[Python-checkins] bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391)

vstinner webhook-mailer at python.org
Wed Apr 7 07:27:51 EDT 2021

• Previous message (by thread): [Python-checkins] bpo-43244: Remove Yield macro from pycore_ast.h (GH-25243)
• Next message (by thread): [Python-checkins] bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb1defe1
commit: 7215d1ae25525c92b026166f9d5cac85fb1defe1
branch: master
author: Yeting Li <liyt at ios.ac.cn>
committer: vstinner <vstinner at python.org>
date: 2021年04月07日T13:27:41+02:00
summary:
bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391)
Fix Regular Expression Denial of Service (ReDoS) vulnerability in
urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
has quadratic worst-case complexity and it allows cause a denial of
service when identifying crafted invalid RFCs. This ReDoS issue is on
the client side and needs remote attackers to control the HTTP server.
files:
A Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
M Lib/urllib/request.py
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
index e5febe61f556d..8363905f20fa3 100644
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -945,7 +945,7 @@ class AbstractBasicAuthHandler:
 # (single quotes are a violation of the RFC, but appear in the wild)
 rx = re.compile('(?:^|,)' # start of the string or ','
 '[ \t]*' # optional whitespaces
- '([^ \t]+)' # scheme like "Basic"
+ '([^ \t,]+)' # scheme like "Basic"
 '[ \t]+' # mandatory whitespaces
 # realm=xxx
 # realm='xxx'
diff --git a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
new file mode 100644
index 0000000000000..1c9f727e965fb
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
@@ -0,0 +1 @@
+Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

---

• Previous message (by thread): [Python-checkins] bpo-43244: Remove Yield macro from pycore_ast.h (GH-25243)
• Next message (by thread): [Python-checkins] bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

More information about the Python-checkins mailing list