bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler #18284

Merged
merged 2 commits into from Apr 2, 2020

Commits on Mar 25, 2020

  1. bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler

    The AbstractBasicAuthHandler class of the urllib.request module uses
    an inefficient regular expression which can be exploited by an
    attacker to cause a denial of service. Fix the regex to prevent the
    catastrophic backtracking. Vulnerability reported by Ben Caller
    and Matt Schwager.
    
    AbstractBasicAuthHandler of urllib.request now parses all
    WWW-Authenticate HTTP headers and accepts multiple challenges per
    header: use the realm of the first Basic challenge.
    
    Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
    vstinner and serhiy-storchaka committed Mar 25, 2020
    3652a84
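
The header handling described in the first commit message (scan every WWW-Authenticate header, allow several challenges per header, take the realm of the first Basic challenge), as an added example that is not code from this pull request or from CPython. The pattern, the function names `challenges` and `first_basic_realm`, and the sample headers are assumptions constructed for illustration.

```python
import re

# Assumed pattern, written for this example (not the regex from the PR).
# A challenge is "<scheme> realm=<value>" at the start of a header value or
# after a comma. No quantifier is nested inside another and the scheme token
# cannot cross a comma, so a failed match is abandoned quickly instead of
# being retried over every possible split of the input.
_CHALLENGE = re.compile(r"""
    (?:^|,) [ \t]*          # start of the header value, or a comma separator
    ([^ \t,]+) [ \t]+       # scheme token, then mandatory whitespace
    realm=
    (?: "([^"]*)"           # realm="xxx"
      | '([^']*)'           # realm='xxx'
      | ([^"', \t]*) )      # realm=xxx (unquoted, ends at comma or space)
""", re.IGNORECASE | re.VERBOSE)


def challenges(header_values):
    """Return (scheme, realm) for every challenge in every header value."""
    found = []
    for value in header_values:                  # all WWW-Authenticate headers
        for m in _CHALLENGE.finditer(value):     # all challenges in one header
            scheme, *realms = m.groups()
            # Exactly one of the three realm alternatives took part in the match.
            realm = next(r for r in realms if r is not None)
            found.append((scheme, realm))
    return found


def first_basic_realm(header_values):
    """Return the realm of the first Basic challenge, or None if there is none."""
    for scheme, realm in challenges(header_values):
        if scheme.lower() == "basic":
            return realm
    return None


# Constructed sample: three WWW-Authenticate header values from one response.
SAMPLE_HEADERS = [
    "Negotiate",
    'Digest realm="d1", nonce="abc", Basic realm="ACME Intranet"',
    "Basic realm='second'",
]

if __name__ == "__main__":
    print(challenges(SAMPLE_HEADERS))
    print(first_basic_realm(SAMPLE_HEADERS))
```
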

Commits on Mar 30, 2020

  1. Address Serhiy's review

    vstinner committed Mar 30, 2020
    666772a