[3.5] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) #19305

Merged
merged 2 commits into from
Jun 20, 2020

Commits on Apr 3, 2020

  1. bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284)

    The AbstractBasicAuthHandler class of the urllib.request module uses
    an inefficient regular expression which can be exploited by an
    attacker to cause a denial of service. Fix the regex to prevent the
    catastrophic backtracking. Vulnerability reported by Ben Caller
    and Matt Schwager.
    
    AbstractBasicAuthHandler of urllib.request now parses all
    WWW-Authenticate HTTP headers and accepts multiple challenges per
    header: use the realm of the first Basic challenge.
    
    Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
    (cherry picked from commit 0b297d4)
    vstinner committed Apr 3, 2020
    e213d74
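
The parsing behaviour the commit message describes (every WWW-Authenticate header, several challenges per header, realm of the first Basic challenge), as an added example that is not code from this pull request or from CPython. The pattern, the function names and the sample headers are assumptions made for illustration.

```python
import re
import time

# One challenge: "<scheme> realm=<quoted-string or token>", starting at the
# beginning of the header value or right after a comma. No quantifier wraps
# another, and the scheme class excludes ",", so a failed attempt at one comma
# cannot re-scan text that belongs to the next one.
CHALLENGE = re.compile(
    r'(?:^|,)[ \t]*([^ \t,]+)[ \t]+realm=(?:"([^"]*)"|([^ \t,"]+))',
    re.IGNORECASE,
)

def first_basic_realm(www_authenticate_values):
    """Return (realm, other_schemes) for a list of WWW-Authenticate values.

    realm comes from the first Basic challenge across all header values,
    or is None when the server offered no Basic challenge.
    """
    others = []
    for value in www_authenticate_values:
        for m in CHALLENGE.finditer(value):
            scheme = m.group(1)
            realm = m.group(2) if m.group(2) is not None else m.group(3)
            if scheme.lower() == "basic":
                return realm, others
            others.append(scheme)
    return None, others

def parse_seconds(value):
    """Wall-clock time to scan one header value (regression guard)."""
    start = time.perf_counter()
    first_basic_realm([value])
    return time.perf_counter() - start

if __name__ == "__main__":
    # Constructed sample headers, not taken from the pull request.
    sample = [
        'Negotiate realm="corp"',
        'Digest realm="api", nonce="abc123", Basic realm="files"',
        'Basic realm="second"',
    ]
    print(first_basic_realm(sample))
    # A long run of separators must still parse in well under a second.
    print(parse_seconds("," * 100_000) < 1.0)
```

The timing check is the part worth keeping in a test suite: it fails loudly if a later edit to the pattern reintroduces super-linear matching.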

Commits on Jun 20, 2020

  1. edee475