Author vstinner
Recipients orsenthil, serhiy.storchaka, vstinner, yetingli
Date 2021-04-07.10:59:29
Message-id <1617793169.33.0.308238233599.issue43075@roundup.psfhosted.org>
In-reply-to
Content
> header = '' + ',' * (10 ** 5)

I guess that a more generic protection against future attacks would be to limit the maximum length of an HTTP header. 100,000 characters for an HTTP Basic authentication does not sound reasonable.

But for now, let's fix the regex.
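
The length limit suggested in the message above, sketched as an added example (not part of the original message and not the CPython fix): the header is rejected before any parsing if it exceeds a cap, and the realm is then extracted with patterns that have no nested or overlapping quantifiers. `MAX_HEADER_LEN`, its value of 8192, `HeaderTooLong` and `parse_basic_realm` are hypothetical names and values chosen for illustration.

```python
import re

MAX_HEADER_LEN = 8192  # assumed cap; choose a limit that suits the deployment


class HeaderTooLong(ValueError):
    """Raised before any parsing when the header exceeds the cap."""


# key=value, where value is a quoted string or a bare token. The character
# classes on each side of '=' are disjoint, so a failed match cannot backtrack
# through many alternative splits of the input.
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^\s,"]+))')
# Anything else up to the next separator (a scheme name or a token68 blob).
_TOKEN = re.compile(r'[^\s,"]+')


def parse_basic_realm(header, max_len=MAX_HEADER_LEN):
    """Return the realm of the first Basic challenge in header, or None."""
    if len(header) > max_len:
        raise HeaderTooLong(f"{len(header)} characters, limit is {max_len}")
    pos, in_basic = 0, False
    while pos < len(header):
        if header[pos] in ", \t":          # separators between items
            pos += 1
            continue
        m = _PARAM.match(header, pos)
        if m:
            if in_basic and m.group(1).lower() == "realm":
                return m.group(2) if m.group(2) is not None else m.group(3)
            pos = m.end()
            continue
        m = _TOKEN.match(header, pos)
        if m is None:                      # stray quote: treat as malformed
            return None
        in_basic = m.group().lower() == "basic"
        pos = m.end()
    return None


if __name__ == "__main__":
    print(parse_basic_realm('Negotiate, Basic realm="a, b", charset="UTF-8"'))
    try:
        parse_basic_realm('' + ',' * (10 ** 5))   # header quoted in the message
    except HeaderTooLong as exc:
        print("rejected:", exc)
```
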