From: JinWang An
Date: Tue, 28 Mar 2023 08:07:59 +0000 (+0900)
Subject: [CVE-2021-3733] Fix ReDoS in request
X-Git-Tag: accepted/tizen/8.0/base/20231005.045056~1
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a754404f28cb521042d9b05ec3265d7413502096;p=platform%2Fupstream%2Fpython.git
[CVE-2021-3733] Fix ReDoS in request
Change-Id: I9d4f7bf7e4ce08fe9f8165fcd16b9e17d1de193a
Signed-off-by: JinWang An
---
diff --git a/Lib/urllib2.py b/Lib/urllib2.py
index 8b634ad..5848f10 100644
--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
@@ -856,7 +856,7 @@ class AbstractBasicAuthHandler:
 # allow for double- and single-quoted realm values
 # (single quotes are a violation of the RFC, but appear in the wild)
- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
+ rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t,]+)[ \t]+'
 'realm=(["\']?)([^"\']*)\\2', re.I)
 # XXX could pre-emptively send auth info already accepted (RFC 2617,
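Review bot: The rewritten prefix `(?:[^,]*,)*` on the new `rx = re.compile(` line is still a repeated group, so if the call site applies it with `rx.search()` (the caller is outside this hunk, as is the rest of `AbstractBasicAuthHandler`), each start offset can re-walk every remaining comma-separated segment and matching would stay quadratic on a long `WWW-Authenticate` value. Later upstream versions anchor the scheme with `(?:^|,)[ \t]*([^ \t,]+)[ \t]+` instead; that likely changes which challenge is selected when several carry a realm, so the caller would need adjusting as well. Whichever form is kept, a regression test that bounds the match time on a maximum-length server-supplied header would confirm the fix. A short comment such as `# ',' is excluded from both classes so segments cannot overlap (CVE-2021-3733)` would also help the next backport.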