From 5c19a933c4a9b5749ca504926d225002d0ecf4206b5384ba909993f4802bbc86 Mon Sep 17 00:00:00 2001
From: Matej Cepl
Date: Wed, 9 Feb 2022 17:44:12 +0000
Subject: [PATCH] Actually be py2k compatible
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=314
---
 CVE-2022-0391-urllib_parse-newline-parsing.patch | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/CVE-2022-0391-urllib_parse-newline-parsing.patch b/CVE-2022-0391-urllib_parse-newline-parsing.patch
index 7567862..f695d85 100644
--- a/CVE-2022-0391-urllib_parse-newline-parsing.patch
+++ b/CVE-2022-0391-urllib_parse-newline-parsing.patch
@@ -59,9 +59,9 @@
 +The presence of newline or tab characters in parts of a URL allows for some
 +forms of attacks. Following the WHATWG specification that updates RFC 3986,
 +ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the
-+URL by the parser :func:`urllib.parse` preventing such attacks. The removal
++URL by the parser :func:`urlparse` preventing such attacks. The removal
 +characters are controlled by a new module level variable
-+``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`)
++``urlparse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`)
 +
 Python 3.1 Features
@@ -75,7 +75,7 @@
 + def test_urlsplit_remove_unsafe_bytes(self):
 + # Remove ASCII tabs and newlines from input, for http common case scenario.
 + url = "h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
-+ p = urllib.parse.urlsplit(url)
++ p = urlparse.urlsplit(url)
 + self.assertEqual(p.scheme, "http")
 + self.assertEqual(p.netloc, "www.python.org")
 + self.assertEqual(p.path, "/javascript:alert('msg')/")
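Review bot: With the calls switched to `urlparse.urlsplit`, test_urlsplit_remove_unsafe_bytes now targets Python 2, where the `"..."` literal in this hunk and the `b"..."` literal in the -89,7 hunk are the same `str` type (unless the test module enables `unicode_literals`, which is not visible here). The text and bytes cases, and the matching any-scheme pair in the -103,12 hunk, would then exercise one code path, leaving `unicode` URLs unchecked. Since this test guards the CVE-2022-0391 stripping of tab and newline characters, a unicode case would close that gap, for example `p = urlparse.urlsplit(u"h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/")` followed by `self.assertEqual(p.netloc, u"www.python.org")`. Whether the backported stripping handles unicode input cannot be seen from these hunks, so it is worth confirming rather than assuming. The test method's body continues beyond this hunk.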
@@ -89,7 +89,7 @@
 +
 + # Remove ASCII tabs and newlines from input as bytes, for http common case scenario.
 + url = b"h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
-+ p = urllib.parse.urlsplit(url)
++ p = urlparse.urlsplit(url)
 + self.assertEqual(p.scheme, b"http")
 + self.assertEqual(p.netloc, b"www.python.org")
 + self.assertEqual(p.path, b"/javascript:alert('msg')/")
@@ -103,12 +103,12 @@
 +
 + # any scheme
 + url = "x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
-+ p = urllib.parse.urlsplit(url)
++ p = urlparse.urlsplit(url)
 + self.assertEqual(p.geturl(), "x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment")
 +
 + # Remove ASCII tabs and newlines from input as bytes, any scheme.
 + url = b"x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
-+ p = urllib.parse.urlsplit(url)
++ p = urlparse.urlsplit(url)
 + self.assertEqual(p.geturl(), b"x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment")
 +
 + # Unsafe bytes is not returned from urlparse cache.
@@ -116,7 +116,7 @@
 + url = "https://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
 + scheme = "htt\nps"
 + for _ in range(2):
-+ p = urllib.parse.urlsplit(url, scheme=scheme)
++ p = urlparse.urlsplit(url, scheme=scheme)
 + self.assertEqual(p.scheme, "https")
 + self.assertEqual(p.geturl(), "https://www.python.org/javascript:alert('msg')/?query=something#fragment")
 +
@@ -165,5 +165,5 @@
 +some forms of attacks.
 +
 +Following the controlling specification for URLs defined by WHATWG
-+:func:`urllib.parse` now removes ASCII newlines and tabs from URLs,
++:func:`urlparse` now removes ASCII newlines and tabs from URLs,
 +preventing such attacks.