- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,

bsc#1208471) blocklists bypass via the urllib.parse component when supplying a URL that starts with blank characters OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=343
2023-03-01 22:00:56 +00:00 · 2023-03-01 22:00:56 +00:00 · c21db0430f
commit c21db0430f
parent ea48fe2e7a
3 changed files with 63 additions and 0 deletions
--- a/CVE-2023-24329-blank-URL-bypass.patch
+++ b/CVE-2023-24329-blank-URL-bypass.patch
@ -0,0 +1,51 @@
+---
+ Lib/test/test_urlparse.py                                             |   20 ++++++++++
+ Lib/urlparse.py                                                       |    2 -
+ Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs |    2 +
+ 3 files changed, 23 insertions(+), 1 deletion(-)
+
+--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
+@@ -592,6 +592,26 @@ class UrlParseTestCase(unittest.TestCase
+         self.assertEqual(p.netloc, "www.example.net:foo")
+         self.assertRaises(ValueError, lambda: p.port)
+ 
+    def do_attributes_bad_scheme(self, bytes, parse, scheme):
+        url = scheme + "://www.example.net"
+        if bytes:
+            if url.isascii():
+                url = url.encode("ascii")
+            else:
+                continue
+        p = parse(url)
+        if bytes:
+            self.assertEqual(p.scheme, b"")
+        else:
+            self.assertEqual(p.scheme, "")
+
+    def test_attributes_bad_scheme(self):
+        """Check handling of invalid schemes."""
+        for bytes in (False, True):
+            for parse in (urlparse.urlsplit, urlparse.urlparse):
+                for scheme in (".", "+", "-", "0", "http&", "६http"):
+                    self.do_attributes_bad_scheme(bytes, parse, scheme)
+
+     def test_attributes_without_netloc(self):
+         # This example is straight from RFC 3261.  It looks like it
+         # should allow the username, hostname, and port to be filled
+--- a/Lib/urlparse.py
+++ b/Lib/urlparse.py
+@@ -211,7 +211,7 @@ def urlsplit(url, scheme='', allow_fragm
+         clear_cache()
+     netloc = query = fragment = ''
+     i = url.find(':')
+-    if i > 0:
+    if i > 0 and url[0].isascii() and url[0].isalpha():
+         if url[:i] == 'http': # optimize the common case
+             scheme = url[:i].lower()
+             url = url[i+1:]
+--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs
+@@ -0,0 +1,2 @@
+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
+with a digit, a plus sign, or a minus sign to be parsed incorrectly.
--- a/python-base.changes
+++ b/python-base.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Mar  1 14:43:31 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
+  bsc#1208471) blocklists bypass via the urllib.parse component
+  when supplying a URL that starts with blank characters
+
 -------------------------------------------------------------------
 Fri Jan 27 15:00:21 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>

--- a/python-base.spec
+++ b/python-base.spec
@ -142,6 +142,10 @@ Patch73:        CVE-2022-45061-DoS-by-IDNA-decode.patch
 # PATCH-FIX-UPSTREAM skip_unverified_test.patch mcepl@suse.com
 # switching verification off on the old SLE doesn't work
 Patch74:        skip_unverified_test.patch
+# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com
+# blocklist bypass via the urllib.parse component when supplying
+# a URL that starts with blank characters
+Patch75:        CVE-2023-24329-blank-URL-bypass.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@ -287,6 +291,7 @@ other applications.
 %if 0%{?sle_version} && 0%{?sle_version} < 150000
 %patch74 -p1
 %endif
+%patch75 -p1

 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar