def check_basic_auth(self, headers, realm):

with self.subTest(realm=realm, headers=headers):

opener = OpenerDirector()

password_manager = MockPasswordManager()

auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)

body = '\r\n'.join(headers) + '\r\n\r\n'

http_handler = MockHTTPHandler(401, body)

opener.add_handler(auth_handler)

opener.add_handler(http_handler)

realm, http_handler, password_manager,

"http://acme.example.com/protected",

"http://acme.example.com/protected")

def test_basic_auth(self):

realm = "[email protected]"

realm2 = "[email protected]"

basic = f'Basic realm="{realm}"'

basic2 = f'Basic realm="{realm2}"'

other_no_realm = 'Otherscheme xxx'

digest = (f'Digest realm="{realm2}", '

f'qop="auth, auth-int", '

f'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '

f'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

for realm_str in (

# test "quote" and 'quote'

f'Basic realm="{realm}"',

f"Basic realm='{realm}'",

# charset is ignored

f'Basic realm="{realm}", charset="UTF-8"',

# Multiple challenges per header

f'{basic}, {basic2}',

f'{basic}, {other_no_realm}',

f'{other_no_realm}, {basic}',

f'{basic}, {digest}',

f'{digest}, {basic}',

):

headers = [f'WWW-Authenticate: {realm_str}']

self.check_basic_auth(headers, realm)

# no quote: expect a warning

with support.check_warnings(("Basic Auth Realm was unquoted",

UserWarning)):

headers = [f'WWW-Authenticate: Basic realm={realm}']

self.check_basic_auth(headers, realm)

# Multiple headers: one challenge per header.

# Use the first Basic realm.

for challenges in (

[basic, basic2],

[basic, digest],

[digest, basic],

):

headers = [f'WWW-Authenticate: {challenge}'

for challenge in challenges]

self.check_basic_auth(headers, realm)

rx = re.compile('(?:^|,)' # start of the string or ','

'[ \t]*' # optional whitespaces

'([^ \t]+)' # scheme like "Basic"

'[ \t]+' # mandatory whitespaces

# realm=xxx

# realm='xxx'

# realm="xxx"

'realm=(["\']?)([^"\']*)\\2',

re.I)

def _parse_realm(self, header):

# parse WWW-Authenticate header: accept multiple challenges per header

found_challenge = False

for mo in AbstractBasicAuthHandler.rx.finditer(header):

scheme, quote, realm = mo.groups()

if quote not in ['"', "'"]:

warnings.warn("Basic Auth Realm was unquoted",

UserWarning, 3)

yield (scheme, realm)

found_challenge = True

if not found_challenge:

if header:

scheme = header.split()[0]

else:

scheme = ''

yield (scheme, None)

headers = headers.get_all(authreq)

if not headers:

# no header found

return

unsupported = None

for header in headers:

for scheme, realm in self._parse_realm(header):

if scheme.lower() != 'basic':

unsupported = scheme

continue

if realm is not None:

# Use the first matching Basic challenge.

# Ignore following challenges even if they use the Basic

# scheme.

return self.retry_http_basic_auth(host, req, realm)

if unsupported is not None:

raise ValueError("AbstractBasicAuthHandler does not "

"support the following scheme: %r"

% (scheme,))

:class:`~urllib.request.AbstractBasicAuthHandler` of :mod:`urllib.request`

now parses all WWW-Authenticate HTTP headers and accepts multiple challenges

per header: use the realm of the first Basic challenge.

CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the

:mod:`urllib.request` module uses an inefficient regular expression which can

be exploited by an attacker to cause a denial of service. Fix the regex to

prevent the catastrophic backtracking. Vulnerability reported by Ben Caller

and Matt Schwager.