00366-CVE-2021-3733.patch · fedora-python/cpython@78a8416 · GitHub

Commit 78a8416

00366-CVE-2021-3733.patch
00366 # CVE-2021-3733: Fix ReDoS in urllib AbstractBasicAuthHandler

Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib2.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

Backported from Python 3 together with another backward-compatible improvement of the regex from the fix for CVE-2020-8492.

Co-authored-by: Yeting Li <liyt@ios.ac.cn>
1 parent 0c82cf4 commit 78a8416

Lib/urllib2.py

Lines changed: 1 addition & 1 deletion
@@ -858,7 +858,7 @@ class AbstractBasicAuthHandler:
858858

859859
# allow for double- and single-quoted realm values
860860
# (single quotes are a violation of the RFC, but appear in the wild)
861-
rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
861+
rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t,]+)[ \t]+'
862862
'realm=(["\']?)([^"\']*)\\2', re.I)
863863

864864
# XXX could pre-emptively send auth info already accepted (RFC 2617,
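Review bot: the replaced `rx = re.compile(...)` line is the right fix, but the hunk carries no regression test; a test beside the existing urllib2 tests (location assumed) that hands AbstractBasicAuthHandler a long WWW-Authenticate value made of many comma-separated tokens with no `realm=` and asserts it returns promptly would document the fixed behaviour and guard against `.*` being reintroduced. In the old `(?:.*,)*` each repetition's `.*` can itself swallow commas, so a non-matching header can be partitioned among the repetitions in many ways and the engine backtracks through all of them; the new `(?:[^,]*,)*` stops every repetition at the next comma, leaving one partition and linear matching. Excluding `,` from the scheme group as well, `([^ \t,]+)`, keeps the two parts of the pattern consistent and is the backward-compatible tightening the commit message attributes to the CVE-2020-8492 fix.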