[issue38826] Regular Expression Denial of Service in urllib.request.AbstractBasicAuthHandler

2020-03-25 Thread STINNER Victor
STINNER Victor added the comment:

This issue is a duplicate of bpo-39503 which has a PR. Thanks Ben Caller for the report, I credited you in my fix ;-)

--
nosy: +vstinner
resolution: -> duplicate
stage: -> resolved
status: open -> closed
superseder: -> [security][CVE-2020-8492]


2020-03-03 Thread Matthew Barnett
Matthew Barnett added the comment:

A smaller change to the regex would be to replace the "(?:.*,)*" with "(?:[^,]*,)*".

I'd also suggest using a raw string instead:

    rx = re.compile(r'''(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+realm=(["']?)([^"']*)\2''', re.I)

--
nosy: +mrabarnett
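
Added example, not part of the thread and not CPython's own code: a check that the pattern proposed above returns the same scheme and realm as the reported pattern on well-formed headers, plus a timing comparison on a value that matches neither. The sample headers, the comma-only value and the helper names are constructed for this example; the reported pattern's flags are assumed to be re.I because its listing on this page is cut off.

```python
import re
import time

# Pattern quoted in the original report. The listing on this page stops before
# the flags argument; re.I is an assumption, taken from the proposed version.
RX_REPORTED = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
                         'realm=(["\']?)([^"\']*)\\2', re.I)

# Replacement proposed in the thread by Matthew Barnett, copied verbatim.
RX_PROPOSED = re.compile(
    r'''(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+realm=(["']?)([^"']*)\2''', re.I)

# Constructed, well-formed WWW-Authenticate values for the behaviour check.
LEGIT_HEADERS = [
    'Basic realm="test"',
    "basic REALM='single quoted'",
    'Basic realm=unquoted',
    'Digest realm="a", Basic realm="b"',
    'Basic realm="with,comma"',
]


def parse(rx, header):
    """Return (scheme, realm) from the first match, or None."""
    mo = rx.search(header)
    return (mo.group(1), mo.group(3)) if mo else None


def same_on_legit_headers():
    """True if both patterns agree on every well-formed sample header."""
    return all(parse(RX_REPORTED, h) == parse(RX_PROPOSED, h)
               for h in LEGIT_HEADERS)


def seconds_to_reject(rx, commas):
    """Time rx.search on a constructed value of N commas (never matches)."""
    value = ',' * commas
    start = time.perf_counter()
    rx.search(value)
    return time.perf_counter() - start


if __name__ == '__main__':
    print('agree on legit headers:', same_on_legit_headers())
    for n in (12, 14, 16, 18):
        print(n, f'reported {seconds_to_reject(RX_REPORTED, n):.4f}s',
              f'proposed {seconds_to_reject(RX_PROPOSED, n):.4f}s')
```

In the reported pattern, ".*" can itself consume commas, so a run of commas can be split among iterations of "(?:.*,)*" in many ways and each split is retried on failure; with "[^,]*" every iteration consumes exactly one comma, which removes that ambiguity.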


2020-03-02 Thread Michał Górny
Change by Michał Górny:

--
nosy: +mgorny


2020-02-04 Thread Anselmo Melo
Change by Anselmo Melo:

--
nosy: +Anselmo Melo


2019-11-17 Thread Ben Caller
Ben Caller added the comment:

I have been advised that DoS issues can be added to the public bug tracker since there is no privilege escalation, but should still have the security label.


2019-11-16 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment:

Thanks for the report. Please report security issues to secur...@python.org so that the security team can analyze and triage it to be made public. More information at https://www.python.org/news/security/

--
nosy: +xtreak


2019-11-16 Thread Ben Caller
New submission from Ben Caller:

The regular expression urllib.request.AbstractBasicAuthHandler.rx is vulnerable to malicious inputs which cause denial of service (REDoS).

The regex is:

    rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
                    'realm=(["\']?)([^"\']*)\\2',