Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:Update
python3-base.26680
CVE-2019-10160-netloc-port-regression.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2019-10160-netloc-port-regression.patch of Package python3-base.26680
From 8d0ef0b5edeae52960c7ed05ae8a12388324f87e Mon Sep 17 00:00:00 2001 From: Steve Dower <steve.dower@python.org> Date: Tue, 4 Jun 2019 08:55:30 -0700 Subject: [PATCH] bpo-36742: Corrects fix to handle decomposition in usernames (#13812) --- Lib/test/test_urlparse.py | 11 ++++++----- Lib/urllib/parse.py | 14 +++++++++----- 2 files changed, 15 insertions(+), 10 deletions(-) --- a/Lib/test/test_urlparse.py +++ b/Lib/test/test_urlparse.py @@ -886,11 +886,12 @@ class UrlParseTestCase(unittest.TestCase self.assertIn('\uFF03', denorm_chars) for scheme in ["http", "https", "ftp"]: - for c in denorm_chars: - url = "{}://netloc{}false.netloc/path".format(scheme, c) - with self.subTest(url=url, char='{:04X}'.format(ord(c))): - with self.assertRaises(ValueError): - urllib.parse.urlsplit(url) + for netloc in ["netloc{}false.netloc", "n{}user@netloc"]: + for c in denorm_chars: + url = "{}://{}/path".format(scheme, netloc.format(c)) + with self.subTest(url=url, char='{:04X}'.format(ord(c))): + with self.assertRaises(ValueError): + urllib.parse.urlsplit(url) class Utility_Tests(unittest.TestCase): """Testcase to test the various utility functions in the urllib.""" --- a/Lib/urllib/parse.py +++ b/Lib/urllib/parse.py @@ -74,6 +74,7 @@ def clear_cache(): _parse_cache.clear() _safe_quoters.clear() +isascii = lambda s: len(s) == len(s.encode()) # Helpers for bytes handling # For 3.2, we deliberately require applications that @@ -317,18 +318,21 @@ def _splitnetloc(url, start=0): return url[start:delim], url[delim:] # return (domain, rest) def _checknetloc(netloc): - if not netloc or not any(ord(c) > 127 for c in netloc): + if not netloc or isascii(netloc): return # looking for characters like \u2100 that expand to 'a/c' # IDNA uses NFKC equivalence, so normalize for this check import unicodedata - netloc2 = unicodedata.normalize('NFKC', netloc) - if netloc == netloc2: + n = netloc.replace('@', '') # ignore characters already included + n = n.replace(':', '') # but not the surrounding text + n = n.replace('#', '') + n = n.replace('?', '') + netloc2 = unicodedata.normalize('NFKC', n) + if n == netloc2: return - _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay for c in '/?#@:': if c in netloc2: - raise ValueError("netloc '" + netloc2 + "' contains invalid " + + raise ValueError("netloc '" + netloc + "' contains invalid " + "characters under NFKC normalization") def urlsplit(url, scheme='', allow_fragments=True):
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor