--- /dev/null
+From 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4 Mon Sep 17 00:00:00 2001
+From: Victor Stinner <vstinner@python.org>
+Date: Thu, 2 Apr 2020 02:52:20 +0200
+Subject: [PATCH] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler
+ (GH-18284)
+
+Upstream-Status: Backport
+(https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)
+
+CVE: CVE-2020-8492
+
+The AbstractBasicAuthHandler class of the urllib.request module uses
+an inefficient regular expression which can be exploited by an
+attacker to cause a denial of service. Fix the regex to prevent the
+catastrophic backtracking. Vulnerability reported by Ben Caller
+and Matt Schwager.
+
+AbstractBasicAuthHandler of urllib.request now parses all
+WWW-Authenticate HTTP headers and accepts multiple challenges per
+header: use the realm of the first Basic challenge.
+
+Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+---
+ Lib/test/test_urllib2.py | 90 ++++++++++++-------
+ Lib/urllib/request.py | 69 ++++++++++----
+ .../2020-03-25-16-02-16.bpo-39503.YmMbYn.rst | 3 +
+ .../2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 5 ++
+ 4 files changed, 115 insertions(+), 52 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
+ create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+
+diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
+index 8abedaac98..e69ac3e213 100644
+--- a/Lib/test/test_urllib2.py
++++ b/Lib/test/test_urllib2.py
+@@ -1446,40 +1446,64 @@ class HandlerTests(unittest.TestCase):
+ bypass = {'exclude_simple': True, 'exceptions': []}
+ self.assertTrue(_proxy_bypass_macosx_sysconf('test', bypass))
+
+- def test_basic_auth(self, quote_char='"'):
+- opener = OpenerDirector()
+- password_manager = MockPasswordManager()
+- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
+- realm = "ACME Widget Store"
+- http_handler = MockHTTPHandler(
+- 401, 'WWW-Authenticate: Basic realm=%s%s%s\r\n\r\n' %
+- (quote_char, realm, quote_char))
+- opener.add_handler(auth_handler)
+- opener.add_handler(http_handler)
+- self._test_basic_auth(opener, auth_handler, "Authorization",
+- realm, http_handler, password_manager,
+- "http://acme.example.com/protected",
+- "http://acme.example.com/protected",
+- )
+-
+- def test_basic_auth_with_single_quoted_realm(self):
+- self.test_basic_auth(quote_char="'")
+-
+- def test_basic_auth_with_unquoted_realm(self):
+- opener = OpenerDirector()
+- password_manager = MockPasswordManager()
+- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
+- realm = "ACME Widget Store"
+- http_handler = MockHTTPHandler(
+- 401, 'WWW-Authenticate: Basic realm=%s\r\n\r\n' % realm)
+- opener.add_handler(auth_handler)
+- opener.add_handler(http_handler)
+- with self.assertWarns(UserWarning):
++ def check_basic_auth(self, headers, realm):
++ with self.subTest(realm=realm, headers=headers):
++ opener = OpenerDirector()
++ password_manager = MockPasswordManager()
++ auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
++ body = '\r\n'.join(headers) + '\r\n\r\n'
++ http_handler = MockHTTPHandler(401, body)
++ opener.add_handler(auth_handler)
++ opener.add_handler(http_handler)
+ self._test_basic_auth(opener, auth_handler, "Authorization",
+- realm, http_handler, password_manager,
+- "http://acme.example.com/protected",
+- "http://acme.example.com/protected",
+- )
++ realm, http_handler, password_manager,
++ "http://acme.example.com/protected",
++ "http://acme.example.com/protected")
++
++ def test_basic_auth(self):
++ realm = "realm2@example.com"
++ realm2 = "realm2@example.com"
++ basic = f'Basic realm="{realm}"'
++ basic2 = f'Basic realm="{realm2}"'
++ other_no_realm = 'Otherscheme xxx'
++ digest = (f'Digest realm="{realm2}", '
++ f'qop="auth, auth-int", '
++ f'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
++ f'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
++ for realm_str in (
++ # test "quote" and 'quote'
++ f'Basic realm="{realm}"',
++ f"Basic realm='{realm}'",
++
++ # charset is ignored
++ f'Basic realm="{realm}", charset="UTF-8"',
++
++ # Multiple challenges per header
++ f'{basic}, {basic2}',
++ f'{basic}, {other_no_realm}',
++ f'{other_no_realm}, {basic}',
++ f'{basic}, {digest}',
++ f'{digest}, {basic}',
++ ):
++ headers = [f'WWW-Authenticate: {realm_str}']
++ self.check_basic_auth(headers, realm)
++
++ # no quote: expect a warning
++ with support.check_warnings(("Basic Auth Realm was unquoted",
++ UserWarning)):
++ headers = [f'WWW-Authenticate: Basic realm={realm}']
++ self.check_basic_auth(headers, realm)
++
++ # Multiple headers: one challenge per header.
++ # Use the first Basic realm.
++ for challenges in (
++ [basic, basic2],
++ [basic, digest],
++ [digest, basic],
++ ):
++ headers = [f'WWW-Authenticate: {challenge}'
++ for challenge in challenges]
++ self.check_basic_auth(headers, realm)
+
+ def test_proxy_basic_auth(self):
+ opener = OpenerDirector()
+diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
+index 7fe50535da..2a3d71554f 100644
+--- a/Lib/urllib/request.py
++++ b/Lib/urllib/request.py
+@@ -937,8 +937,15 @@ class AbstractBasicAuthHandler:
+
+ # allow for double- and single-quoted realm values
+ # (single quotes are a violation of the RFC, but appear in the wild)
+- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
+- 'realm=(["\']?)([^"\']*)\\2', re.I)
++ rx = re.compile('(?:^|,)' # start of the string or ','
++ '[ \t]*' # optional whitespaces
++ '([^ \t]+)' # scheme like "Basic"
++ '[ \t]+' # mandatory whitespaces
++ # realm=xxx
++ # realm='xxx'
++ # realm="xxx"
++ 'realm=(["\']?)([^"\']*)\\2',
++ re.I)
+
+ # XXX could pre-emptively send auth info already accepted (RFC 2617,
+ # end of section 2, and section 1.2 immediately after "credentials"
+@@ -950,27 +957,51 @@ class AbstractBasicAuthHandler:
+ self.passwd = password_mgr
+ self.add_password = self.passwd.add_password
+
++ def _parse_realm(self, header):
++ # parse WWW-Authenticate header: accept multiple challenges per header
++ found_challenge = False
++ for mo in AbstractBasicAuthHandler.rx.finditer(header):
++ scheme, quote, realm = mo.groups()
++ if quote not in ['"', "'"]:
++ warnings.warn("Basic Auth Realm was unquoted",
++ UserWarning, 3)
++
++ yield (scheme, realm)
++
++ found_challenge = True
++
++ if not found_challenge:
++ if header:
++ scheme = header.split()[0]
++ else:
++ scheme = ''
++ yield (scheme, None)
++
+ def http_error_auth_reqed(self, authreq, host, req, headers):
+ # host may be an authority (without userinfo) or a URL with an
+ # authority
+- # XXX could be multiple headers
+- authreq = headers.get(authreq, None)
++ headers = headers.get_all(authreq)
++ if not headers:
++ # no header found
++ return
+
+- if authreq:
+- scheme = authreq.split()[0]
+- if scheme.lower() != 'basic':
+- raise ValueError("AbstractBasicAuthHandler does not"
+- " support the following scheme: '%s'" %
+- scheme)
+- else:
+- mo = AbstractBasicAuthHandler.rx.search(authreq)
+- if mo:
+- scheme, quote, realm = mo.groups()
+- if quote not in ['"',"'"]:
+- warnings.warn("Basic Auth Realm was unquoted",
+- UserWarning, 2)
+- if scheme.lower() == 'basic':
+- return self.retry_http_basic_auth(host, req, realm)
++ unsupported = None
++ for header in headers:
++ for scheme, realm in self._parse_realm(header):
++ if scheme.lower() != 'basic':
++ unsupported = scheme
++ continue
++
++ if realm is not None:
++ # Use the first matching Basic challenge.
++ # Ignore following challenges even if they use the Basic
++ # scheme.
++ return self.retry_http_basic_auth(host, req, realm)
++
++ if unsupported is not None:
++ raise ValueError("AbstractBasicAuthHandler does not "
++ "support the following scheme: %r"
++ % (scheme,))
+
+ def retry_http_basic_auth(self, host, req, realm):
+ user, pw = self.passwd.find_user_password(realm, host)
+diff --git a/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
+new file mode 100644
+index 0000000000..be80ce79d9
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
+@@ -0,0 +1,3 @@
++:class:`~urllib.request.AbstractBasicAuthHandler` of :mod:`urllib.request`
++now parses all WWW-Authenticate HTTP headers and accepts multiple challenges
++per header: use the realm of the first Basic challenge.
+diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+new file mode 100644
+index 0000000000..9f2800581c
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+@@ -0,0 +1,5 @@
++CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
++:mod:`urllib.request` module uses an inefficient regular expression which can
++be exploited by an attacker to cause a denial of service. Fix the regex to
++prevent the catastrophic backtracking. Vulnerability reported by Ben Caller
++and Matt Schwager.
+--
+2.24.1
+
