From 86664c9405136a4904775c52e6caf100a474ec58 Mon Sep 17 00:00:00 2001
From: Yeting Li
Date: Sun, 31 Jan 2021 13:06:57 +0800
Subject: [PATCH 1/7] Fix ReDoS

---
 Lib/urllib/request.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
index 2a3d71554f4bfe4..5e33c5d1a111c5e 100644
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -939,7 +939,7 @@ class AbstractBasicAuthHandler:
 # (single quotes are a violation of the RFC, but appear in the wild)
 rx = re.compile('(?:^|,)' # start of the string or ','
 '[ \t]*' # optional whitespaces
- '([^ \t]+)' # scheme like "Basic"
+ '([^ \t,]+)' # scheme like "Basic"
 '[ \t]+' # mandatory whitespaces
 # realm=xxx
 # realm='xxx'

From bcb541dae7302491fabb4c4211c4177282492e12 Mon Sep 17 00:00:00 2001
From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com>
Date: Sun, 31 Jan 2021 05:28:15 +0000
Subject: [PATCH 2/7] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?=
 =?UTF-8?q?rb=5Fit.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst

diff --git a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
new file mode 100644
index 000000000000000..16c5ac60f6f553d
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
@@ -0,0 +1 @@
+Fix ReDoS in request
\ No newline at end of file

From d79f2da5b60969042dc6d4cdc63160a52c6cac79 Mon Sep 17 00:00:00 2001
From: Yeting Li
Date: Wed, 7 Apr 2021 14:45:42 +0800
Subject: [PATCH 3/7] Update 2021-01-31-05-28-14.bpo-43075.DoAXqO.rst

---
 .../next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

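Review bot: The comment on the `+` line of the Lib/urllib/request.py hunk still reads only `# scheme like "Basic"`, so nothing records why ',' was added to the excluded set and a later cleanup could reintroduce the quadratic backtracking; suggest `'([^ \t,]+)' # scheme like "Basic"; ',' excluded so a run of separators cannot be re-scanned as a scheme (keeps matching linear)`. The `re.compile(...)` statement continues past the hunk (the realm alternatives are not visible here), so the remainder of the pattern should be checked for the same shape of an unbounded character class followed by a separator before calling the ReDoS closed. This series adds no regression test; one in the urllib test suite that feeds a long comma-only header value and bounds the parse time would pin the fix.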
diff --git a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
index 16c5ac60f6f553d..7534929470b714e 100644
--- a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
+++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
@@ -1 +1 @@
-Fix ReDoS in request
\ No newline at end of file
+Fix Regular Expression Denial of Service (ReDoS) vulnerability in `urllib.request`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs starting with ","*n. This issue only affects consumers using `urllib.request.AbstractBasicAuthHandler`.

From 817a2c688cde400319c8f70ed62ab78d23e291ae Mon Sep 17 00:00:00 2001
From: Yeting Li
Date: Wed, 7 Apr 2021 14:59:42 +0800
Subject: [PATCH 4/7] Update 2021-01-31-05-28-14.bpo-43075.DoAXqO.rst

---
 .../next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
index 7534929470b714e..d098175d85d07ca 100644
--- a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
+++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
@@ -1 +1 @@
-Fix Regular Expression Denial of Service (ReDoS) vulnerability in `urllib.request`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs starting with ","*n. This issue only affects consumers using `urllib.request.AbstractBasicAuthHandler`.
+Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This issue only affects consumers using urllib.request.AbstractBasicAuthHandler.

From d4d5b82134d5cd1518a50458fbf0780e1a7c7821 Mon Sep 17 00:00:00 2001
From: Yeting Li
Date: Wed, 7 Apr 2021 18:22:00 +0800
Subject: [PATCH 5/7] Update Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst

Co-authored-by: Victor Stinner
---
 .../next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
index d098175d85d07ca..a420033309001e2 100644
--- a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
+++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
@@ -1 +1 @@
-Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This issue only affects consumers using urllib.request.AbstractBasicAuthHandler.
+Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs.

From 735fdcba849ad735ef33e8a14b7c03f32168bd5c Mon Sep 17 00:00:00 2001
From: Yeting Li
Date: Wed, 7 Apr 2021 18:34:02 +0800
Subject: [PATCH 6/7] Update 2021-01-31-05-28-14.bpo-43075.DoAXqO.rst

---
 .../next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
index a420033309001e2..d2f9913c4594312 100644
--- a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
+++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
@@ -1 +1 @@
-Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs.
+Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client server and needs remote attackers to control the HTTP server.

From fd9c7fa4162d61e34759fd7b9dd1561d70e016f2 Mon Sep 17 00:00:00 2001
From: Yeting Li
Date: Wed, 7 Apr 2021 18:49:49 +0800
Subject: [PATCH 7/7] Update 2021-01-31-05-28-14.bpo-43075.DoAXqO.rst

---
 .../next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
index d2f9913c4594312..1c9f727e965fb81 100644
--- a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
+++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
@@ -1 +1 @@
-Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client server and needs remote attackers to control the HTTP server.
+Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.