| author | Victor Stinner <vstinner@python.org> | 2020-04-02 00:52:20 (GMT) | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-04-02 00:52:20 (GMT) | 
| commit | 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4 | |
| tree | 7f39cf8cddaf63245f29e784ee570586d902afed /Python/compile.c | |
| parent | d57cf557366584539f400db523b555296487e8f5 | |

bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284)

The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.

AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.

Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>

Diffstat (limited to 'Python/compile.c')
0 files changed, 0 insertions, 0 deletions
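
The parsing behaviour the commit message describes (scan every WWW-Authenticate header, accept several challenges per header, use the realm of the first Basic challenge), shown as an added Python example. It is written for this page and is not the code from the commit: the pattern, the function names and the sample headers are assumptions, and only quoted realm values are recognised.

```python
import re

# Assumed pattern for this example (not taken from the commit): a challenge is
# "<scheme> realm="<value>"" at the start of a header value or right after a
# comma. Neighbouring character classes are disjoint and no repetition is
# nested inside another, so a non-matching input fails without the regex
# engine retrying many overlapping ways to split the same text.
CHALLENGE_RE = re.compile(r'(?:^|,)[ \t]*([^ \t,]+)[ \t]+realm="([^"]*)"')


def iter_challenges(header_values):
    """Yield (scheme, realm) for each challenge found in each header value.

    header_values is the list of all WWW-Authenticate values on a response,
    e.g. what email.message.Message.get_all("www-authenticate") returns.
    """
    for value in header_values:
        for match in CHALLENGE_RE.finditer(value):
            yield match.group(1), match.group(2)


def first_basic_realm(header_values):
    """Return the realm of the first Basic challenge, or None if none exists."""
    for scheme, realm in iter_challenges(header_values):
        if scheme.lower() == "basic":
            return realm
    return None


def other_schemes(header_values):
    """Return the non-Basic schemes offered, in the order they were seen."""
    return [s for s, _ in iter_challenges(header_values) if s.lower() != "basic"]


# Constructed sample: two headers, the second carrying three challenges.
SAMPLE_HEADERS = [
    'Bearer realm="sso"',
    'Digest realm="api", nonce="abc", Basic realm="files", Basic realm="second"',
]

if __name__ == "__main__":
    print(first_basic_realm(SAMPLE_HEADERS))
    print(other_schemes(SAMPLE_HEADERS))
```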
