[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler
tongxiaoge
report at bugs.python.org
Tue Sep 14 06:33:05 EDT 2021
tongxiaoge <shixuantong at huawei.com> added the comment:
At the beginning of the issue, there is the following reproduction code:
from urllib.request import AbstractBasicAuthHandler
auth_handler = AbstractBasicAuthHandler()
auth_handler.http_error_auth_reqed(
'www-authenticate',
'unused',
'unused',
{
'www-authenticate': 'Basic ' + ',' * 64 + ' ' + 'foo' + ' ' +
'realm'
}
)
Here's the headers:
{
'www-authenticate': 'Basic ' + ',' * 64 + ' ' + 'foo' + ' ' +
'realm'
}
I think this is a dict object, so the current problem is fixed and no longer compatible with the previous usage?
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue39503>
_______________________________________
More information about the Python-bugs-list
mailing list