| author | Victor Stinner <vstinner@python.org> | 2020-04-03 03:15:56 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-04-02 21:15:56 -0400 |
| commit | 69cdeeb93e0830004a495ed854022425b93b3f3e | |
| tree | 7d7febe9471509c5f32930060ff38e8bebdaef1c /Misc/NEWS.d/next | |
| parent | bpo-40156: Copy Codecov configuration from master (GH-19306) | |
bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19304)
The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.
AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.
Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)
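The header handling the commit message describes, as an added example that is not CPython's own code: a linear-time parser that walks every WWW-Authenticate header value, splits each value into its challenges, and returns the realm of the first Basic challenge. It relies only on the standard library's urllib.request.parse_http_list; the sample header values are constructed.

```python
import re
from urllib.request import parse_http_list

# Constructed sample values (not from CPython's tests); the second carries two challenges.
SAMPLE_HEADERS = [
    'Digest realm="api", qop="auth", nonce="abc"',
    'Bearer realm="tokens", Basic realm="staff area"',
    'Basic realm="second"',
]

# One auth-scheme token (RFC 7230 tchar set), optional whitespace, rest of the item.
_SCHEME = re.compile(r"([!#$%&'*+\-.^_`|~0-9A-Za-z]+)(?:[ \t]+(.*))?")

def _parse_param(text):
    """Turn 'key=value' or 'key="value"' into (key, value); None if no '='."""
    key, sep, value = text.partition("=")
    if not sep:
        return None
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]  # parse_http_list already dropped backslashes
    return key.strip().lower(), value

def split_challenges(header):
    """Split one header value into [(scheme, {param: value}), ...]."""
    # parse_http_list splits on commas outside quotes, so a multi-parameter
    # challenge arrives as several items: an item starting with a scheme token
    # opens a new challenge, a bare key=value item joins the one before it.
    challenges = []
    for item in parse_http_list(header):
        m = _SCHEME.fullmatch(item)
        if m:
            challenges.append((m.group(1), {}))
            item = m.group(2)
            if item is None:  # scheme without parameters, e.g. "Negotiate"
                continue
        elif not challenges:
            continue  # parameter with no preceding scheme: ignore it
        param = _parse_param(item)
        if param:
            challenges[-1][1].setdefault(*param)  # first occurrence wins
    return challenges

def first_basic_realm(headers):
    """Realm of the first Basic challenge across all header values, else None."""
    for header in headers:
        for scheme, params in split_challenges(header):
            if scheme.lower() == "basic" and "realm" in params:
                return params["realm"]
    return None
```

Each value is scanned once, so a long server-controlled header costs time proportional to its length rather than blowing up in regex backtracking.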
Diffstat (limited to 'Misc/NEWS.d/next')
-rw-r--r-- | Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst | 3 |
-rw-r--r-- | Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 5 |
2 files changed, 8 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst new file mode 100644 index 00000000000..be80ce79d91 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst @@ -0,0 +1,3 @@ +:class:`~urllib.request.AbstractBasicAuthHandler` of :mod:`urllib.request` +now parses all WWW-Authenticate HTTP headers and accepts multiple challenges +per header: use the realm of the first Basic challenge. diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst new file mode 100644 index 00000000000..9f2800581ca --- /dev/null +++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst @@ -0,0 +1,5 @@ +CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the +:mod:`urllib.request` module uses an inefficient regular expression which can +be exploited by an attacker to cause a denial of service. Fix the regex to +prevent the catastrophic backtracking. Vulnerability reported by Ben Caller +and Matt Schwager. |
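Review bot: In the Library NEWS entry (2020-03-25-16-02-16.bpo-39503.YmMbYn.rst), the clause after the colon, "use the realm of the first Basic challenge", reads as an instruction to the reader rather than a description of the new behaviour; suggest stating it declaratively, e.g. "the realm of the first Basic challenge is used", so the entry reads as a statement of what the handler now does.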
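Review bot: The Security NEWS entry (2020-01-30-16-15-29.bpo-39503.B299Yq.rst) describes the vulnerability in the present tense and then switches to an imperative ("uses an inefficient regular expression ... Fix the regex"), whereas a NEWS entry should state what the release now does; suggest "Fix an inefficient regular expression in AbstractBasicAuthHandler that could be exploited by an attacker to cause a denial of service (catastrophic backtracking)". It would also help to name the header the regular expression is applied to: the commit message says WWW-Authenticate, which tells readers the input is a server-controlled response header and lets them judge which clients are exposed.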