diff --git a/CVE-2023-24329-blank-URL-bypass.patch b/CVE-2023-24329-blank-URL-bypass.patch
deleted file mode 100644
index 23014f1..0000000
--- a/CVE-2023-24329-blank-URL-bypass.patch
+++ /dev/null
@@ -1,55 +0,0 @@ -From a284d69de1d1a42714576d4a9562145a94e62127 Mon Sep 17 00:00:00 2001 -From: Ben Kallus -Date: Sat, 12 Nov 2022 15:43:33 -0500 -Subject: [PATCH 1/2] gh-99418: Prevent urllib.parse.urlparse from accepting - schemes that don't begin with an alphabetical ASCII character. - ---- - Lib/test/test_urlparse.py | 18 ++++++++++ - Lib/urllib/parse.py | 2 - - Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 + - 3 files changed, 21 insertions(+), 1 deletion(-) - ---- a/Lib/test/test_urlparse.py -+++ b/Lib/test/test_urlparse.py -@@ -727,6 +727,24 @@ class UrlParseTestCase(unittest.TestCase - with self.assertRaises(ValueError): - p.port - -+ def test_attributes_bad_scheme(self): -+ """Check handling of invalid schemes.""" -+ for bytes in (False, True): -+ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse): -+ for scheme in (".", "+", "-", "0", "http&", "६http"): -+ with self.subTest(bytes=bytes, parse=parse, scheme=scheme): -+ url = scheme + "://www.example.net" -+ if bytes: -+ if url.isascii(): -+ url = url.encode("ascii") -+ else: -+ continue -+ p = parse(url) -+ if bytes: -+ self.assertEqual(p.scheme, b"") -+ else: -+ self.assertEqual(p.scheme, "") -+ - def test_attributes_without_netloc(self): - # This example is straight from RFC 3261. It looks like it - # should allow the username, hostname, and port to be filled ---- a/Lib/urllib/parse.py -+++ b/Lib/urllib/parse.py -@@ -481,7 +481,7 @@ def urlsplit(url, scheme='', allow_fragm - clear_cache() - netloc = query = fragment = '' - i = url.find(':') -- if i > 0: -+ if i > 0 and url[0].isascii() and url[0].isalpha(): - for c in url[:i]: - if c not in scheme_chars: - break ---- /dev/null -+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst -@@ -0,0 +1,2 @@ -+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin -+with a digit, a plus sign, or a minus sign to be parsed incorrectly. 
diff --git a/python310.changes b/python310.changes
index 113574e..8751936 100644
--- a/python310.changes
+++ b/python310.changes
@@ -24,6 +24,7 @@ Wed Jun 28 16:57:46 UTC 2023 - Matej Cepl
 dangerous, such as creating files outside the destination directory.
 See Extraction filters for details.
 - Remove upstreamed patches:
+ - CVE-2023-24329-blank-URL-bypass.patch
 - CVE-2007-4559-filter-tarfile_extractall.patch
 -------------------------------------------------------------------
diff --git a/python310.spec b/python310.spec
index e8d0f7c..4ff1b07 100644
--- a/python310.spec
+++ b/python310.spec
@@ -166,10 +166,6 @@ Patch35: fix_configure_rst.patch
 # PATCH-FIX-UPSTREAM bpo-46811 gh#python/cpython#7da97f61816f mcepl@suse.com
 # NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236
 Patch36: support-expat-CVE-2022-25236-patched.patch
-# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com
-# blocklist bypass via the urllib.parse component when supplying
-# a URL that starts with blank characters
-Patch37: CVE-2023-24329-blank-URL-bypass.patch
 # PATCH-FIX-UPSTREAM bpo-37596-make-set-marshalling.patch bsc#1211765 mcepl@suse.com
 # Make `set` and `frozenset` marshalling deterministic
 Patch39: bpo-37596-make-set-marshalling.patch
@@ -444,7 +440,6 @@ other applications.
 %endif
 %patch35 -p1
 %patch36 -p1
-%patch37 -p1
 %patch39 -p1
 # drop Autoconf version requirement
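Review bot: Dropping `Patch37:` and `%patch37 -p1` as "upstreamed" is only safe if the tarball this spec now builds actually carries the CVE-2023-24329 fix, and nothing in the spec hunk records which upstream release or commit that is; the deleted patch file is headed `[PATCH 1/2]` of the gh-99418 series, so the local patch covered only the first half of the upstream change (the scheme-must-start-with-alpha check) and the second half, presumably the leading-whitespace handling, needs to be confirmed present as well. Before bsc#1208471 is closed, verify in %check that the packaged Lib/urllib/parse.py rejects a scheme beginning with a blank and that `test_attributes_bad_scheme` from the removed patch passes against the new sources. Since the spec comment that carried the tracker reference disappears with this hunk, I would keep it in the changelog line, e.g. `- CVE-2023-24329-blank-URL-bypass.patch (bsc#1208471, gh#99418, fixed in the updated upstream release)`.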