STINNER Victor <vstin...@python.org> added the comment:
> header = '' + ',' * (10 ** 5) I guess that a more generic protection against future attacks would be to limit the maximum length of a HTTP header. 100,000 characters for a HTTP Basic authentification does not sound reasonable. But for now, let's fix the regex. ---------- _______________________________________ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue43075> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com