From 7215d1ae25525c92b026166f9d5cac85fb1defe1 Mon Sep 17 00:00:00 2001 From: Yeting Li Date: Wed, 7 Apr 2021 19:27:41 +0800 Subject: [PATCH] bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391) Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server. --- Lib/urllib/request.py | 2 +- .../next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py index e5febe61f556d3..8363905f20fa35 100644 --- a/Lib/urllib/request.py +++ b/Lib/urllib/request.py @@ -945,7 +945,7 @@ class AbstractBasicAuthHandler: # (single quotes are a violation of the RFC, but appear in the wild) rx = re.compile('(?:^|,)' # start of the string or ',' '[ \t]*' # optional whitespaces - '([^ \t]+)' # scheme like "Basic" + '([^ \t,]+)' # scheme like "Basic" '[ \t]+' # mandatory whitespaces # realm=xxx # realm='xxx' diff --git a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst new file mode 100644 index 00000000000000..1c9f727e965fb8 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst @@ -0,0 +1 @@ +Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.