Matej Cepl
f814036fff
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=276
36 lines
1.6 KiB
Diff
36 lines
1.6 KiB
Diff
From 34e25a97709a05f7c804036dd1e16afda6bdfa33 Mon Sep 17 00:00:00 2001
|
|
From: Victor Stinner <vstinner@python.org>
|
|
Date: Thu, 30 Jan 2020 16:13:03 +0100
|
|
Subject: [PATCH 1/2] bpo-39503: Fix urllib basic auth regex
|
|
|
|
The AbstractBasicAuthHandler class of the urllib.request module uses
|
|
an inefficient regular expression which can be exploited by an
|
|
attacker to cause a denial of service. Fix the regex to prevent the
|
|
catastrophic backtracking.
|
|
|
|
Vulnerability reported by Matt Schwager.
|
|
---
|
|
Lib/urllib2.py | 2 +-
|
|
Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 4 ++++
|
|
2 files changed, 5 insertions(+), 1 deletion(-)
|
|
create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
|
|
|
|
--- /dev/null
|
|
+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
|
|
@@ -0,0 +1,4 @@
|
|
+CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
|
|
+:mod:`urllib.request` module uses an inefficient regular expression which can
|
|
+be exploited by an attacker to cause a denial of service. Fix the regex to
|
|
+prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager.
|
|
--- a/Lib/urllib2.py
|
|
+++ b/Lib/urllib2.py
|
|
@@ -856,7 +856,7 @@ class AbstractBasicAuthHandler:
|
|
|
|
# allow for double- and single-quoted realm values
|
|
# (single quotes are a violation of the RFC, but appear in the wild)
|
|
- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
|
|
+ rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+'
|
|
'realm=(["\']?)([^"\']*)\\2', re.I)
|
|
|
|
# XXX could pre-emptively send auth info already accepted (RFC 2617,
|