Backport of b57a73694e26e8b2391731b5ee0b1be59437388e covering only
the CVE-2020-8492 fix, without the AbstractBasicAuthHandler change
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
index 0d3f9670fef40..4f42919b09eae 100644
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -944,8 +944,15 @@ class AbstractBasicAuthHandler:
# allow for double- and single-quoted realm values
# (single quotes are a violation of the RFC, but appear in the wild)
- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
- 'realm=(["\']?)([^"\']*)\\2', re.I)
+ rx = re.compile('(?:^|,)' # start of the string or ','
+ '[ \t]*' # optional whitespaces
+ '([^ \t]+)' # scheme like "Basic"
+ '[ \t]+' # mandatory whitespaces
+ # realm=xxx
+ # realm='xxx'
+ # realm="xxx"
+ 'realm=(["\']?)([^"\']*)\\2',
+ re.I)
# XXX could pre-emptively send auth info already accepted (RFC 2617,
# end of section 2, and section 1.2 immediately after "credentials"