- CVE-2023-24329-blank-URL-bypass.patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=96

CVE-2023-24329-blank-URL-bypass.patch

@@ -1,55 +0,0 @@
-From a284d69de1d1a42714576d4a9562145a94e62127 Mon Sep 17 00:00:00 2001
-From: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
-Date: Sat, 12 Nov 2022 15:43:33 -0500
-Subject: [PATCH 1/2] gh-99418: Prevent urllib.parse.urlparse from accepting
- schemes that don't begin with an alphabetical ASCII character.
-
----
- Lib/test/test_urlparse.py                                              |   18 ++++++++++
- Lib/urllib/parse.py                                                    |    2 -
- Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst |    2 +
- 3 files changed, 21 insertions(+), 1 deletion(-)
-
---- a/Lib/test/test_urlparse.py
-+++ b/Lib/test/test_urlparse.py
-@@ -727,6 +727,24 @@ class UrlParseTestCase(unittest.TestCase
-                         with self.assertRaises(ValueError):
-                             p.port
- 
-+    def test_attributes_bad_scheme(self):
-+        """Check handling of invalid schemes."""
-+        for bytes in (False, True):
-+            for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
-+                for scheme in (".", "+", "-", "0", "http&", "६http"):
-+                    with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
-+                        url = scheme + "://www.example.net"
-+                        if bytes:
-+                            if url.isascii():
-+                                url = url.encode("ascii")
-+                            else:
-+                                continue
-+                        p = parse(url)
-+                        if bytes:
-+                            self.assertEqual(p.scheme, b"")
-+                        else:
-+                            self.assertEqual(p.scheme, "")
-+
-     def test_attributes_without_netloc(self):
-         # This example is straight from RFC 3261.  It looks like it
-         # should allow the username, hostname, and port to be filled
---- a/Lib/urllib/parse.py
-+++ b/Lib/urllib/parse.py
-@@ -481,7 +481,7 @@ def urlsplit(url, scheme='', allow_fragm
-         clear_cache()
-     netloc = query = fragment = ''
-     i = url.find(':')
--    if i > 0:
-+    if i > 0 and url[0].isascii() and url[0].isalpha():
-         for c in url[:i]:
-             if c not in scheme_chars:
-                 break
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
-@@ -0,0 +1,2 @@
-+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
-+with a digit, a plus sign, or a minus sign to be parsed incorrectly.

python310.changes

@@ -24,6 +24,7 @@ Wed Jun 28 16:57:46 UTC 2023 - Matej Cepl <mcepl@suse.com>
     dangerous, such as creating files outside the destination
     directory. See Extraction filters for details.
 - Remove upstreamed patches:
+  - CVE-2023-24329-blank-URL-bypass.patch
   - CVE-2007-4559-filter-tarfile_extractall.patch
 
 -------------------------------------------------------------------

python310.spec

@@ -166,10 +166,6 @@ Patch35:        fix_configure_rst.patch
 # PATCH-FIX-UPSTREAM bpo-46811 gh#python/cpython#7da97f61816f mcepl@suse.com
 # NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236
 Patch36:        support-expat-CVE-2022-25236-patched.patch
-# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com
-# blocklist bypass via the urllib.parse component when supplying
-# a URL that starts with blank characters
-Patch37:        CVE-2023-24329-blank-URL-bypass.patch
 # PATCH-FIX-UPSTREAM bpo-37596-make-set-marshalling.patch bsc#1211765 mcepl@suse.com
 # Make `set` and `frozenset` marshalling deterministic
 Patch39:        bpo-37596-make-set-marshalling.patch
@@ -444,7 +440,6 @@ other applications.
 %endif
 %patch35 -p1
 %patch36 -p1
-%patch37 -p1
 %patch39 -p1
 
 # drop Autoconf version requirement