From e29abdcb897525667c61e9aa00b4593e4232869cd7cdc77e69e223ddd0dfe100 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Wed, 9 Feb 2022 16:52:05 +0000 Subject: [PATCH] - Add CVE-2022-0391-urllib_parse-newline-parsing.patch (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs containing ASCII newline and tabs in urlparse. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=312 --- ...22-0391-urllib_parse-newline-parsing.patch | 169 ++++++++++++++++++ python-base.changes | 7 + python-base.spec | 5 + 3 files changed, 181 insertions(+) create mode 100644 CVE-2022-0391-urllib_parse-newline-parsing.patch diff --git a/CVE-2022-0391-urllib_parse-newline-parsing.patch b/CVE-2022-0391-urllib_parse-newline-parsing.patch new file mode 100644 index 0000000..7567862 --- /dev/null +++ b/CVE-2022-0391-urllib_parse-newline-parsing.patch @@ -0,0 +1,169 @@ +--- + Doc/library/urlparse.rst | 14 ++ + Doc/whatsnew/2.7.rst | 7 + + Lib/test/test_urlparse.py | 49 ++++++++++ + Lib/urlparse.py | 12 ++ + Misc/NEWS.d/next/Security/2021-04-25-07-46-37.bpo-43882.Jpwx85.rst | 6 + + 5 files changed, 88 insertions(+) + +--- a/Doc/library/urlparse.rst ++++ b/Doc/library/urlparse.rst +@@ -248,6 +248,10 @@ The :mod:`urlparse` module defines the f + decomposed before parsing, or is not a Unicode string, no error will be + raised. + ++ Following the `WHATWG spec`_ that updates RFC 3986, ASCII ++ newline ``\n``, ``\r`` and tab ``\t`` characters are stripped ++ from the URL. ++ + .. versionadded:: 2.2 + + .. versionchanged:: 2.5 +@@ -257,6 +261,10 @@ The :mod:`urlparse` module defines the f + Characters that affect netloc parsing under NFKC normalization will + now raise :exc:`ValueError`. + ++ .. versionchanged:: 3.6.14 ++ ASCII newline and tab characters are stripped from the URL. ++ ++.. _WHATWG spec: https://url.spec.whatwg.org/#concept-basic-url-parser + + .. function:: urlunsplit(parts) + +@@ -308,6 +316,11 @@ The :mod:`urlparse` module defines the f + + .. seealso:: + ++ `WHATWG`_ - URL Living standard ++ Working Group for the URL Standard that defines URLs, ++ domains, IP addresses, the application/x-www-form-urlencoded format, ++ and their API. ++ + :rfc:`3986` - Uniform Resource Identifiers + This is the current standard (STD66). Any changes to urlparse module + should conform to this. Certain deviations could be observed, which are +@@ -332,6 +345,7 @@ The :mod:`urlparse` module defines the f + :rfc:`1738` - Uniform Resource Locators (URL) + This specifies the formal syntax and semantics of absolute URLs. + ++.. _WHATWG: https://url.spec.whatwg.org/ + + .. _urlparse-result-object: + +--- a/Doc/whatsnew/2.7.rst ++++ b/Doc/whatsnew/2.7.rst +@@ -175,6 +175,13 @@ channel. We reuse the ftp server IP add + requiring the old behavior, set a ``trust_server_pasv_ipv4_address`` + attribute on your FTP instance to ``True``. (See :issue:`43285`) + ++The presence of newline or tab characters in parts of a URL allows for some ++forms of attacks. Following the WHATWG specification that updates RFC 3986, ++ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the ++URL by the parser :func:`urllib.parse` preventing such attacks. The removal ++characters are controlled by a new module level variable ++``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`) ++ + + Python 3.1 Features + ======================= +--- a/Lib/test/test_urlparse.py ++++ b/Lib/test/test_urlparse.py +@@ -492,6 +492,55 @@ class UrlParseTestCase(unittest.TestCase + p = urlparse.urlsplit(url) + self.assertEqual(p.port, None) + ++ def test_urlsplit_remove_unsafe_bytes(self): ++ # Remove ASCII tabs and newlines from input, for http common case scenario. ++ url = "h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment" ++ p = urllib.parse.urlsplit(url) ++ self.assertEqual(p.scheme, "http") ++ self.assertEqual(p.netloc, "www.python.org") ++ self.assertEqual(p.path, "/javascript:alert('msg')/") ++ self.assertEqual(p.query, "query=something") ++ self.assertEqual(p.fragment, "fragment") ++ self.assertEqual(p.username, None) ++ self.assertEqual(p.password, None) ++ self.assertEqual(p.hostname, "www.python.org") ++ self.assertEqual(p.port, None) ++ self.assertEqual(p.geturl(), "http://www.python.org/javascript:alert('msg')/?query=something#fragment") ++ ++ # Remove ASCII tabs and newlines from input as bytes, for http common case scenario. ++ url = b"h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment" ++ p = urllib.parse.urlsplit(url) ++ self.assertEqual(p.scheme, b"http") ++ self.assertEqual(p.netloc, b"www.python.org") ++ self.assertEqual(p.path, b"/javascript:alert('msg')/") ++ self.assertEqual(p.query, b"query=something") ++ self.assertEqual(p.fragment, b"fragment") ++ self.assertEqual(p.username, None) ++ self.assertEqual(p.password, None) ++ self.assertEqual(p.hostname, b"www.python.org") ++ self.assertEqual(p.port, None) ++ self.assertEqual(p.geturl(), b"http://www.python.org/javascript:alert('msg')/?query=something#fragment") ++ ++ # any scheme ++ url = "x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment" ++ p = urllib.parse.urlsplit(url) ++ self.assertEqual(p.geturl(), "x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment") ++ ++ # Remove ASCII tabs and newlines from input as bytes, any scheme. ++ url = b"x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment" ++ p = urllib.parse.urlsplit(url) ++ self.assertEqual(p.geturl(), b"x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment") ++ ++ # Unsafe bytes is not returned from urlparse cache. ++ # scheme is stored after parsing, sending an scheme with unsafe bytes *will not* return an unsafe scheme ++ url = "https://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment" ++ scheme = "htt\nps" ++ for _ in range(2): ++ p = urllib.parse.urlsplit(url, scheme=scheme) ++ self.assertEqual(p.scheme, "https") ++ self.assertEqual(p.geturl(), "https://www.python.org/javascript:alert('msg')/?query=something#fragment") ++ ++ + def test_issue14072(self): + p1 = urlparse.urlsplit('tel:+31-641044153') + self.assertEqual(p1.scheme, 'tel') +--- a/Lib/urlparse.py ++++ b/Lib/urlparse.py +@@ -62,6 +62,9 @@ scheme_chars = ('abcdefghijklmnopqrstuvw + '0123456789' + '+-.') + ++# Unsafe bytes to be removed per WHATWG spec ++_UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r', '\n'] ++ + MAX_CACHE_SIZE = 20 + _parse_cache = {} + +@@ -184,12 +187,21 @@ def _checknetloc(netloc): + "under NFKC normalization" + % netloc) + ++ ++def _remove_unsafe_bytes_from_url(url): ++ for b in _UNSAFE_URL_BYTES_TO_REMOVE: ++ url = url.replace(b, "") ++ return url ++ ++ + def urlsplit(url, scheme='', allow_fragments=True): + """Parse a URL into 5 components: + :///?# + Return a 5-tuple: (scheme, netloc, path, query, fragment). + Note that we don't break the components up in smaller bits + (e.g. netloc is a single string) and we don't expand % escapes.""" ++ url = _remove_unsafe_bytes_from_url(url) ++ scheme = _remove_unsafe_bytes_from_url(scheme) + allow_fragments = bool(allow_fragments) + key = url, scheme, allow_fragments, type(url), type(scheme) + cached = _parse_cache.get(key, None) +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2021-04-25-07-46-37.bpo-43882.Jpwx85.rst +@@ -0,0 +1,6 @@ ++The presence of newline or tab characters in parts of a URL could allow ++some forms of attacks. ++ ++Following the controlling specification for URLs defined by WHATWG ++:func:`urllib.parse` now removes ASCII newlines and tabs from URLs, ++preventing such attacks. diff --git a/python-base.changes b/python-base.changes index d46c8e7..144c344 100644 --- a/python-base.changes +++ b/python-base.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Feb 9 16:49:52 UTC 2022 - Matej Cepl + +- Add CVE-2022-0391-urllib_parse-newline-parsing.patch + (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs + containing ASCII newline and tabs in urlparse. + ------------------------------------------------------------------- Sun Feb 6 07:43:11 UTC 2022 - Matej Cepl diff --git a/python-base.spec b/python-base.spec index df4b118..66c1a33 100644 --- a/python-base.spec +++ b/python-base.spec @@ -125,6 +125,10 @@ Patch67: CVE-2020-26116-httplib-header-injection.patch # PATCH-FIX-UPSTREAM CVE-2021-4189-ftplib-trust-PASV-resp.patch bsc#1194146 mcepl@suse.com # Make ftplib not trust the PASV response. (gh#python/cpython#24838) Patch68: CVE-2021-4189-ftplib-trust-PASV-resp.patch +# PATCH-FIX-UPSTREAM CVE-2022-0391-urllib_parse-newline-parsing.patch bsc#1195396 mcepl@suse.com +# whole long discussion is on bpo#43882 +# fix for santization URLs containing ASCII newline and tabs in urllib.parse +Patch69: CVE-2022-0391-urllib_parse-newline-parsing.patch # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake @@ -260,6 +264,7 @@ other applications. %patch66 -p1 %patch67 -p1 %patch68 -p1 +%patch69 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar