHandler: # (single quotes are a violation of the RFC, but appear in the wild) rx = re.compile('(?:^|,)' # start of the string or ',' '[ \t]*' # optional whitespaces - '([^ \t]+)' # scheme like "Basic" + '([^ \t,]+)' # scheme like "Basic" '[ \t]+' # mandatory whitespaces # realm=xxx # realm='xxx' |