From 86664c9405136a4904775c52e6caf100a474ec58 Mon Sep 17 00:00:00 2001
From: Yeting Li
Date: Sun, 31 Jan 2021 13:06:57 +0800
Subject: [PATCH 1/7] Fix ReDoS
---
 Lib/urllib/request.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
index 2a3d71554f4bfe..5e33c5d1a111c5 100644
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -939,7 +939,7 @@ class AbstractBasicAuthHandler:
 # (single quotes are a violation of the RFC, but appear in the wild)
 rx = re.compile('(?:^|,)' # start of the string or ','
 '[ \t]*' # optional whitespaces
- '([^ \t]+)' # scheme like "Basic"
+ '([^ \t,]+)' # scheme like "Basic"
 '[ \t]+' # mandatory whitespaces
 # realm=xxx
 # realm='xxx'
From bcb541dae7302491fabb4c4211c4177282492e12 Mon Sep 17 00:00:00 2001
From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com>
Date: Sun, 31 Jan 2021 05:28:15 +0000
Subject: [PATCH 2/7] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?= =?UTF-8?q?rb=5Fit.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
diff --git a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
new file mode 100644
index 00000000000000..16c5ac60f6f553
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
@@ -0,0 +1 @@
+Fix ReDoS in request
\ No newline at end of file
From d79f2da5b60969042dc6d4cdc63160a52c6cac79 Mon Sep 17 00:00:00 2001
From: Yeting Li
Date: Wed, 7 Apr 2021 14:45:42 +0800
Subject: [PATCH 3/7] Update 2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
---
 .../next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
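Review bot: The one-character fix on the `+` line carries neither a comment recording why `,` joined the negated class nor a regression test, so the next person tuning this pattern can quietly reintroduce the problem. With `(?:^|,)` as the anchor and `[^ \t]+` free to swallow commas, every `,` in the header value started a scan that could run to the end of the value before failing at `[ \t]+`, which is the quadratic behaviour the later NEWS entries describe; excluding `,` bounds each attempt to its own comma-separated field. I would extend the trailing comment to `# scheme like "Basic"; ',' excluded so each ',' anchor scans only its own field (bpo-43075)` and add a test in the urllib test suite that parses a challenge value made of a long run of commas and asserts it yields no match. The diffstat lists only `Lib/urllib/request.py`, so the series as a whole appears to ship without such a test. The `rx` expression (the realm alternatives) continues past the hunk and `AbstractBasicAuthHandler` begins before it.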
diff --git a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
index 16c5ac60f6f553..7534929470b714 100644
--- a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
+++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
@@ -1 +1 @@
-Fix ReDoS in request
\ No newline at end of file
+Fix Regular Expression Denial of Service (ReDoS) vulnerability in `urllib.request`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs starting with ","*n. This issue only affects consumers using `urllib.request.AbstractBasicAuthHandler`.
From 817a2c688cde400319c8f70ed62ab78d23e291ae Mon Sep 17 00:00:00 2001
From: Yeting Li
Date: Wed, 7 Apr 2021 14:59:42 +0800
Subject: [PATCH 4/7] Update 2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
---
 .../next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
index 7534929470b714..d098175d85d07c 100644
--- a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
+++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
@@ -1 +1 @@
-Fix Regular Expression Denial of Service (ReDoS) vulnerability in `urllib.request`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs starting with ","*n. This issue only affects consumers using `urllib.request.AbstractBasicAuthHandler`.
+Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This issue only affects consumers using urllib.request.AbstractBasicAuthHandler.
From d4d5b82134d5cd1518a50458fbf0780e1a7c7821 Mon Sep 17 00:00:00 2001
From: Yeting Li
Date: Wed, 7 Apr 2021 18:22:00 +0800
Subject: [PATCH 5/7] Update Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
Co-authored-by: Victor Stinner
---
 .../next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
index d098175d85d07c..a420033309001e 100644
--- a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
+++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
@@ -1 +1 @@
-Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This issue only affects consumers using urllib.request.AbstractBasicAuthHandler.
+Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs.
From 735fdcba849ad735ef33e8a14b7c03f32168bd5c Mon Sep 17 00:00:00 2001
From: Yeting Li
Date: Wed, 7 Apr 2021 18:34:02 +0800
Subject: [PATCH 6/7] Update 2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
---
 .../next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
index a420033309001e..d2f9913c459431 100644
--- a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
+++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
@@ -1 +1 @@
-Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs.
+Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client server and needs remote attackers to control the HTTP server.
From fd9c7fa4162d61e34759fd7b9dd1561d70e016f2 Mon Sep 17 00:00:00 2001
From: Yeting Li
Date: Wed, 7 Apr 2021 18:49:49 +0800
Subject: [PATCH 7/7] Update 2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
---
 .../next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
index d2f9913c459431..1c9f727e965fb8 100644
--- a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
+++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
@@ -1 +1 @@
-Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client server and needs remote attackers to control the HTTP server.
+Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.