- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,

bsc#1208471) blocklists bypass via the urllib.parse component
  when supplying a URL that starts with blank characters

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=343

CVE-2023-24329-blank-URL-bypass.patch

@@ -0,0 +1,51 @@
+---
+ Lib/test/test_urlparse.py                                             |   20 ++++++++++
+ Lib/urlparse.py                                                       |    2 -
+ Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs |    2 +
+ 3 files changed, 23 insertions(+), 1 deletion(-)
+
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -592,6 +592,26 @@ class UrlParseTestCase(unittest.TestCase
+         self.assertEqual(p.netloc, "www.example.net:foo")
+         self.assertRaises(ValueError, lambda: p.port)
+ 
++    def do_attributes_bad_scheme(self, bytes, parse, scheme):
++        url = scheme + "://www.example.net"
++        if bytes:
++            if url.isascii():
++                url = url.encode("ascii")
++            else:
++                continue
++        p = parse(url)
++        if bytes:
++            self.assertEqual(p.scheme, b"")
++        else:
++            self.assertEqual(p.scheme, "")
++
++    def test_attributes_bad_scheme(self):
++        """Check handling of invalid schemes."""
++        for bytes in (False, True):
++            for parse in (urlparse.urlsplit, urlparse.urlparse):
++                for scheme in (".", "+", "-", "0", "http&", "६http"):
++                    self.do_attributes_bad_scheme(bytes, parse, scheme)
++
+     def test_attributes_without_netloc(self):
+         # This example is straight from RFC 3261.  It looks like it
+         # should allow the username, hostname, and port to be filled
+--- a/Lib/urlparse.py
++++ b/Lib/urlparse.py
+@@ -211,7 +211,7 @@ def urlsplit(url, scheme='', allow_fragm
+         clear_cache()
+     netloc = query = fragment = ''
+     i = url.find(':')
+-    if i > 0:
++    if i > 0 and url[0].isascii() and url[0].isalpha():
+         if url[:i] == 'http': # optimize the common case
+             scheme = url[:i].lower()
+             url = url[i+1:]
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs
+@@ -0,0 +1,2 @@
++Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
++with a digit, a plus sign, or a minus sign to be parsed incorrectly.

python-base.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Mar  1 14:43:31 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
+  bsc#1208471) blocklists bypass via the urllib.parse component
+  when supplying a URL that starts with blank characters
+
 -------------------------------------------------------------------
 Fri Jan 27 15:00:21 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
 

python-base.spec

@@ -142,6 +142,10 @@ Patch73:        CVE-2022-45061-DoS-by-IDNA-decode.patch
 # PATCH-FIX-UPSTREAM skip_unverified_test.patch mcepl@suse.com
 # switching verification off on the old SLE doesn't work
 Patch74:        skip_unverified_test.patch
+# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com
+# blocklist bypass via the urllib.parse component when supplying
+# a URL that starts with blank characters
+Patch75:        CVE-2023-24329-blank-URL-bypass.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@@ -287,6 +291,7 @@ other applications.
 %if 0%{?sle_version} && 0%{?sle_version} < 150000
 %patch74 -p1
 %endif
+%patch75 -p1
 
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar