urllib basic auth regex denial of service
The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression that is subject to catastrophic backtracking; a malicious HTTP server can exploit it to cause a denial of service in the client.
- Disclosure date: 2019-11-17 (Python issue bpo-38826 reported)
- Reported at: 2019-11-17 (bpo-38826)
- Reported by: Ben Caller and Matt Schwager
- Python 3.5 (need commit)
- Python 3.6 (need release)
- Python 3.7 (need release)
- Python 3.8 (need release)
Regular Expression Denial of Service in urllib.request.AbstractBasicAuthHandler.
- Python issue: bpo-38826
- Creation date: 2019-11-17
- Reporter: Ben Caller
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allow an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of catastrophic backtracking in urllib.request.AbstractBasicAuthHandler.
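As an added illustration (not CPython's code or part of this report): the handler's regular expression extracts the scheme and realm from a WWW-Authenticate or Proxy-Authenticate challenge list; the hand-written parser below does the same job in a single linear pass, so no header content can force re-scanning. Function names and the sample headers are assumptions.

```python
def _unquote(value: str) -> str:
    """Strip one pair of surrounding double quotes, if present."""
    value = value.strip(' \t')
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def parse_challenges(header: str) -> list:
    """Parse a WWW-Authenticate value into [(scheme, {param: value}), ...].

    Each character is visited exactly once: the header is split on commas
    outside double quotes, then each piece is either a new '<scheme> <param>'
    challenge or a further 'key=value' parameter of the current one.
    token68 credentials (e.g. 'Negotiate <base64>') are not modelled.
    """
    pieces, current, quoted = [], [], False
    for ch in header:
        if ch == '"':
            quoted = not quoted
        if ch == ',' and not quoted:
            pieces.append(''.join(current))
            current = []
        else:
            current.append(ch)
    pieces.append(''.join(current))

    challenges = []
    for piece in pieces:
        words = piece.strip(' \t').split(None, 1)
        if not words:
            continue
        if '=' in words[0]:
            # A bare parameter continues the most recent challenge.
            param = piece.strip(' \t')
        else:
            challenges.append((words[0], {}))
            param = words[1] if len(words) > 1 else ''
        if param and challenges:
            key, sep, value = param.partition('=')
            if sep:
                challenges[-1][1][key.strip().lower()] = _unquote(value)
    return challenges


def basic_realm(header: str):
    """Realm of the first Basic challenge, or None (scheme case-insensitive)."""
    for scheme, params in parse_challenges(header):
        if scheme.lower() == 'basic' and 'realm' in params:
            return params['realm']
    return None
```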
Timeline using the disclosure date 2019-11-17 as reference:
- 2019-11-17: Python issue bpo-38826 reported by Ben Caller
- 2019-11-17 (+0 days): Reported (bpo-38826)
- 2020-01-30 (+74 days): CVE-2020-8492 published
- 2020-04-02 (+137 days): commit 0b297d4 (branch 3.9)
- 2020-04-02 (+137 days): commit b57a736 (branch 3.7)
- 2020-04-02 (+137 days): commit ea9e240 (branch 3.8)
- 2020-04-03 (+138 days): commit 69cdeeb (branch 3.6)