cpython/Lib/urllib
Miss Islington (bot) ea9e240aa0
bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19296)
The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.

AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.

Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Victor Stinner <vstinner@python.org>

(cherry picked from commit 0b297d4ff1)
2020-04-02 12:15:55 +02:00
__init__.py
error.py
parse.py Revert "[3.8] bpo-27657: Fix urlparse() with numeric paths (GH-16839)" (GH-18525) 2020-02-16 13:47:21 -08:00
request.py bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19296) 2020-04-02 12:15:55 +02:00
response.py
robotparser.py bpo-35922: Fix RobotFileParser when robots.txt has no relevant crawl delay or request rate (GH-11791) 2019-06-16 00:07:54 -07:00