
@vstinner (Member) commented Apr 2, 2020

The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.

AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.

Co-Authored-By: Serhiy Storchaka <[email protected]>
(cherry picked from commit 0b297d4)

https://bugs.python.org/issue39503
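The header parsing the description asks for, written out as an added example that is not the PR's patch: every WWW-Authenticate header value of a response is scanned, a value may carry several comma-separated challenges, and the realm of the first Basic challenge wins. The pattern below is my own and is anchored so that a challenge is only looked for at the start of the value or right after a comma; there is no nested "anything, then a comma" group, so a failed match never triggers the kind of catastrophic backtracking the description warns about. The sample headers and the stress input are constructed for this example.

```python
import re
import time

# Illustrative pattern (not the one merged by this PR). A challenge is only
# recognised at the start of the value or directly after a comma, so the
# engine never re-scans earlier text when a later part of the match fails.
# Like the behaviour described above, it expects realm to be the first
# parameter of the challenge; single quotes are tolerated although the
# HTTP grammar only allows double quotes.
CHALLENGE_RX = re.compile(
    r'(?:^|,)'            # challenge starts the value or follows a comma
    r'[ \t]*'             # optional whitespace
    r'([^ \t,]+)'         # auth-scheme, e.g. Basic, Digest, Bearer
    r'[ \t]+'             # mandatory whitespace before the first parameter
    r'realm=(["\']?)'     # optional opening quote
    r'([^"\']*)\2',       # realm value, closed by the same quote (if any)
    re.IGNORECASE,
)


def iter_challenges(header_values):
    """Yield (scheme, quote, realm) for every challenge in every header value.

    header_values is the list of all WWW-Authenticate values of one response:
    HTTP allows the header to repeat and allows several challenges per value.
    """
    for value in header_values:
        for mo in CHALLENGE_RX.finditer(value):
            yield mo.groups()


def first_basic_realm(header_values):
    """Return the realm of the first Basic challenge, or None if there is none.

    Challenges of other schemes (Digest, Bearer, ...) are skipped rather than
    causing the whole header to be rejected.
    """
    for scheme, _quote, realm in iter_challenges(header_values):
        if scheme.lower() == "basic":
            return realm
    return None


def parse_is_fast(length=200_000, budget_seconds=2.0):
    """Constructed stress check: a long value full of commas that never
    completes a challenge. With a linear-time pattern this returns True
    well inside the budget; a backtracking pattern would not finish."""
    value = "Basic" + ",x" * (length // 2)
    start = time.perf_counter()
    result = first_basic_realm([value])
    return result is None and (time.perf_counter() - start) < budget_seconds


if __name__ == "__main__":
    # Constructed sample: two headers, the first without any Basic challenge.
    headers = ['Digest realm="d", qop="auth"', 'Bearer realm="api", Basic realm="b"']
    print(first_basic_realm(headers))   # b
    print(parse_is_fast())              # True
```

`first_basic_realm` is the piece a handler would call before retrying with credentials; `iter_challenges` is exposed separately so the same scan can feed other schemes' handlers.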

@vstinner (Member, Author) commented Apr 2, 2020

@ned-deily: Would you mind merging this security fix?

@vstinner (Member, Author) commented Apr 2, 2020

codecov/patch (marked as failed)

I don't think that this job is supposed to run: I created https://bugs.python.org/issue40156 and #19306 to disable this job.

@vstinner (Member, Author) commented Apr 2, 2020

@ned-deily: so if you cannot merge this PR because of CodeCov, you can use PR #19306.

@vstinner (Member, Author) commented Apr 3, 2020

PR rebased on top of commit ebeabb5 (disable Codecov CI).

@ned-deily ned-deily merged commit 69cdeeb into python:3.6 Apr 3, 2020
@vstinner vstinner deleted the urllib_basic_auth_regex36 branch January 19, 2021 21:49