[CVE-2021-3733] Fix ReDoS in request

Change-Id: I9d4f7bf7e4ce08fe9f8165fcd16b9e17d1de193a Signed-off-by: JinWang An <jinwang.an@samsung.com>
author: JinWang An <jinwang.an@samsung.com> 2023-03-28 17:07:59 +0900
committer: JinWang An <jinwang.an@samsung.com> 2023-03-28 17:07:59 +0900
commit: a754404f28cb521042d9b05ec3265d7413502096 (patch)
tree: b10aefb6b29a7bfb2bfb5aaedbf39598da2ed5b3
parent: e256703e3186f6a23ca551637132f908131483b2 (diff)
download: python-a754404f28cb521042d9b05ec3265d7413502096.tar.gz
python-a754404f28cb521042d9b05ec3265d7413502096.tar.bz2
python-a754404f28cb521042d9b05ec3265d7413502096.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/Lib/urllib2.py b/Lib/urllib2.py
index 8b634ad..5848f10 100644
--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
@@ -856,7 +856,7 @@ class AbstractBasicAuthHandler:
 
     # allow for double- and single-quoted realm values
     # (single quotes are a violation of the RFC, but appear in the wild)
-    rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
+    rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t,]+)[ \t]+'
                     'realm=(["\']?)([^"\']*)\\2', re.I)
 
     # XXX could pre-emptively send auth info already accepted (RFC 2617,
author	JinWang An <jinwang.an@samsung.com>	2023-03-28 17:07:59 +0900
committer	JinWang An <jinwang.an@samsung.com>	2023-03-28 17:07:59 +0900
commit	a754404f28cb521042d9b05ec3265d7413502096 (patch)
tree	b10aefb6b29a7bfb2bfb5aaedbf39598da2ed5b3
parent	e256703e3186f6a23ca551637132f908131483b2 (diff)
download	python-a754404f28cb521042d9b05ec3265d7413502096.tar.gz python-a754404f28cb521042d9b05ec3265d7413502096.tar.bz2 python-a754404f28cb521042d9b05ec3265d7413502096.zip