◐ Shell
reader mode source ↗
Skip to content

[3.5] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284)#19305

Merged
larryhastings merged 2 commits into
python:3.5from
vstinner:urllib_basic_auth_regex35
Jun 20, 2020
Merged

[3.5] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284)#19305
larryhastings merged 2 commits into
python:3.5from
vstinner:urllib_basic_auth_regex35

Conversation

@vstinner

@vstinner vstinner commented Apr 2, 2020
edited by bedevere-bot
Loading

Copy link
Copy Markdown
Member

The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.

AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.

Co-Authored-By: Serhiy Storchaka storchaka@gmail.com
(cherry picked from commit 0b297d4)

https://bugs.python.org/issue39503

@vstinner

vstinner commented Apr 2, 2020

Copy link
Copy Markdown
Member Author

For the backport, I replaced f-string with str.format() in tests.

@vstinner @serhiy-storchaka
bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284)
e213d74 
The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.

AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.

Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit 0b297d4)
@vstinner

vstinner commented Apr 3, 2020

Copy link
Copy Markdown
Member Author

PR rebased on top of commit ed07522 (remove "Codecov patch" job from the CI).

@vstinner

vstinner commented Apr 3, 2020

Copy link
Copy Markdown
Member Author

cc @larryhastings: the CI is now green.

@vstinner

vstinner commented Apr 6, 2020

Copy link
Copy Markdown
Member Author

@larryhastings: This change is backward incompatible. If a HTTP header contains two Basic challenges, now the first one is used, whereas previously the last one was chosen. IMO the new behavior is more correct than the old one, but I prefer to warn you ;-)

@vstinner vstinner mentioned this pull request Apr 30, 2020
Closed
@vstinner

vstinner commented May 15, 2020

Copy link
Copy Markdown
Member Author

Ping @larryhastings: Would you mind to merge this backport to 3.5 of a security fix?

@bedevere-bot

bedevere-bot commented Jun 12, 2020

Copy link
Copy Markdown

When you're done making the requested changes, leave the comment: I have made the requested changes; please review again.

@larryhastings larryhastings dismissed their stale review June 20, 2020 06:10

I was mistaken, and no changes are needed.

@larryhastings larryhastings merged commit 37fe316 into python:3.5 Jun 20, 2020
@bedevere-bot

bedevere-bot commented Jun 20, 2020

Copy link
Copy Markdown

@larryhastings: Please replace # with GH- in the commit message next time. Thanks!

@vstinner vstinner deleted the urllib_basic_auth_regex35 branch January 19, 2021 21:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@larryhastings larryhastings

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@vstinner @bedevere-bot @larryhastings @the-knights-who-say-ni