➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2021-10-22 13:35 by sxt1001, last changed 2022-04-11 14:59 by admin.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| 3.7.4 hang on.png | sxt1001, 2021-10-22 13:35 | |||
| 3.7.4 fix Regex ok.png | sxt1001, 2021-10-22 13:37 | |||
| 3.7.12 fail.png | sxt1001, 2021-10-22 13:39 | |||
| 3.11.0a1 fail.png | sxt1001, 2021-10-22 13:43 | |||
| Pull Requests | |||
|---|---|---|---|
| URL | Status | Linked | Edit |
| PR 30814 | open | andrei.avk, 2022-01-23 00:27 | |
| Messages (3) | |||
|---|---|---|---|
| msg404767 - (view) | Author: tongxiaoge (sxt1001) | Date: 2021-10-22 13:35 | |
The python version I currently use in my development environment is 3.7.4. Using the following script, the program has never output, and seems to have entered an infinite loop.
To reproduce the issue we can use the following code:
from urllib.request import AbstractBasicAuthHandler
auth_handler = AbstractBasicAuthHandler()
header = {'www-authenticate': 'Basic ' + ',' * 64 + ' ' + 'foo' + ' ' +'realm'}
auth_handler.http_error_auth_reqed('www-authenticate','unused','unused',header)
So I tried to upgrade it to version 3.7.12, and the program will directly report an error. The information is as follows:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/local/lib/python3.7/urllib/request.py", line 990, in http_error_auth_reqed
headers = headers.get_all(authreq)
AttributeError: 'dict' object has no attribute 'get_all'
This problem also exists when I upgrade Python 3 to 3.11.0a1. In Python version 3.7.4, the cause of program hang on seems to be a security vulnerability. Refer to https://bugs.python.org/issue39503. The reason for CVE is not the wrong type of headers. However, after repairing CVE, it seems that the type of headers is limited? For the CVE patch, I tried to only fix the part of the regular expression, and the program can run. So, after repairing CVE-2020-8492, what type should the headers parameter be for http_error_auth_reqed function? Based on the current code, how should I adapt and modify it to make it run normally?
|
|||
| msg406813 - (view) | Author: Andrei Kulakov (andrei.avk) *  |
Date: 2021-11-23 02:45 | |
I'm not sure about the hang in 3.7 and CVE, but as far as `get_all()` error is concerned, it's due to passing the wrong kind of argument as `headers`.
For this (undocumented) method, `headers` should be a Message object created in this way, e.g.:
headers = email.message_from_string(
'Content-type: %s\nContent-length: %d\nLast-modified: %s\n' %
(mtype or 'text/plain', size, modified))
(see https://github.com/python/cpython/blob/024209401ebc8a011f242af00efdd8ecece6953d/Lib/urllib/request.py#L1509)
Header obj created in this way does have the `get_all()` method, and I tested that the method runs without further errors.
|
|||
| msg411318 - (view) | Author: Andrei Kulakov (andrei.avk) * |
Date: 2022-01-23 00:31 | |
I was wrong that the method is undocumented, it is documented but it doesn't explain the type of *headers* param. The headers can also be more easily created using `email.message.Message()`. I've added the PR documenting this param. |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:59:51 | admin | set | github: 89735 |
| 2022-01-23 00:57:40 | vstinner | set | nosy:
- vstinner |
| 2022-01-23 00:31:09 | andrei.avk | set | messages: + msg411318 |
| 2022-01-23 00:27:11 | andrei.avk | set | keywords:
+ patch stage: patch review pull_requests: + pull_request29001 |
| 2021-11-23 02:45:29 | andrei.avk | set | nosy:
+ kj, andrei.avk messages: + msg406813 |
| 2021-10-22 13:54:57 | sxt1001 | set | nosy:
+ vstinner |
| 2021-10-22 13:43:39 | sxt1001 | set | files: + 3.11.0a1 fail.png |
| 2021-10-22 13:39:41 | sxt1001 | set | files: + 3.7.12 fail.png |
| 2021-10-22 13:37:45 | sxt1001 | set | files: + 3.7.4 fix Regex ok.png |
| 2021-10-22 13:35:34 | sxt1001 | create | |