bpo-46756: Fix authorization check in urllib.request (GH-31353)

Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI "example.org/foobar" was allowed if the user was authorized for URI "example.org/foo".
author: Serhiy Storchaka <storchaka@gmail.com> 2022-02-25 11:31:03 (GMT)
committer: GitHub <noreply@github.com> 2022-02-25 11:31:03 (GMT)
commit: e2e72567a1c94c548868f6ee5329363e6036057a (patch)
tree: 4fda0ff786291269065939cc0693ae670276dd30 /Misc
parent: 53ecf9e08d35801807daf74492c090a325f995b7 (diff)
download: cpython-e2e72567a1c94c548868f6ee5329363e6036057a.zip
cpython-e2e72567a1c94c548868f6ee5329363e6036057a.tar.gz
cpython-e2e72567a1c94c548868f6ee5329363e6036057a.tar.bz2
1 files changed, 5 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Library/2022-02-15-11-57-53.bpo-46756.AigSPi.rst b/Misc/NEWS.d/next/Library/2022-02-15-11-57-53.bpo-46756.AigSPi.rst
new file mode 100644
index 0000000..1660640
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2022-02-15-11-57-53.bpo-46756.AigSPi.rst
@@ -0,0 +1,5 @@
+Fix a bug in :meth:`urllib.request.HTTPPasswordMgr.find_user_password` and
+:meth:`urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated` which
+allowed to bypass authorization. For example, access to URI
+``example.org/foobar`` was allowed if the user was authorized for URI
+``example.org/foo``.
author	Serhiy Storchaka <storchaka@gmail.com>	2022-02-25 11:31:03 (GMT)
committer	GitHub <noreply@github.com>	2022-02-25 11:31:03 (GMT)
commit	e2e72567a1c94c548868f6ee5329363e6036057a (patch)
tree	4fda0ff786291269065939cc0693ae670276dd30 /Misc
parent	53ecf9e08d35801807daf74492c090a325f995b7 (diff)
download	cpython-e2e72567a1c94c548868f6ee5329363e6036057a.zip cpython-e2e72567a1c94c548868f6ee5329363e6036057a.tar.gz cpython-e2e72567a1c94c548868f6ee5329363e6036057a.tar.bz2