bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391) Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

commit: 7215d1ae25525c92b026166f9d5cac85fb1defe1 [log] [tgz]
author: Yeting Li <liyt@ios.ac.cn> Wed Apr 07 19:27:41 2021 +0800
committer: GitHub <noreply@github.com> Wed Apr 07 13:27:41 2021 +0200
tree: c18d81a4f47c91c52e5cc567765576608cad9d62
parent: d36d6a9c1808e87628ebaa855d4bec80130189f4 [diff] [blame]
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
index e5febe6..8363905 100644
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py

@@ -945,7 +945,7 @@ class AbstractBasicAuthHandler:
     # (single quotes are a violation of the RFC, but appear in the wild)
     rx = re.compile('(?:^|,)'   # start of the string or ','
                     '[ \t]*'    # optional whitespaces
-                    '([^ \t]+)' # scheme like "Basic"
+                    '([^ \t,]+)' # scheme like "Basic"
                     '[ \t]+'    # mandatory whitespaces
                     # realm=xxx
                     # realm='xxx'
commit	7215d1ae25525c92b026166f9d5cac85fb1defe1	[log] [tgz]
author	Yeting Li <liyt@ios.ac.cn>	Wed Apr 07 19:27:41 2021 +0800
committer	GitHub <noreply@github.com>	Wed Apr 07 13:27:41 2021 +0200
tree	c18d81a4f47c91c52e5cc567765576608cad9d62
parent	d36d6a9c1808e87628ebaa855d4bec80130189f4 [diff] [blame]