Skip to content

[2.7] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler #19302

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
tapakund wants to merge 1 commit into from
Closed

[2.7] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler #19302

tapakund wants to merge 1 commit into from

Conversation

@tapakund
Copy link

@tapakund tapakund commented Apr 2, 2020
edited by bedevere-bot
Loading

The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.

AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.

Co-Authored-By: Serhiy Storchaka [email protected]
(cherry picked from commit 0b297d4)

Co-authored-by: Victor Stinner [email protected]

Signed-off-by: Tapas Kundu [email protected]

https://bugs.python.org/issue39503

@tapakund
[2.7] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler
1b2e773 
The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.

AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.

Co-Authored-By: Serhiy Storchaka <[email protected]>
(cherry picked from commit 0b297d4)

Co-authored-by: Victor Stinner <[email protected]>

Signed-off-by: Tapas Kundu <[email protected]>
@tapakund
Copy link
Author

tapakund commented Apr 2, 2020

Need to rework, will raise fresh.

@tapakund tapakund closed this Apr 2, 2020
@vstinner
Copy link
Member

vstinner commented Apr 2, 2020

Python 2.7 no longer accept security fixes: https://devguide.python.org/#status-of-python-branches

@vstinner vstinner reopened this Apr 2, 2020
@vstinner vstinner closed this Apr 2, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

awaiting review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tapakund @vstinner @the-knights-who-say-ni @bedevere-bot