File urllib3-disallow-control-chars-in-http-urls.patch of Package python-urllib3

Overview Repositories Revisions Requests Users Attributes Meta

File urllib3-disallow-control-chars-in-http-urls.patch of Package python-urllib3

Stripped down Backport of:
https://github.com/urllib3/urllib3/pull/1591
(basically just this commit: https://github.com/urllib3/urllib3/pull/1591/commits/c147f359520cab339ec96b3ef96e471c0da261f6)
and
https://github.com/urllib3/urllib3/pull/1593

Index: urllib3-1.22/urllib3/util/url.py
===================================================================
--- urllib3-1.22.orig/urllib3/util/url.py
+++ urllib3-1.22/urllib3/util/url.py
@@ -1,7 +1,9 @@
 from __future__ import absolute_import
 from collections import namedtuple
+import re
 
 from ..exceptions import LocationParseError
+from six.moves.urllib.parse import quote
 
 
 url_attrs = ['scheme', 'auth', 'host', 'port', 'path', 'query', 'fragment']
@@ -10,6 +12,8 @@ url_attrs = ['scheme', 'auth', 'host', '
 # urllib3 infers URLs without a scheme (None) to be http.
 NORMALIZABLE_SCHEMES = ('http', 'https', None)
 
+_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
+
 
 class Url(namedtuple('Url', url_attrs)):
     """
@@ -155,6 +159,10 @@ def parse_url(url):
         # Empty
         return Url()
 
+    # Prevent CVE-2019-9740.
+    # adapted from https://github.com/python/cpython/pull/12755
+    url = _contains_disallowed_url_pchar_re.sub(lambda match: quote(match.group()), url)
+
     scheme = None
     auth = None
     host = None
Index: urllib3-1.22/test/test_util.py
===================================================================
--- urllib3-1.22.orig/test/test_util.py
+++ urllib3-1.22/test/test_util.py
@@ -199,6 +199,27 @@ class TestUtil(object):
         with pytest.raises(ValueError):
             parse_url('[::1')
 
+    @pytest.mark.parametrize('url, expected_url', [
+        (
+            'http://localhost/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:',
+            Url('http', host='localhost', port=None,
+                path='/%20HTTP/1.1%0D%0AHEADER:%20INJECTED%0D%0AIgnore:')
+        ),
+        (
+            u'http://localhost/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:',
+            Url('http', host='localhost', port=None,
+                path='/%20HTTP/1.1%0D%0AHEADER:%20INJECTED%0D%0AIgnore:')
+        ),
+        (
+            'http://localhost/ ?q=\r\n',
+            Url('http', host='localhost', path='/%20', query='q=%0D%0A')
+        ),
+    ])
+    def test_parse_url_contains_control_characters(self, url, expected_url):
+        # see CVE-2019-9740
+        url = parse_url(url)
+        assert url == expected_url
+
     def test_Url_str(self):
         U = Url('http', host='google.com')
         assert str(U) == U.url

Places

File urllib3-disallow-control-chars-in-http-urls.patch of Package python-urllib3

Places