From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Tue, 14 Sep 2021 11:34:43 +0200 Subject: [PATCH] 00366-CVE-2021-3733.patch 00366 # CVE-2021-3733: Fix ReDoS in urllib AbstractBasicAuthHandler Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib2.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server. Backported from Python 3 together with another backward-compatible improvement of the regex from fix for CVE-2020-8492. Co-authored-by: Yeting Li --- Lib/urllib2.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Lib/urllib2.py b/Lib/urllib2.py index fd19e1ae943..e286583ecba 100644 --- a/Lib/urllib2.py +++ b/Lib/urllib2.py @@ -858,7 +858,7 @@ class AbstractBasicAuthHandler: # allow for double- and single-quoted realm values # (single quotes are a violation of the RFC, but appear in the wild) - rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+' + rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t,]+)[ \t]+' 'realm=(["\']?)([^"\']*)\\2', re.I) # XXX could pre-emptively send auth info already accepted (RFC 2617,