diff options
| author | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2022-03-02 13:50:32 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-03-02 13:50:32 (GMT) |
| commit | 1c9701a3de0566c085e03dddc14a8508aaae349e (patch) | |
| tree | 5c193ab56d3e54be17b494088101df6bb99da02e /Misc/NEWS.d/next | |
| parent | eb6c840a2414dc057ffcfbb5ad68d6253c8dd57c (diff) | |
| download | cpython-1c9701a3de0566c085e03dddc14a8508aaae349e.zip cpython-1c9701a3de0566c085e03dddc14a8508aaae349e.tar.gz cpython-1c9701a3de0566c085e03dddc14a8508aaae349e.tar.bz2 | |
bpo-46756: Fix authorization check in urllib.request (GH-31353) (GH-31572)
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and
urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which
allowed to bypass authorization. For example, access to URI "example.org/foobar"
was allowed if the user was authorized for URI "example.org/foo".
(cherry picked from commit e2e72567a1c94c548868f6ee5329363e6036057a)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Diffstat (limited to 'Misc/NEWS.d/next')
| -rw-r--r-- | Misc/NEWS.d/next/Library/2022-02-15-11-57-53.bpo-46756.AigSPi.rst | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Library/2022-02-15-11-57-53.bpo-46756.AigSPi.rst b/Misc/NEWS.d/next/Library/2022-02-15-11-57-53.bpo-46756.AigSPi.rst new file mode 100644 index 0000000..1660640 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2022-02-15-11-57-53.bpo-46756.AigSPi.rst @@ -0,0 +1,5 @@ +Fix a bug in :meth:`urllib.request.HTTPPasswordMgr.find_user_password` and +:meth:`urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated` which +allowed to bypass authorization. For example, access to URI +``example.org/foobar`` was allowed if the user was authorized for URI +``example.org/foo``. |