Blame SOURCES/00346-CVE-2020-8492.patch

d7ffd7
diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
d7ffd7
index 876fcd4..fe9a32b 100644
d7ffd7
--- a/Lib/test/test_urllib2.py
d7ffd7
+++ b/Lib/test/test_urllib2.py
d7ffd7
@@ -1445,40 +1445,64 @@ class HandlerTests(unittest.TestCase):
d7ffd7
         bypass = {'exclude_simple': True, 'exceptions': []}
d7ffd7
         self.assertTrue(_proxy_bypass_macosx_sysconf('test', bypass))
d7ffd7
 
d7ffd7
-    def test_basic_auth(self, quote_char='"'):
d7ffd7
-        opener = OpenerDirector()
d7ffd7
-        password_manager = MockPasswordManager()
d7ffd7
-        auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
d7ffd7
-        realm = "ACME Widget Store"
d7ffd7
-        http_handler = MockHTTPHandler(
d7ffd7
-            401, 'WWW-Authenticate: Basic realm=%s%s%s\r\n\r\n' %
d7ffd7
-            (quote_char, realm, quote_char))
d7ffd7
-        opener.add_handler(auth_handler)
d7ffd7
-        opener.add_handler(http_handler)
d7ffd7
-        self._test_basic_auth(opener, auth_handler, "Authorization",
d7ffd7
-                              realm, http_handler, password_manager,
d7ffd7
-                              "http://acme.example.com/protected",
d7ffd7
-                              "http://acme.example.com/protected",
d7ffd7
-                              )
d7ffd7
-
d7ffd7
-    def test_basic_auth_with_single_quoted_realm(self):
d7ffd7
-        self.test_basic_auth(quote_char="'")
d7ffd7
-
d7ffd7
-    def test_basic_auth_with_unquoted_realm(self):
d7ffd7
-        opener = OpenerDirector()
d7ffd7
-        password_manager = MockPasswordManager()
d7ffd7
-        auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
d7ffd7
-        realm = "ACME Widget Store"
d7ffd7
-        http_handler = MockHTTPHandler(
d7ffd7
-            401, 'WWW-Authenticate: Basic realm=%s\r\n\r\n' % realm)
d7ffd7
-        opener.add_handler(auth_handler)
d7ffd7
-        opener.add_handler(http_handler)
d7ffd7
-        with self.assertWarns(UserWarning):
d7ffd7
+    def check_basic_auth(self, headers, realm):
d7ffd7
+        with self.subTest(realm=realm, headers=headers):
d7ffd7
+            opener = OpenerDirector()
d7ffd7
+            password_manager = MockPasswordManager()
d7ffd7
+            auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
d7ffd7
+            body = '\r\n'.join(headers) + '\r\n\r\n'
d7ffd7
+            http_handler = MockHTTPHandler(401, body)
d7ffd7
+            opener.add_handler(auth_handler)
d7ffd7
+            opener.add_handler(http_handler)
d7ffd7
             self._test_basic_auth(opener, auth_handler, "Authorization",
d7ffd7
-                                realm, http_handler, password_manager,
d7ffd7
-                                "http://acme.example.com/protected",
d7ffd7
-                                "http://acme.example.com/protected",
d7ffd7
-                                )
d7ffd7
+                                  realm, http_handler, password_manager,
d7ffd7
+                                  "http://acme.example.com/protected",
d7ffd7
+                                  "http://acme.example.com/protected")
d7ffd7
+
d7ffd7
+    def test_basic_auth(self):
d7ffd7
+        realm = "realm2@example.com"
d7ffd7
+        realm2 = "realm2@example.com"
d7ffd7
+        basic = f'Basic realm="{realm}"'
d7ffd7
+        basic2 = f'Basic realm="{realm2}"'
d7ffd7
+        other_no_realm = 'Otherscheme xxx'
d7ffd7
+        digest = (f'Digest realm="{realm2}", '
d7ffd7
+                  f'qop="auth, auth-int", '
d7ffd7
+                  f'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
d7ffd7
+                  f'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
d7ffd7
+        for realm_str in (
d7ffd7
+            # test "quote" and 'quote'
d7ffd7
+            f'Basic realm="{realm}"',
d7ffd7
+            f"Basic realm='{realm}'",
d7ffd7
+
d7ffd7
+            # charset is ignored
d7ffd7
+            f'Basic realm="{realm}", charset="UTF-8"',
d7ffd7
+
d7ffd7
+            # Multiple challenges per header
d7ffd7
+            f'{basic}, {basic2}',
d7ffd7
+            f'{basic}, {other_no_realm}',
d7ffd7
+            f'{other_no_realm}, {basic}',
d7ffd7
+            f'{basic}, {digest}',
d7ffd7
+            f'{digest}, {basic}',
d7ffd7
+        ):
d7ffd7
+            headers = [f'WWW-Authenticate: {realm_str}']
d7ffd7
+            self.check_basic_auth(headers, realm)
d7ffd7
+
d7ffd7
+        # no quote: expect a warning
d7ffd7
+        with support.check_warnings(("Basic Auth Realm was unquoted",
d7ffd7
+                                     UserWarning)):
d7ffd7
+            headers = [f'WWW-Authenticate: Basic realm={realm}']
d7ffd7
+            self.check_basic_auth(headers, realm)
d7ffd7
+
d7ffd7
+        # Multiple headers: one challenge per header.
d7ffd7
+        # Use the first Basic realm.
d7ffd7
+        for challenges in (
d7ffd7
+            [basic,  basic2],
d7ffd7
+            [basic,  digest],
d7ffd7
+            [digest, basic],
d7ffd7
+        ):
d7ffd7
+            headers = [f'WWW-Authenticate: {challenge}'
d7ffd7
+                       for challenge in challenges]
d7ffd7
+            self.check_basic_auth(headers, realm)
d7ffd7
 
d7ffd7
     def test_proxy_basic_auth(self):
d7ffd7
         opener = OpenerDirector()
d7ffd7
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
d7ffd7
index c9945d9..6624e04 100644
d7ffd7
--- a/Lib/urllib/request.py
d7ffd7
+++ b/Lib/urllib/request.py
d7ffd7
@@ -945,8 +945,15 @@ class AbstractBasicAuthHandler:
d7ffd7
 
d7ffd7
     # allow for double- and single-quoted realm values
d7ffd7
     # (single quotes are a violation of the RFC, but appear in the wild)
d7ffd7
-    rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
d7ffd7
-                    'realm=(["\']?)([^"\']*)\\2', re.I)
d7ffd7
+    rx = re.compile('(?:^|,)'   # start of the string or ','
d7ffd7
+                    '[ \t]*'    # optional whitespaces
d7ffd7
+                    '([^ \t]+)' # scheme like "Basic"
d7ffd7
+                    '[ \t]+'    # mandatory whitespaces
d7ffd7
+                    # realm=xxx
d7ffd7
+                    # realm='xxx'
d7ffd7
+                    # realm="xxx"
d7ffd7
+                    'realm=(["\']?)([^"\']*)\\2',
d7ffd7
+                    re.I)
d7ffd7
 
d7ffd7
     # XXX could pre-emptively send auth info already accepted (RFC 2617,
d7ffd7
     # end of section 2, and section 1.2 immediately after "credentials"
d7ffd7
@@ -958,27 +965,51 @@ class AbstractBasicAuthHandler:
d7ffd7
         self.passwd = password_mgr
d7ffd7
         self.add_password = self.passwd.add_password
d7ffd7
 
d7ffd7
+    def _parse_realm(self, header):
d7ffd7
+        # parse WWW-Authenticate header: accept multiple challenges per header
d7ffd7
+        found_challenge = False
d7ffd7
+        for mo in AbstractBasicAuthHandler.rx.finditer(header):
d7ffd7
+            scheme, quote, realm = mo.groups()
d7ffd7
+            if quote not in ['"', "'"]:
d7ffd7
+                warnings.warn("Basic Auth Realm was unquoted",
d7ffd7
+                              UserWarning, 3)
d7ffd7
+
d7ffd7
+            yield (scheme, realm)
d7ffd7
+
d7ffd7
+            found_challenge = True
d7ffd7
+
d7ffd7
+        if not found_challenge:
d7ffd7
+            if header:
d7ffd7
+                scheme = header.split()[0]
d7ffd7
+            else:
d7ffd7
+                scheme = ''
d7ffd7
+            yield (scheme, None)
d7ffd7
+
d7ffd7
     def http_error_auth_reqed(self, authreq, host, req, headers):
d7ffd7
         # host may be an authority (without userinfo) or a URL with an
d7ffd7
         # authority
d7ffd7
-        # XXX could be multiple headers
d7ffd7
-        authreq = headers.get(authreq, None)
d7ffd7
+        headers = headers.get_all(authreq)
d7ffd7
+        if not headers:
d7ffd7
+            # no header found
d7ffd7
+            return
d7ffd7
 
d7ffd7
-        if authreq:
d7ffd7
-            scheme = authreq.split()[0]
d7ffd7
-            if scheme.lower() != 'basic':
d7ffd7
-                raise ValueError("AbstractBasicAuthHandler does not"
d7ffd7
-                                 " support the following scheme: '%s'" %
d7ffd7
-                                 scheme)
d7ffd7
-            else:
d7ffd7
-                mo = AbstractBasicAuthHandler.rx.search(authreq)
d7ffd7
-                if mo:
d7ffd7
-                    scheme, quote, realm = mo.groups()
d7ffd7
-                    if quote not in ['"',"'"]:
d7ffd7
-                        warnings.warn("Basic Auth Realm was unquoted",
d7ffd7
-                                      UserWarning, 2)
d7ffd7
-                    if scheme.lower() == 'basic':
d7ffd7
-                        return self.retry_http_basic_auth(host, req, realm)
d7ffd7
+        unsupported = None
d7ffd7
+        for header in headers:
d7ffd7
+            for scheme, realm in self._parse_realm(header):
d7ffd7
+                if scheme.lower() != 'basic':
d7ffd7
+                    unsupported = scheme
d7ffd7
+                    continue
d7ffd7
+
d7ffd7
+                if realm is not None:
d7ffd7
+                    # Use the first matching Basic challenge.
d7ffd7
+                    # Ignore following challenges even if they use the Basic
d7ffd7
+                    # scheme.
d7ffd7
+                    return self.retry_http_basic_auth(host, req, realm)
d7ffd7
+
d7ffd7
+        if unsupported is not None:
d7ffd7
+            raise ValueError("AbstractBasicAuthHandler does not "
d7ffd7
+                             "support the following scheme: %r"
d7ffd7
+                             % (scheme,))
d7ffd7
 
d7ffd7
     def retry_http_basic_auth(self, host, req, realm):
d7ffd7
         user, pw = self.passwd.find_user_password(realm, host)