diff --git a/CVE-2023-24329-blank-URL-bypass.patch b/CVE-2023-24329-blank-URL-bypass.patch new file mode 100644 index 0000000..fba2c16 --- /dev/null +++ b/CVE-2023-24329-blank-URL-bypass.patch @@ -0,0 +1,55 @@ +From a284d69de1d1a42714576d4a9562145a94e62127 Mon Sep 17 00:00:00 2001 +From: Ben Kallus +Date: Sat, 12 Nov 2022 15:43:33 -0500 +Subject: [PATCH 1/2] gh-99418: Prevent urllib.parse.urlparse from accepting + schemes that don't begin with an alphabetical ASCII character. + +--- + Lib/test/test_urlparse.py | 18 ++++++++++ + Lib/urllib/parse.py | 2 - + Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 + + 3 files changed, 21 insertions(+), 1 deletion(-) + +--- a/Lib/test/test_urlparse.py ++++ b/Lib/test/test_urlparse.py +@@ -676,6 +676,24 @@ class UrlParseTestCase(unittest.TestCase + with self.assertRaises(ValueError): + p.port + ++ def test_attributes_bad_scheme(self): ++ """Check handling of invalid schemes.""" ++ for bytes in (False, True): ++ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse): ++ for scheme in (".", "+", "-", "0", "http&", "६http"): ++ with self.subTest(bytes=bytes, parse=parse, scheme=scheme): ++ url = scheme + "://www.example.net" ++ if bytes: ++ if url.isascii(): ++ url = url.encode("ascii") ++ else: ++ continue ++ p = parse(url) ++ if bytes: ++ self.assertEqual(p.scheme, b"") ++ else: ++ self.assertEqual(p.scheme, "") ++ + def test_attributes_without_netloc(self): + # This example is straight from RFC 3261. It looks like it + # should allow the username, hostname, and port to be filled +--- a/Lib/urllib/parse.py ++++ b/Lib/urllib/parse.py +@@ -440,7 +440,7 @@ def urlsplit(url, scheme='', allow_fragm + clear_cache() + netloc = query = fragment = '' + i = url.find(':') +- if i > 0: ++ if i > 0 and url[0].isascii() and url[0].isalpha(): + if url[:i] == 'http': # optimize the common case + url = url[i+1:] + if url[:2] == '//': +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst +@@ -0,0 +1,2 @@ ++Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin ++with a digit, a plus sign, or a minus sign to be parsed incorrectly. diff --git a/python38.changes b/python38.changes index 2ed33c8..4f501c8 100644 --- a/python38.changes +++ b/python38.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Mar 1 14:43:31 UTC 2023 - Matej Cepl + +- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329, + bsc#1208471) blocklists bypass via the urllib.parse component + when supplying a URL that starts with blank characters + ------------------------------------------------------------------- Tue Feb 21 11:34:49 UTC 2023 - Matej Cepl diff --git a/python38.spec b/python38.spec index 347a339..ac69c87 100644 --- a/python38.spec +++ b/python38.spec @@ -176,6 +176,10 @@ Patch37: platlibdir-in-sys.patch # PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mcepl@suse.com # this patch makes things totally awesome Patch38: 98437-sphinx.locale._-as-gettext-in-pyspecific.patch +# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com +# blocklist bypass via the urllib.parse component when supplying +# a URL that starts with blank characters +Patch39: CVE-2023-24329-blank-URL-bypass.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -448,6 +452,7 @@ other applications. %patch36 -p1 %patch37 -p1 %patch38 -p1 +%patch39 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac