From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Tue, 14 Sep 2021 11:34:43 +0200
Subject: [PATCH] 00366-CVE-2021-3733.patch
00366 #
CVE-2021-3733: Fix ReDoS in urllib AbstractBasicAuthHandler
Fix Regular Expression Denial of Service (ReDoS) vulnerability in
urllib2.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
has quadratic worst-case complexity and it allows causing a denial of
service when identifying crafted invalid RFCs. This ReDoS issue is on
the client side and needs remote attackers to control the HTTP server.
Backported from Python 3 together with another backward-compatible
improvement of the regex from fix for CVE-2020-8492.
Co-authored-by: Yeting Li <liyt@ios.ac.cn>
---
 Lib/urllib2.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Lib/urllib2.py b/Lib/urllib2.py
index fd19e1ae943..e286583ecba 100644
--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
@@ -858,7 +858,7 @@ class AbstractBasicAuthHandler:
 
     # allow for double- and single-quoted realm values
     # (single quotes are a violation of the RFC, but appear in the wild)
-    rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
+    rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t,]+)[ \t]+'
                     'realm=(["\']?)([^"\']*)\\2', re.I)
 
     # XXX could pre-emptively send auth info already accepted (RFC 2617,
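Review bot: The new pattern on the `+` line still starts with the unanchored repeated prefix `(?:[^,]*,)*` before the scheme capture, so when the search fails at one offset the comma walk is retried from every later offset; that looks like it can remain quadratic in the number of commas for a long, comma-heavy challenge value that never matches, which is the behaviour the message says is being fixed, so it is worth timing on such an input before shipping. As I recall, the upstream 3.x fix anchored the scheme instead, `rx = re.compile('(?:^|,)[ \t]*([^ \t,]+)[ \t]+' 'realm=(["\']?)([^"\']*)\\2', re.I)`, which bounds the work at each offset to a single comma-separated segment; if the backport deliberately keeps `(?:[^,]*,)*` for compatibility, a comment saying why would help the next backporter. The upstream fix also annotates each piece of the regex, and a short comment above the `rx =` line such as `# (?:[^,]*,)* skips earlier comma-separated challenges; the scheme itself may not contain ','` would carry that here. The enclosing class AbstractBasicAuthHandler continues outside the hunk.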