From a754404f28cb521042d9b05ec3265d7413502096 Mon Sep 17 00:00:00 2001
From: JinWang An
Date: Tue, 28 Mar 2023 17:07:59 +0900
Subject: [PATCH] [CVE-2021-3733] Fix ReDoS in request
Change-Id: I9d4f7bf7e4ce08fe9f8165fcd16b9e17d1de193a
Signed-off-by: JinWang An
---
 Lib/urllib2.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Lib/urllib2.py b/Lib/urllib2.py
index 8b634ad..5848f10 100644
--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
@@ -856,7 +856,7 @@ class AbstractBasicAuthHandler:
 # allow for double- and single-quoted realm values
 # (single quotes are a violation of the RFC, but appear in the wild)
- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
+ rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t,]+)[ \t]+'
 'realm=(["\']?)([^"\']*)\\2', re.I)
 # XXX could pre-emptively send auth info already accepted (RFC 2617,
-- 
2.7.4
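Review bot: The new prefix `(?:[^,]*,)*` on the `rx` line is still an unbounded repetition in front of the scheme capture, so on a header value that never matches the engine retries every comma boundary. If `rx` is applied with an unanchored `search` (the call site is outside this hunk), the cost is presumably still quadratic in the length of the server-supplied header rather than linear. Anchoring the scheme instead, `rx = re.compile('(?:^|,)[ \t]*([^ \t,]+)[ \t]+'`, removes the repetition entirely. That form would likely pick the first challenge carrying a realm rather than the last, so the caller needs checking before it is adopted. The patch also adds no regression test; one that bounds the match time of `rx` on a long, comma-heavy header with no realm would pin the fix.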