|
 |
0b7fb1 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
0b7fb1 |
From: Lumir Balhar <lbalhar@redhat.com>
|
|
|
0b7fb1 |
Date: Tue, 14 Sep 2021 11:34:43 +0200
|
|
|
0b7fb1 |
Subject: [PATCH] 00366-CVE-2021-3733.patch
|
|
|
0b7fb1 |
|
|
|
0b7fb1 |
00366 #
|
|
|
0b7fb1 |
CVE-2021-3733: Fix ReDoS in urllib AbstractBasicAuthHandler
|
|
|
0b7fb1 |
|
|
|
0b7fb1 |
Fix Regular Expression Denial of Service (ReDoS) vulnerability in
|
|
|
0b7fb1 |
urllib2.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
|
|
|
0b7fb1 |
has quadratic worst-case complexity and it allows cause a denial of
|
|
|
0b7fb1 |
service when identifying crafted invalid RFCs. This ReDoS issue is on
|
|
|
0b7fb1 |
the client side and needs remote attackers to control the HTTP server.
|
|
|
0b7fb1 |
|
|
|
0b7fb1 |
Backported from Python 3 together with another backward-compatible
|
|
|
0b7fb1 |
improvement of the regex from fix for CVE-2020-8492.
|
|
|
0b7fb1 |
|
|
|
0b7fb1 |
Co-authored-by: Yeting Li <liyt@ios.ac.cn>
|
|
|
0b7fb1 |
---
|
|
|
0b7fb1 |
Lib/urllib2.py | 2 +-
|
|
|
0b7fb1 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
0b7fb1 |
|
|
|
0b7fb1 |
diff --git a/Lib/urllib2.py b/Lib/urllib2.py
|
|
|
0b7fb1 |
index fd19e1ae943..e286583ecba 100644
|
|
|
0b7fb1 |
--- a/Lib/urllib2.py
|
|
|
0b7fb1 |
+++ b/Lib/urllib2.py
|
|
|
0b7fb1 |
@@ -858,7 +858,7 @@ class AbstractBasicAuthHandler:
|
|
|
0b7fb1 |
|
|
|
0b7fb1 |
# allow for double- and single-quoted realm values
|
|
|
0b7fb1 |
# (single quotes are a violation of the RFC, but appear in the wild)
|
|
|
0b7fb1 |
- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
|
|
|
0b7fb1 |
+ rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t,]+)[ \t]+'
|
|
|
0b7fb1 |
'realm=(["\']?)([^"\']*)\\2', re.I)
|
|
|
0b7fb1 |
|
|
|
0b7fb1 |
# XXX could pre-emptively send auth info already accepted (RFC 2617,
|