diff --git a/CVE-2025-0938-sq-brackets-domain-names.patch b/CVE-2025-0938-sq-brackets-domain-names.patch new file mode 100644 index 0000000..fd7a90a --- /dev/null +++ b/CVE-2025-0938-sq-brackets-domain-names.patch @@ -0,0 +1,127 @@ +From d91e2c740890837edafaee24d68112b776cda9c5 Mon Sep 17 00:00:00 2001 +From: Seth Michael Larson +Date: Fri, 31 Jan 2025 11:41:34 -0600 +Subject: [PATCH] gh-105704: Disallow square brackets (`[` and `]`) in domain + names for parsed URLs (GH-129418) + +* gh-105704: Disallow square brackets ( and ) in domain names for parsed URLs + +* Use Sphinx references + +Co-authored-by: Peter Bierma + +* Add mismatched bracket test cases, fix news format + +* Add more test coverage for ports + +--------- + +(cherry picked from commit d89a5f6a6e65511a5f6e0618c4c30a7aa5aba56a) + +Co-authored-by: Seth Michael Larson +Co-authored-by: Peter Bierma +--- + Lib/test/test_urlparse.py | 37 +++++++++- + Lib/urllib/parse.py | 20 ++++- + Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst | 4 + + 3 files changed, 58 insertions(+), 3 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst + +--- a/Lib/test/test_urlparse.py ++++ b/Lib/test/test_urlparse.py +@@ -1146,16 +1146,51 @@ class UrlParseTestCase(unittest.TestCase + self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af::2309::fae7:1234]/Path?Query') + self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af:2309::fae7:1234:2342:438e:192.0.2.146]/Path?Query') + self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@]v6a.ip[/Path') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]/') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix/') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]?') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix?') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]/') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix/') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]?') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix?') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a1') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a1') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:1a') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:1a') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:/') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:?') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@prefix.[v6a.ip]') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@[v6a.ip].suffix') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip]') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip[') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip].suffix') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip[suffix') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[suffix') + + def test_splitting_bracketed_hosts(self): +- p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]/path?query') ++ p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]:1234/path?query') + self.assertEqual(p1.hostname, 'v6a.ip') + self.assertEqual(p1.username, 'user') + self.assertEqual(p1.path, '/path') ++ self.assertEqual(p1.port, 1234) + p2 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7%test]/path?query') + self.assertEqual(p2.hostname, '0439:23af:2309::fae7%test') + self.assertEqual(p2.username, 'user') + self.assertEqual(p2.path, '/path') ++ self.assertIs(p2.port, None) + p3 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7:1234:192.0.2.146%test]/path?query') + self.assertEqual(p3.hostname, '0439:23af:2309::fae7:1234:192.0.2.146%test') + self.assertEqual(p3.username, 'user') +--- a/Lib/urllib/parse.py ++++ b/Lib/urllib/parse.py +@@ -443,6 +443,23 @@ def _checknetloc(netloc): + raise ValueError("netloc '" + netloc + "' contains invalid " + + "characters under NFKC normalization") + ++def _check_bracketed_netloc(netloc): ++ # Note that this function must mirror the splitting ++ # done in NetlocResultMixins._hostinfo(). ++ hostname_and_port = netloc.rpartition('@')[2] ++ before_bracket, have_open_br, bracketed = hostname_and_port.partition('[') ++ if have_open_br: ++ # No data is allowed before a bracket. ++ if before_bracket: ++ raise ValueError("Invalid IPv6 URL") ++ hostname, _, port = bracketed.partition(']') ++ # No data is allowed after the bracket but before the port delimiter. ++ if port and not port.startswith(":"): ++ raise ValueError("Invalid IPv6 URL") ++ else: ++ hostname, _, port = hostname_and_port.partition(':') ++ _check_bracketed_host(hostname) ++ + # Valid bracketed hosts are defined in + # https://www.rfc-editor.org/rfc/rfc3986#page-49 and https://url.spec.whatwg.org/ + def _check_bracketed_host(hostname): +@@ -506,8 +523,7 @@ def urlsplit(url, scheme='', allow_fragm + (']' in netloc and '[' not in netloc)): + raise ValueError("Invalid IPv6 URL") + if '[' in netloc and ']' in netloc: +- bracketed_host = netloc.partition('[')[2].partition(']')[0] +- _check_bracketed_host(bracketed_host) ++ _check_bracketed_netloc(netloc) + if allow_fragments and '#' in url: + url, fragment = url.split('#', 1) + if '?' in url: +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst +@@ -0,0 +1,4 @@ ++When using :func:`urllib.parse.urlsplit` and :func:`urllib.parse.urlparse` host ++parsing would not reject domain names containing square brackets (``[`` and ++``]``). Square brackets are only valid for IPv6 and IPvFuture hosts according to ++`RFC 3986 Section 3.2.2 `__. diff --git a/python39.changes b/python39.changes index 4e045e0..e1d10ba 100644 --- a/python39.changes +++ b/python39.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Feb 4 14:43:13 UTC 2025 - Matej Cepl + +- Add CVE-2025-0938-sq-brackets-domain-names.patch which + disallows square brackets ([ and ]) in domain names for parsed + URLs (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704) + ------------------------------------------------------------------- Wed Dec 4 19:51:41 UTC 2024 - Matej Cepl diff --git a/python39.spec b/python39.spec index b734a65..00d651b 100644 --- a/python39.spec +++ b/python39.spec @@ -1,7 +1,7 @@ # # spec file for package python39 # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -194,6 +194,9 @@ Patch50: gh120226-fix-sendfile-test-kernel-610.patch # PATCH-FIX-UPSTREAM sphinx-802.patch mcepl@suse.com # status_iterator method moved between the Sphinx versions Patch51: sphinx-802.patch +# PATCH-FIX-UPSTREAM CVE-2025-0938-sq-brackets-domain-names.patch bsc#1236705 mcepl@suse.com +# functions `urllib.parse.urlsplit` and `urlparse` accept domain names including square brackets +Patch52: CVE-2025-0938-sq-brackets-domain-names.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -433,39 +436,40 @@ other applications. %prep %setup -q -n %{tarname} -%patch -P 02 -p1 -%patch -P 06 -p1 -%patch -P 07 -p1 -%patch -P 08 -p1 -%patch -P 09 -p1 -%patch -P 15 -p1 -%patch -P 25 -p1 -%patch -P 29 -p1 -%patch -P 32 -p1 +%patch -p1 -P 02 +%patch -p1 -P 06 +%patch -p1 -P 07 +%patch -p1 -P 08 +%patch -p1 -P 09 +%patch -p1 -P 15 +%patch -p1 -P 25 +%patch -p1 -P 29 +%patch -p1 -P 32 %if 0%{?sle_version} -%patch -P 33 -p1 -%patch -P 34 -p1 +%patch -p1 -P 33 +%patch -p1 -P 34 %endif %if %{with mpdecimal} -%patch -P 35 -p1 +%patch -p1 -P 35 %endif -%patch -P 40 -p1 -%patch -P 41 -p1 -%patch -P 42 -p1 -%patch -P 43 -p1 -%patch -P 44 -p1 -%patch -P 45 -p1 +%patch -p1 -P 40 +%patch -p1 -P 41 +%patch -p1 -P 42 +%patch -p1 -P 43 +%patch -p1 -P 44 +%patch -p1 -P 45 %if 0%{?sle_version} && 0%{?sle_version} <= 150500 %patch -p1 -P 46 %endif -%patch -P 47 -p1 -%patch -P 48 -p1 -%patch -P 50 -p1 -%patch -P 51 -p1 +%patch -p1 -P 47 +%patch -p1 -P 48 +%patch -p1 -P 50 +%patch -p1 -P 51 +%patch -p1 -P 52 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac