Matej Cepl
e77cbb0e48
- Renamed patch for assigned CVE:
* bpo43075-fix-ReDoS-in-request.patch -> CVE-2021-3733-fix-ReDoS-in-request.patch
(boo#1189287, CVE-2021-3733)
- Fix python-doc build (bpo#35293):
* sphinx-update-removed-function.patch
- Update documentation formatting for Sphinx 3.0 (bpo#40204).
OBS-URL: https://build.opensuse.org/request/show/913777
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=298
16 lines
927 B
Diff
16 lines
927 B
Diff
--- a/Lib/urllib2.py
|
|
+++ b/Lib/urllib2.py
|
|
@@ -856,7 +856,7 @@ class AbstractBasicAuthHandler:
|
|
|
|
# allow for double- and single-quoted realm values
|
|
# (single quotes are a violation of the RFC, but appear in the wild)
|
|
- rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+'
|
|
+ rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t,]+)[ \t]+'
|
|
'realm=(["\']?)([^"\']*)\\2', re.I)
|
|
|
|
# XXX could pre-emptively send auth info already accepted (RFC 2617,
|
|
--- /dev/null
|
|
+++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
|
|
@@ -0,0 +1 @@
|
|
+Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
|