author | JinWang An <jinwang.an@samsung.com> | 2023-03-28 17:07:59 +0900 |
---|---|---|
committer | JinWang An <jinwang.an@samsung.com> | 2023-03-28 17:07:59 +0900 |
commit | a754404f28cb521042d9b05ec3265d7413502096 (patch) | |
tree | b10aefb6b29a7bfb2bfb5aaedbf39598da2ed5b3 | |
parent | e256703e3186f6a23ca551637132f908131483b2 (diff) | |
[CVE-2021-3733] Fix ReDoS in request
Change-Id: I9d4f7bf7e4ce08fe9f8165fcd16b9e17d1de193a
Signed-off-by: JinWang An <jinwang.an@samsung.com>
-rw-r--r-- | Lib/urllib2.py | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/Lib/urllib2.py b/Lib/urllib2.py
index 8b634ad..5848f10 100644
--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
@@ -856,7 +856,7 @@ class AbstractBasicAuthHandler:
 # allow for double- and single-quoted realm values
 # (single quotes are a violation of the RFC, but appear in the wild)
- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
+ rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t,]+)[ \t]+'
 'realm=(["\']?)([^"\']*)\\2', re.I)
 # XXX could pre-emptively send auth info already accepted (RFC 2617, |
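Review bot: The rewritten prefix `(?:[^,]*,)*` on the new `rx` line is still an unanchored, greedy repeated group, so a long comma-separated value that never reaches `realm=` is presumably still retried once per comma (and once per start offset if `rx` is applied with `search()`, which is outside this hunk); the exponential case is gone, but the cost likely stays polynomial in the header length. Anchoring the scheme instead, as later CPython releases do, removes the repeated group altogether: `rx = re.compile('(?:^|,)[ \t]*([^ \t,]+)[ \t]+'`. Since this pattern presumably runs on a challenge header supplied by the remote server, a comment above `rx` such as `# runs on untrusted header data: keep quantifiers non-overlapping` would keep a later edit from reintroducing the problem. The diffstat lists only Lib/urllib2.py, so no regression test bounds the matching time on a long non-matching header. The body of AbstractBasicAuthHandler starts and ends outside the hunk.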