diff options
| author | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2022-02-25 11:57:30 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-02-25 11:57:30 (GMT) |
| commit | 2b7e04d61274af03426975fe824ed83eca35b035 (patch) | |
| tree | 8497c04c372d92b643d77ea0158f3c3eb65abd47 /Misc | |
| parent | 632a8121d4d577541c3fddffc986bcb8d8d545b6 (diff) | |
| download | cpython-2b7e04d61274af03426975fe824ed83eca35b035.zip cpython-2b7e04d61274af03426975fe824ed83eca35b035.tar.gz cpython-2b7e04d61274af03426975fe824ed83eca35b035.tar.bz2 | |
bpo-46756: Fix authorization check in urllib.request (GH-31353)
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and
urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which
allowed to bypass authorization. For example, access to URI "example.org/foobar"
was allowed if the user was authorized for URI "example.org/foo".
(cherry picked from commit e2e72567a1c94c548868f6ee5329363e6036057a)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Diffstat (limited to 'Misc')
| -rw-r--r-- | Misc/NEWS.d/next/Library/2022-02-15-11-57-53.bpo-46756.AigSPi.rst | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Library/2022-02-15-11-57-53.bpo-46756.AigSPi.rst b/Misc/NEWS.d/next/Library/2022-02-15-11-57-53.bpo-46756.AigSPi.rst new file mode 100644 index 0000000..1660640 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2022-02-15-11-57-53.bpo-46756.AigSPi.rst @@ -0,0 +1,5 @@ +Fix a bug in :meth:`urllib.request.HTTPPasswordMgr.find_user_password` and +:meth:`urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated` which +allowed to bypass authorization. For example, access to URI +``example.org/foobar`` was allowed if the user was authorized for URI +``example.org/foo``. |