Skip to content

Commit

Permalink
bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391)
Browse files Browse the repository at this point in the history 
Fix Regular Expression Denial of Service (ReDoS) vulnerability in
urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
has quadratic worst-case complexity and it allows cause a denial of
service when identifying crafted invalid RFCs. This ReDoS issue is on
the client side and needs remote attackers to control the HTTP server.
  • Loading branch information
@yetingli
yetingli authored Apr 7, 2021
1 parent d36d6a9 commit 7215d1a
Show file tree
Hide file tree
Showing 2 changed files with 2 additions and 1 deletion.
2 changes: 1 addition & 1 deletion Lib/urllib/request.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -945,7 +945,7 @@ class AbstractBasicAuthHandler:
# (single quotes are a violation of the RFC, but appear in the wild)
rx = re.compile('(?:^|,)' # start of the string or ','
'[ \t]*' # optional whitespaces
'([^ \t]+)' # scheme like "Basic"
'([^ \t,]+)' # scheme like "Basic"
'[ \t]+' # mandatory whitespaces
# realm=xxx
# realm='xxx'
Expand Down
1 change: 1 addition & 0 deletions Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

0 comments on commit 7215d1a

Please sign in to comment.