path: root/Python/pythonrun.c
author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> 2020-04-02 10:15:55 (GMT)
committer: GitHub <noreply@github.com> 2020-04-02 10:15:55 (GMT)
commit: ea9e240aa02372440be8024acb110371f69c9d41 (patch)
tree: 6ba2ec16ced20fe888cc12ece8e8f0a1b4d66a5d /Python/pythonrun.c
parent: 40fff1ff04aa5bc2cf1b965d573b87c48e4da8cc (diff)
bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19296)
The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.

AbstractBasicAuthHandler of urllib.request now parses all WWW-Authenticate HTTP headers and accepts multiple challenges per header: use the realm of the first Basic challenge.

Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
(cherry picked from commit 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)
Diffstat (limited to 'Python/pythonrun.c')
0 files changed, 0 insertions, 0 deletions
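
The behaviour the commit message describes (scan every WWW-Authenticate header, allow several challenges per header, take the realm of the first Basic challenge) can be sketched as follows. This is an added example, not code from the CPython patch; the pattern, the function name first_basic_realm and the sample headers are assumptions made for illustration.

```python
import re

# Hypothetical pattern for this example (not taken from the CPython source).
# A challenge may only start at the beginning of the value or right after a
# comma, so the engine has a single way to consume the text before a
# challenge and cannot backtrack over overlapping prefixes.
CHALLENGE_RX = re.compile(
    r'(?:^|,)[ \t]*([^ \t,]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)


def first_basic_realm(header_values):
    """Return the realm of the first Basic challenge, or None.

    header_values: all WWW-Authenticate header values of one response,
    in the order they were received.
    """
    for value in header_values:
        # finditer walks every challenge in the header, not just the first.
        for match in CHALLENGE_RX.finditer(value):
            scheme, _quote, realm = match.groups()
            if scheme.lower() == "basic":
                return realm
    return None


# Constructed sample response headers (not from a real server).
SAMPLE_HEADERS = [
    "Negotiate",
    'Digest realm="api", nonce="abc", Basic realm="files"',
]

# Constructed regression input: a long header value with no challenge in it.
# The anchored pattern rejects it in time proportional to its length.
LONG_HEADER_WITHOUT_CHALLENGE = ["," * 65000]

if __name__ == "__main__":
    print(first_basic_realm(SAMPLE_HEADERS))
    print(first_basic_realm(LONG_HEADER_WITHOUT_CHALLENGE))
```

A regression test for this class of bug feeds the parser a long header that contains no challenge and checks that it returns promptly with no realm.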