Message404767
The python version I currently use in my development environment is 3.7.4. Using the following script, the program has never output, and seems to have entered an infinite loop.
To reproduce the issue we can use the following code:
from urllib.request import AbstractBasicAuthHandler
auth_handler = AbstractBasicAuthHandler()
header = {'www-authenticate': 'Basic ' + ',' * 64 + ' ' + 'foo' + ' ' +'realm'}
auth_handler.http_error_auth_reqed('www-authenticate','unused','unused',header)
So I tried to upgrade it to version 3.7.12, and the program will directly report an error. The information is as follows:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/local/lib/python3.7/urllib/request.py", line 990, in http_error_auth_reqed
headers = headers.get_all(authreq)
AttributeError: 'dict' object has no attribute 'get_all'
This problem also exists when I upgrade Python 3 to 3.11.0a1. In Python version 3.7.4, the cause of program hang on seems to be a security vulnerability. Refer to https://bugs.python.org/issue39503. The reason for CVE is not the wrong type of headers. However, after repairing CVE, it seems that the type of headers is limited? For the CVE patch, I tried to only fix the part of the regular expression, and the program can run. So, after repairing CVE-2020-8492, what type should the headers parameter be for http_error_auth_reqed function? Based on the current code, how should I adapt and modify it to make it run normally? |
|
Date |
User |
Action |
Args |
2021-10-22 13:35:34 | sxt1001 | set | recipients:
+ sxt1001 |
2021-10-22 13:35:34 | sxt1001 | set | messageid: <1634909734.24.0.124969342817.issue45572@roundup.psfhosted.org> |
2021-10-22 13:35:34 | sxt1001 | link | issue45572 messages |
2021-10-22 13:35:34 | sxt1001 | create | |
|