[3.6] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler by tapakund · Pull Request #19299 · python/cpython

The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.

AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.

Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>

Co-authored-by: Victor Stinner vstinner@python.org

Signed-off-by: Tapas Kundu <tkundu@vmware.com>