From 33e2642505c188ec168464e8ddfd49d3ed8181f8 Mon Sep 17 00:00:00 2001
From: Shaun Lowry
Date: Fri, 7 Aug 2020 12:47:43 -0600
Subject: [PATCH] Fix CVE-2020-8492 runaway regexp

---
 Lib/urllib2.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/Lib/urllib2.py b/Lib/urllib2.py
index 8b634ada3723b6..85260b679793b6 100644
--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
@@ -856,8 +856,16 @@ class AbstractBasicAuthHandler:
     # allow for double- and single-quoted realm values
     # (single quotes are a violation of the RFC, but appear in the wild)
-    rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
-                    'realm=(["\']?)([^"\']*)\\2', re.I)
+
+    rx = re.compile('(?:^|,)'   # start of the string or ','
+                    '[ \t]*'    # optional whitespaces
+                    '([^ \t]+)' # scheme like "Basic"
+                    '[ \t]+'    # mandatory whitespaces
+                    # realm=xxx
+                    # realm='xxx'
+                    # realm="xxx"
+                    'realm=(["\']?)([^"\']*)\\2',
+                    re.I)
 
     # XXX could pre-emptively send auth info already accepted (RFC 2617,
     # end of section 2, and section 1.2 immediately after "credentials"