8000 Fix inefficient and insufficient regex for WWW-Authenticate · python/cpython@f79379c · GitHub

Commit f79379c

Author: David Fraser
Fix inefficient and insufficient regex for WWW-Authenticate
The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Note that the original regex was roughly O(2**n). The search for commas and spaces is unnecessary (and insufficient to ensure that this starts a new scheme). Replace with a simpler search for an initial scheme, since we already check that the text starts with 'basic'. Vulnerability reported by Matt Schwager.
1 parent 239db90 commit f79379c
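The behaviour the commit message describes, as an added example that is not part of this commit or of CPython's own code: both patterns from the diff are run through a small wrapper that models the handler's prior `basic` check (an assumption taken from the commit message, not the handler's actual code) over a few constructed WWW-Authenticate values. The old pattern is only ever run on short, well-formed input here; the long comma-only value is fed to the fixed pattern alone.

```python
import re

# Pattern removed by this commit (copied from the diff). Kept only to compare
# results on well-formed headers; it is the one with catastrophic backtracking,
# so this example never runs it on a long or adversarial value.
OLD_RX = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
                    'realm=(["\']?)([^"\']*)\\2', re.I)

# Pattern added by this commit (copied from the diff).
NEW_RX = re.compile('^([^ \t]+)[ \t]+'
                    'realm=(["\']?)([^"\']*)\\2', re.I)


def parse_basic_challenge(header, rx=NEW_RX):
    """Return (scheme, realm) from a WWW-Authenticate value, or None.

    Models the flow the commit message describes: the value must start with
    'basic' (assumed pre-check, not copied from urllib), and only then is the
    regex applied. `rx` is a parameter so the old and new patterns can be
    compared on the same input.
    """
    parts = header.split()
    if not parts or parts[0].lower() != 'basic':
        return None
    mo = rx.search(header)
    if mo is None:
        return None
    scheme, quote, realm = mo.groups()
    return scheme, realm


# Constructed sample headers (not from the page): the quoting styles the
# code comment in the diff mentions, plus a value carrying two challenges.
WELL_FORMED = [
    'Basic realm="WallyWorld"',
    "Basic realm='WallyWorld'",
    'Basic realm=WallyWorld',
    'BASIC \t realm="WallyWorld"',
]
TWO_CHALLENGES = 'Basic realm="first", Digest realm="second"'


def same_on_well_formed():
    """True if the old and new patterns agree on every well-formed sample."""
    return all(parse_basic_challenge(h, OLD_RX) == parse_basic_challenge(h, NEW_RX)
               for h in WELL_FORMED)


def no_realm_long_header(n):
    """Run only the fixed pattern over a long comma-only value with no
    realm=. The anchored pattern has no nested quantifier, so the engine
    gives up after a handful of backtracking steps however large n is."""
    return parse_basic_challenge('Basic ' + ',' * n, NEW_RX)


if __name__ == '__main__':
    for h in WELL_FORMED:
        print(repr(h), '->', parse_basic_challenge(h))
    print('old/new agree on well-formed input:', same_on_well_formed())
    print('old on two challenges:', parse_basic_challenge(TWO_CHALLENGES, OLD_RX))
    print('new on two challenges:', parse_basic_challenge(TWO_CHALLENGES, NEW_RX))
    print('new on 100000 commas, no realm:', no_realm_long_header(100000))
```

On the single-challenge samples both patterns return the same scheme and realm. On the two-challenge value the old pattern's leading `(?:.*,)*` skips to the last comma and reports the Digest challenge, while the anchored pattern reports only the first challenge, which the caller has already verified is Basic; that is the "insufficient" behaviour the commit message refers to. The long comma-only value exercises the part of the old pattern that backtracked exponentially, and the fixed pattern returns None immediately.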

1 file changed, +1 -1 lines changed

Lib/urllib/request.py

Lines changed: 1 addition & 1 deletion
@@ -937,7 +937,7 @@ class AbstractBasicAuthHandler:

# allow for double- and single-quoted realm values
# (single quotes are a violation of the RFC, but appear in the wild)
940-
rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
940+
rx = re.compile('^([^ \t]+)[ \t]+'
'realm=(["\']?)([^"\']*)\\2', re.I)

# XXX could pre-emptively send auth info already accepted (RFC 2617,
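Review bot: the new anchored `^([^ \t]+)[ \t]+` is only sufficient because, as the commit message says, the caller has already checked that the value starts with 'basic'; a comment next to the `rx = re.compile('^([^ \t]+)[ \t]+'` line stating that dependency would stop a future caller from reusing the pattern on an unchecked header. The removed `(?:.*,)*` was the backtracking source (an unbounded `.*` nested under `*`, with nothing to anchor on when `realm=` is absent), and this one-file change ships no test, so a regression test that feeds a long comma-only WWW-Authenticate value without `realm=` through the handler would lock the fix in.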
