Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15-SP2
python3
CVE-2023-24329-blank-URL-bypass.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2023-24329-blank-URL-bypass.patch of Package python3
From 378a07b49ffbdc91d3e27552af683740c40056c9 Mon Sep 17 00:00:00 2001 From: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu> Date: Sat, 12 Nov 2022 15:43:33 -0500 Subject: [PATCH] [CVE-2023-24329] blocklist bypass via the urllib.parse component Blocklist bypass via the urllib.parse component when supplying a URL starting with non-alphabetic characters. Code is from gh#python/cpython!99421, it was released in 3.11.1. Fixes: bsc#1208471 Fixes: gh#99418 Patch: CVE-2023-24329-blank-URL-bypass.patch --- Lib/test/test_urlparse.py | 18 ++++++++++++++++++ Lib/urllib/parse.py | 7 ++++++- ...22-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 ++ 3 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py index 3509278a016..f010522e5f8 100644 --- a/Lib/test/test_urlparse.py +++ b/Lib/test/test_urlparse.py @@ -676,6 +676,24 @@ class UrlParseTestCase(unittest.TestCase): with self.assertRaises(ValueError): p.port + def test_attributes_bad_scheme(self): + """Check handling of invalid schemes.""" + for bytes in (False, True): + for parse in (urllib.parse.urlsplit, urllib.parse.urlparse): + for scheme in (".", "+", "-", "0", "http&", "६http"): + with self.subTest(bytes=bytes, parse=parse, scheme=scheme): + url = scheme + "://www.example.net" + if bytes: + if urllib.parse.isascii(url): + url = url.encode("ascii") + else: + continue + p = parse(url) + if bytes: + self.assertEqual(p.scheme, b"") + else: + self.assertEqual(p.scheme, "") + def test_attributes_without_netloc(self): # This example is straight from RFC 3261. It looks like it # should allow the username, hostname, and port to be filled diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py index ac6e7a9cee0..101a7b87989 100644 --- a/Lib/urllib/parse.py +++ b/Lib/urllib/parse.py @@ -35,6 +35,7 @@ __all__ = ["urlparse", "urlunparse", "urljoin", "urldefrag", "urlsplit", "urlunsplit", "urlencode", "parse_qs", "parse_qsl", "quote", "quote_plus", "quote_from_bytes", "unquote", "unquote_plus", "unquote_to_bytes", + "isascii", "DefragResult", "ParseResult", "SplitResult", "DefragResultBytes", "ParseResultBytes", "SplitResultBytes"] @@ -79,6 +80,10 @@ scheme_chars = ('abcdefghijklmnopqrstuvwxyz' # Unsafe bytes to be removed per WHATWG spec _UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r', '\n'] +# Python >= 3.7 shim +def isascii(word): + return all([ord(c) < 128 for c in word]) + # XXX: Consider replacing with functools.lru_cache MAX_CACHE_SIZE = 20 _parse_cache = {} @@ -435,7 +440,7 @@ def urlsplit(url, scheme='', allow_fragments=True): clear_cache() netloc = query = fragment = '' i = url.find(':') - if i > 0: + if i > 0 and isascii(url[0]) and url[0].isalpha(): if url[:i] == 'http': # optimize the common case scheme = url[:i].lower() url = url[i+1:] diff --git a/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst new file mode 100644 index 00000000000..0a06e7c5c6a --- /dev/null +++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst @@ -0,0 +1,2 @@ +Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin +with a digit, a plus sign, or a minus sign to be parsed incorrectly. -- 2.45.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor