Skip to content

[3.5] closes bpo-38576: Disallow control characters in hostnames in h… #19231

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
tapakund wants to merge 1 commit into from
Closed

[3.5] closes bpo-38576: Disallow control characters in hostnames in h… #19231

tapakund wants to merge 1 commit into from

Conversation

@tapakund
Copy link

@tapakund tapakund commented Mar 30, 2020
edited by bedevere-bot
Loading

…ttp.client.

Add host validation for control characters for more
CVE-2019-18348 protection.
(cherry picked from commit 83fc701)

Co-authored-by: Ashwin Ramaswami [email protected]

Signed-off-by: Tapas Kundu [email protected]

https://bugs.python.org/issue38576

@tapakund tapakund mentioned this pull request Mar 31, 2020
Merged
@tapakund
[3.5] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler
7f61d27 
The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.

AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.

Co-Authored-By: Serhiy Storchaka <[email protected]>

Signed-off-by: Tapas Kundu <[email protected]>
@tapakund
Copy link
Author

tapakund commented Apr 2, 2020

Will raise a fresh PR

@tapakund tapakund closed this Apr 2, 2020
@tapakund tapakund mentioned this pull request Apr 2, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@epicfaace epicfaace epicfaace approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

awaiting core review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tapakund @epicfaace @the-knights-who-say-ni @bedevere-bot