Fix inefficient and insufficient regex for WWW-Authenticate

David Fraser · David Fraser · commit f79379c7e082 · 2020-02-21T15:20:38.000+02:00
The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking.

Note that the original regex was roughly O(2**n)
The search for commas and spaces is unnecessary
(and insufficient to ensure that this starts a new scheme).
Replace with a simpler search for an initial scheme, since
we already check that the text starts with 'basic'.

Vulnerability reported by Matt Schwager.
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
@@ -937,7 +937,7 @@ class AbstractBasicAuthHandler:
 
     # allow for double- and single-quoted realm values
     # (single quotes are a violation of the RFC, but appear in the wild)
-    rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
+    rx = re.compile('^([^ \t]+)[ \t]+'
                     'realm=(["\']?)([^"\']*)\\2', re.I)
 
     # XXX could pre-emptively send auth info already accepted (RFC 2617,
