36 lines
1.4 KiB
Diff
36 lines
1.4 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Lumir Balhar <lbalhar@redhat.com>
|
|
Date: Tue, 14 Sep 2021 11:34:43 +0200
|
|
Subject: [PATCH] 00366-CVE-2021-3733.patch
|
|
|
|
00366 #
|
|
CVE-2021-3733: Fix ReDoS in urllib AbstractBasicAuthHandler
|
|
|
|
Fix Regular Expression Denial of Service (ReDoS) vulnerability in
|
|
urllib2.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
|
|
has quadratic worst-case complexity and it allows cause a denial of
|
|
service when identifying crafted invalid RFCs. This ReDoS issue is on
|
|
the client side and needs remote attackers to control the HTTP server.
|
|
|
|
Backported from Python 3 together with another backward-compatible
|
|
improvement of the regex from fix for CVE-2020-8492.
|
|
|
|
Co-authored-by: Yeting Li <liyt@ios.ac.cn>
|
|
---
|
|
Lib/urllib2.py | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/Lib/urllib2.py b/Lib/urllib2.py
|
|
index fd19e1ae943..e286583ecba 100644
|
|
--- a/Lib/urllib2.py
|
|
+++ b/Lib/urllib2.py
|
|
@@ -858,7 +858,7 @@ class AbstractBasicAuthHandler:
|
|
|
|
# allow for double- and single-quoted realm values
|
|
# (single quotes are a violation of the RFC, but appear in the wild)
|
|
- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
|
|
+ rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t,]+)[ \t]+'
|
|
'realm=(["\']?)([^"\']*)\\2', re.I)
|
|
|
|
# XXX could pre-emptively send auth info already accepted (RFC 2617,
|