Message 404767 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	sxt1001
Recipients	sxt1001
Date	2021-10-22.13:35:34
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1634909734.24.0.124969342817.issue45572@roundup.psfhosted.org>
In-reply-to

Content
The python version I currently use in my development environment is 3.7.4. Using the following script, the program has never output, and seems to have entered an infinite loop. To reproduce the issue we can use the following code: from urllib.request import AbstractBasicAuthHandler auth_handler = AbstractBasicAuthHandler() header = {'www-authenticate': 'Basic ' + ',' * 64 + ' ' + 'foo' + ' ' +'realm'} auth_handler.http_error_auth_reqed('www-authenticate','unused','unused',header) So I tried to upgrade it to version 3.7.12, and the program will directly report an error. The information is as follows: Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/local/lib/python3.7/urllib/request.py", line 990, in http_error_auth_reqed headers = headers.get_all(authreq) AttributeError: 'dict' object has no attribute 'get_all' This problem also exists when I upgrade Python 3 to 3.11.0a1. In Python version 3.7.4, the cause of program hang on seems to be a security vulnerability. Refer to https://bugs.python.org/issue39503. The reason for CVE is not the wrong type of headers. However, after repairing CVE, it seems that the type of headers is limited? For the CVE patch, I tried to only fix the part of the regular expression, and the program can run. So, after repairing CVE-2020-8492, what type should the headers parameter be for http_error_auth_reqed function? Based on the current code, how should I adapt and modify it to make it run normally?

The python version I currently use in my development environment is 3.7.4. Using the following script, the program has never output, and seems to have entered an infinite loop.

To reproduce the issue we can use the following code:

from urllib.request import AbstractBasicAuthHandler
auth_handler = AbstractBasicAuthHandler()
header = {'www-authenticate': 'Basic ' + ',' * 64 + ' ' + 'foo' + ' ' +'realm'}
auth_handler.http_error_auth_reqed('www-authenticate','unused','unused',header)




So I tried to upgrade it to version 3.7.12, and the program will directly report an error. The information is as follows:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.7/urllib/request.py", line 990, in http_error_auth_reqed
    headers = headers.get_all(authreq)
AttributeError: 'dict' object has no attribute 'get_all'

This problem also exists when I upgrade Python 3 to 3.11.0a1. In Python version 3.7.4, the cause of program hang on seems to be a security vulnerability. Refer to https://bugs.python.org/issue39503. The reason for CVE is not the wrong type of headers. However, after repairing CVE, it seems that the type of headers is limited? For the CVE patch, I tried to only fix the part of the regular expression, and the program can run. So, after repairing CVE-2020-8492, what type should the headers parameter be for http_error_auth_reqed  function? Based on the current code, how should I adapt and modify it to make it run normally?

History
Date	User	Action	Args
2021-10-22 13:35:34	sxt1001	set	recipients: + sxt1001
2021-10-22 13:35:34	sxt1001	set	messageid: <1634909734.24.0.124969342817.issue45572@roundup.psfhosted.org>
2021-10-22 13:35:34	sxt1001	link	issue45572 messages
2021-10-22 13:35:34	sxt1001	create