[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2021-09-14 Thread STINNER Victor


STINNER Victor  added the comment:

This issue was a security vulnerability. It's now closed, please don't comment 
on closed issues. If you consider that there is a regression, please open a new 
issue.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2021-09-14 Thread tongxiaoge


tongxiaoge  added the comment:

At the beginning of the issue, there is the following reproduction code:
from urllib.request import AbstractBasicAuthHandler

auth_handler = AbstractBasicAuthHandler()
auth_handler.http_error_auth_reqed(
    'www-authenticate',
    'unused',
    'unused',
    {
        'www-authenticate': 'Basic ' + ',' * 64 + ' ' + 'foo' + ' ' +
        'realm'
    }
)

Here's the headers:

{
    'www-authenticate': 'Basic ' + ',' * 64 + ' ' + 'foo' + ' ' +
    'realm'
}

I think this is a dict object, so the current problem is fixed and no longer 
compatible with the previous usage?

--




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2021-09-14 Thread STINNER Victor


STINNER Victor  added the comment:

> "headers" is a dict object? If so, the dict object does not seem to have an 
> attribute "get_all".

No, it's not a dict object.

--




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2021-09-14 Thread tongxiaoge


tongxiaoge  added the comment:

https://github.com/python/cpython/blob/9f93018b69d72cb48d3444554261ae3b0ea00c93/Lib/urllib/request.py#L989
"headers" is a dict object? If so, the dict object does not seem to have an 
attribute "get_all".

--
nosy: +sxt1001
versions: +Python 3.10, Python 3.11 -Python 3.5, Python 3.6




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-06-20 Thread Larry Hastings


Change by Larry Hastings :


--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-06-20 Thread Kubilay Kocak


Change by Kubilay Kocak :


--
nosy: +koobs




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-06-20 Thread Larry Hastings


Larry Hastings  added the comment:


New changeset 37fe316479e0b6906a74b0c0a5e495c55037fdfd by Victor Stinner in 
branch '3.5':
bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (#19305)
https://github.com/python/cpython/commit/37fe316479e0b6906a74b0c0a5e495c55037fdfd


--
nosy: +larry




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-04-02 Thread Ned Deily


Ned Deily  added the comment:


New changeset 69cdeeb93e0830004a495ed854022425b93b3f3e by Victor Stinner in 
branch '3.6':
bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19304)
https://github.com/python/cpython/commit/69cdeeb93e0830004a495ed854022425b93b3f3e


--
nosy: +ned.deily




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-04-02 Thread STINNER Victor


Change by STINNER Victor :


--
pull_requests: +18667
pull_request: https://github.com/python/cpython/pull/19305




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-04-02 Thread STINNER Victor


Change by STINNER Victor :


--
pull_requests: +18666
pull_request: https://github.com/python/cpython/pull/19304




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-04-02 Thread STINNER Victor


Change by STINNER Victor :


--
versions:  -Python 2.7




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-04-02 Thread Tapas Kundu


Change by Tapas Kundu :


--
pull_requests: +18664
pull_request: https://github.com/python/cpython/pull/19302




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-04-02 Thread STINNER Victor


STINNER Victor  added the comment:


New changeset b57a73694e26e8b2391731b5ee0b1be59437388e by Miss Islington (bot) 
in branch '3.7':
bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19297)
https://github.com/python/cpython/commit/b57a73694e26e8b2391731b5ee0b1be59437388e


--




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-04-02 Thread STINNER Victor


STINNER Victor  added the comment:


New changeset ea9e240aa02372440be8024acb110371f69c9d41 by Miss Islington (bot) 
in branch '3.8':
bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19296)
https://github.com/python/cpython/commit/ea9e240aa02372440be8024acb110371f69c9d41


--




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-04-02 Thread Tapas Kundu


Change by Tapas Kundu :


--
pull_requests: +18663
pull_request: https://github.com/python/cpython/pull/19301




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-04-02 Thread Tapas Kundu


Change by Tapas Kundu :


--
nosy: +tapakund
nosy_count: 6.0 -> 7.0
pull_requests: +18661
pull_request: https://github.com/python/cpython/pull/19299




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-04-01 Thread miss-islington


Change by miss-islington :


--
pull_requests: +18656
pull_request: https://github.com/python/cpython/pull/19297




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-04-01 Thread miss-islington


Change by miss-islington :


--
pull_requests: +18655
pull_request: https://github.com/python/cpython/pull/19296




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-04-01 Thread STINNER Victor


STINNER Victor  added the comment:


New changeset 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4 by Victor Stinner in 
branch 'master':
bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284)
https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4


--




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-04-01 Thread miss-islington


Change by miss-islington :


--
nosy: +miss-islington
nosy_count: 5.0 -> 6.0
pull_requests: +18650
pull_request: https://github.com/python/cpython/pull/19291




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-04-01 Thread miss-islington


Change by miss-islington :


--
pull_requests: +18651
pull_request: https://github.com/python/cpython/pull/19292

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-04-01 Thread Ben Caller


Change by Ben Caller :


Removed file: https://bugs.python.org/file49022/bench_parser2.py




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-04-01 Thread Ben Caller


Change by Ben Caller :


Added file: https://bugs.python.org/file49023/bench_parser2.py




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-04-01 Thread STINNER Victor


STINNER Victor  added the comment:

Ooooh, I see. I didn't measure the performance of the right header. I re-ran a 
benchmark using the HTTP header (repeat=15):

header = 'Basic ' + ', ' * 15 + 'A'

Now I see a major performance difference. Comparison between master ("ref") and 
PR 18284 ("fix"):

Mean +- std dev: [ref] 88.9 ms +- 2.4 ms -> [fix] 17.5 us +- 0.7 us: 5083.23x 
faster (-100%)

So the worst case is now way faster: more than 5000x faster!

It's even possible to go up to repeat=10**6 characters, it still takes less 
than 1 second: 412 ms +- 19 ms.

On the master branch, repeat=20 already takes around 3 seconds... The slowdown 
is exponential with repeat increase.

--
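
The backtracking measured in the message above, as an added example that is not part of the original thread or of the attached benchmark files: it times the thread's worst-case header against the pattern used before the fix and the one used after it. Both patterns are reproduced from CPython's Lib/urllib/request.py and are not quoted on this page, so treat them as an assumption; the helper names are made up for the example.

```python
import re
import time

# Pattern used by AbstractBasicAuthHandler before the fix (assumption:
# reproduced from CPython's Lib/urllib/request.py, not quoted on this page).
# The nested quantifier (?:.*,)* is what backtracks exponentially.
OLD_RX = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
                    'realm=(["\']?)([^"\']*)\\2', re.I)

# Pattern after the fix (same assumption): a challenge starts at the
# beginning of the string or after ',', so no nested quantifier remains.
NEW_RX = re.compile('(?:^|,)[ \t]*([^ \t]+)[ \t]+'
                    'realm=(["\']?)([^"\']*)\\2', re.I)


def worst_case(repeat):
    """Header shape used for the benchmark in this thread."""
    return 'Basic ' + ', ' * repeat + 'A'


def parse(rx, header):
    """Return (scheme, realm) of the first challenge found, or None."""
    mo = rx.search(header)
    return (mo.group(1), mo.group(3)) if mo else None


def search_seconds(rx, header):
    """Best of three wall-clock timings of one rx.search(header)."""
    best = float('inf')
    for _ in range(3):
        start = time.perf_counter()
        rx.search(header)
        best = min(best, time.perf_counter() - start)
    return best


def growth_table(rx, repeats):
    """[(repeat, seconds)] for the worst-case header at each size."""
    return [(n, search_seconds(rx, worst_case(n))) for n in repeats]


if __name__ == '__main__':
    # Old pattern: each extra ', ' roughly doubles the time.
    for n, secs in growth_table(OLD_RX, range(8, 17, 2)):
        print(f'old  repeat={n:<6} {secs * 1e3:10.3f} ms')
    # New pattern: time grows with the header length only.
    for n, secs in growth_table(NEW_RX, (16, 10**3, 10**5)):
        print(f'new  repeat={n:<6} {secs * 1e3:10.3f} ms')
```

Running the same growth table over any regex applied to a server-controlled header is a quick check for this class of slowdown before the pattern ships.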




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-04-01 Thread Ben Caller


Ben Caller  added the comment:

Instead of

repeat_10_3 = 'Basic ' + ', ' * (10 ** 3) + simple

in the benchmark, try

repeat_10_3 = 'Basic ' + ', ' * (10 ** 3) + 'A'

--
Added file: https://bugs.python.org/file49022/bench_parser2.py




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-03-30 Thread STINNER Victor


STINNER Victor  added the comment:

bench_parser.py: Benchmark for AbstractBasicAuthHandler.http_error_auth_reqed().

--
Added file: https://bugs.python.org/file49016/bench_parser.py




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-03-25 Thread STINNER Victor


STINNER Victor  added the comment:

> Isn't this a duplicate of bpo-38826 ?

Oh right. I marked it as a duplicate of this issue.

--




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-03-04 Thread Ryan Ware


Change by Ryan Ware :


--
nosy: +ware




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-03-02 Thread Michał Górny

Change by Michał Górny :


--
nosy: +mgorny

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-02-04 Thread Ben Caller


Ben Caller  added the comment:

Isn't this a duplicate of bpo-38826 ?

--
nosy: +bc




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-01-31 Thread Anselmo Melo


Change by Anselmo Melo :


--
nosy: +Anselmo Melo




[issue39503] [security][CVE-2020-8492] Denial of service in urllib.request.AbstractBasicAuthHandler

2020-01-30 Thread STINNER Victor


STINNER Victor  added the comment:

CVE-2020-8492 has been assigned to this vulnerability:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-8492

--
title: [security] Denial of service in urllib.request.AbstractBasicAuthHandler 
-> [security][CVE-2020-8492] Denial of service in 
urllib.request.AbstractBasicAuthHandler
