Fix ReDoS in urllib AbstractBasicAuthHandler (BPO 43075)release-pypy2.7-v7.3.5rc2

author: Matti Picus <matti.picus@gmail.com> 2021-05-05 05:41:49 +0300
committer: Matti Picus <matti.picus@gmail.com> 2021-05-05 05:41:49 +0300
commit: f14ead4dd6697a170c3a1c63b44d4ea53016bb08 (patch)
tree: a154c083730d43b8fc5e073577dd0e71e56027e0
parent: urllib.parse should sanitize urls containing ASCII newline and tabs (BPO 43882) (diff)
download: pypy-f14ead4dd6697a170c3a1c63b44d4ea53016bb08.tar.gz
pypy-f14ead4dd6697a170c3a1c63b44d4ea53016bb08.tar.bz2
pypy-f14ead4dd6697a170c3a1c63b44d4ea53016bb08.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/lib-python/2.7/urllib2.py b/lib-python/2.7/urllib2.py
index e9fdd43320..4ef844cbfa 100644
--- a/lib-python/2.7/urllib2.py
+++ b/lib-python/2.7/urllib2.py
@@ -858,7 +858,7 @@ class AbstractBasicAuthHandler:
     # (single quotes are a violation of the RFC, but appear in the wild)
     rx = re.compile('(?:^|,)'   # start of the string or ','
                     '[ \t]*'    # optional whitespaces
-                    '([^ \t]+)' # scheme like "Basic"
+                    '([^ \t,]+)' # scheme like "Basic"
                     '[ \t]+'    # mandatory whitespaces
                     # realm=xxx
                     # realm='xxx'
author	Matti Picus <matti.picus@gmail.com>	2021-05-05 05:41:49 +0300
committer	Matti Picus <matti.picus@gmail.com>	2021-05-05 05:41:49 +0300
commit	f14ead4dd6697a170c3a1c63b44d4ea53016bb08 (patch)
tree	a154c083730d43b8fc5e073577dd0e71e56027e0
parent	urllib.parse should sanitize urls containing ASCII newline and tabs (BPO 43882) (diff)
download	pypy-f14ead4dd6697a170c3a1c63b44d4ea53016bb08.tar.gz pypy-f14ead4dd6697a170c3a1c63b44d4ea53016bb08.tar.bz2 pypy-f14ead4dd6697a170c3a1c63b44d4ea53016bb08.zip