python310/CVE-2023-24329-blank-URL-bypass.patch

From a284d69de1d1a42714576d4a9562145a94e62127 Mon Sep 17 00:00:00 2001
From: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
Date: Sat, 12 Nov 2022 15:43:33 -0500
Subject: [PATCH 1/2] gh-99418: Prevent urllib.parse.urlparse from accepting
 schemes that don't begin with an alphabetical ASCII character.

---
 Lib/test/test_urlparse.py                                              |   18 ++++++++++
 Lib/urllib/parse.py                                                    |    2 -
 Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst |    2 +
 3 files changed, 21 insertions(+), 1 deletion(-)

--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -668,6 +668,24 @@ class UrlParseTestCase(unittest.TestCase
                         with self.assertRaises(ValueError):
                             p.port
 
+    def test_attributes_bad_scheme(self):
+        """Check handling of invalid schemes."""
+        for bytes in (False, True):
+            for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
+                for scheme in (".", "+", "-", "0", "http&", "६http"):
+                    with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
+                        url = scheme + "://www.example.net"
+                        if bytes:
+                            if url.isascii():
+                                url = url.encode("ascii")
+                            else:
+                                continue
+                        p = parse(url)
+                        if bytes:
+                            self.assertEqual(p.scheme, b"")
+                        else:
+                            self.assertEqual(p.scheme, "")
+
     def test_attributes_without_netloc(self):
         # This example is straight from RFC 3261.  It looks like it
         # should allow the username, hostname, and port to be filled
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -469,7 +469,7 @@ def urlsplit(url, scheme='', allow_fragm
         clear_cache()
     netloc = query = fragment = ''
     i = url.find(':')
-    if i > 0:
+    if i > 0 and url[0].isascii() and url[0].isalpha():
         for c in url[:i]:
             if c not in scheme_chars:
                 break
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
@@ -0,0 +1,2 @@
+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
+with a digit, a plus sign, or a minus sign to be parsed incorrectly.
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329, bsc#1208471) blocklists bypass via the urllib.parse component when supplying a URL that starts with blank characters OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=76 2023-03-01 22:21:46 +01:00			`From a284d69de1d1a42714576d4a9562145a94e62127 Mon Sep 17 00:00:00 2001`
			`From: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>`
			`Date: Sat, 12 Nov 2022 15:43:33 -0500`
			`Subject: [PATCH 1/2] gh-99418: Prevent urllib.parse.urlparse from accepting`
			`schemes that don't begin with an alphabetical ASCII character.`

			`---`
			`Lib/test/test_urlparse.py \| 18 ++++++++++`
			`Lib/urllib/parse.py \| 2 -`
			`Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst \| 2 +`
			`3 files changed, 21 insertions(+), 1 deletion(-)`

			`--- a/Lib/test/test_urlparse.py`
			`+++ b/Lib/test/test_urlparse.py`
			`@@ -668,6 +668,24 @@ class UrlParseTestCase(unittest.TestCase`
			`with self.assertRaises(ValueError):`
			`p.port`

			`+ def test_attributes_bad_scheme(self):`
			`+ """Check handling of invalid schemes."""`
			`+ for bytes in (False, True):`
			`+ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):`
			`+ for scheme in (".", "+", "-", "0", "http&", "६http"):`
			`+ with self.subTest(bytes=bytes, parse=parse, scheme=scheme):`
			`+ url = scheme + "://www.example.net"`
			`+ if bytes:`
			`+ if url.isascii():`
			`+ url = url.encode("ascii")`
			`+ else:`
			`+ continue`
			`+ p = parse(url)`
			`+ if bytes:`
			`+ self.assertEqual(p.scheme, b"")`
			`+ else:`
			`+ self.assertEqual(p.scheme, "")`
			`+`
			`def test_attributes_without_netloc(self):`
			`# This example is straight from RFC 3261. It looks like it`
			`# should allow the username, hostname, and port to be filled`
			`--- a/Lib/urllib/parse.py`
			`+++ b/Lib/urllib/parse.py`
			`@@ -469,7 +469,7 @@ def urlsplit(url, scheme='', allow_fragm`
			`clear_cache()`
			`netloc = query = fragment = ''`
			`i = url.find(':')`
			`- if i > 0:`
			`+ if i > 0 and url[0].isascii() and url[0].isalpha():`
			`for c in url[:i]:`
			`if c not in scheme_chars:`
			`break`
			`--- /dev/null`
			`+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst`
			`@@ -0,0 +1,2 @@`
			+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
			`+with a digit, a plus sign, or a minus sign to be parsed incorrectly.`