Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[3.5] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) #19305

Merged
merged 2 commits into from
Jun 20, 2020
Merged

[3.5] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) #19305

merged 2 commits into from
Jun 20, 2020

Commits on Apr 3, 2020

  1. bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) 

    The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.

AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.

Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit 0b297d4)
    @vstinner
    vstinner committed Apr 3, 2020
    Configuration menu
    Copy the full SHA
    e213d74 View commit details
    Browse the repository at this point in the history

Commits on Jun 20, 2020

  1. Merge branch '3.5' into urllib_basic_auth_regex35

    @larryhastings
    larryhastings authored Jun 20, 2020
    Configuration menu
    Copy the full SHA
    edee475 View commit details
    Browse the repository at this point in the history