From 602adbc0164714bb31ca14efbff203a0c8056389e3b8eb059c4521fce7f2970e Mon Sep 17 00:00:00 2001
From: Matej Cepl <mcepl@suse.com>
Date: Wed, 1 Mar 2023 21:21:46 +0000
Subject: [PATCH] - Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329, 
  bsc#1208471) blocklists bypass via the urllib.parse component   when
 supplying a URL that starts with blank characters

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=76
---
 CVE-2023-24329-blank-URL-bypass.patch | 55 +++++++++++++++++++++++++++
 python310.changes                     |  3 ++
 python310.spec                        |  5 +++
 3 files changed, 63 insertions(+)
 create mode 100644 CVE-2023-24329-blank-URL-bypass.patch

diff --git a/CVE-2023-24329-blank-URL-bypass.patch b/CVE-2023-24329-blank-URL-bypass.patch
new file mode 100644
index 0000000..d88dcfe
--- /dev/null
+++ b/CVE-2023-24329-blank-URL-bypass.patch
@@ -0,0 +1,55 @@
+From a284d69de1d1a42714576d4a9562145a94e62127 Mon Sep 17 00:00:00 2001
+From: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
+Date: Sat, 12 Nov 2022 15:43:33 -0500
+Subject: [PATCH 1/2] gh-99418: Prevent urllib.parse.urlparse from accepting
+ schemes that don't begin with an alphabetical ASCII character.
+
+---
+ Lib/test/test_urlparse.py                                              |   18 ++++++++++
+ Lib/urllib/parse.py                                                    |    2 -
+ Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst |    2 +
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -668,6 +668,24 @@ class UrlParseTestCase(unittest.TestCase
+                         with self.assertRaises(ValueError):
+                             p.port
+ 
++    def test_attributes_bad_scheme(self):
++        """Check handling of invalid schemes."""
++        for bytes in (False, True):
++            for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
++                for scheme in (".", "+", "-", "0", "http&", "६http"):
++                    with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
++                        url = scheme + "://www.example.net"
++                        if bytes:
++                            if url.isascii():
++                                url = url.encode("ascii")
++                            else:
++                                continue
++                        p = parse(url)
++                        if bytes:
++                            self.assertEqual(p.scheme, b"")
++                        else:
++                            self.assertEqual(p.scheme, "")
++
+     def test_attributes_without_netloc(self):
+         # This example is straight from RFC 3261.  It looks like it
+         # should allow the username, hostname, and port to be filled
+--- a/Lib/urllib/parse.py
++++ b/Lib/urllib/parse.py
+@@ -469,7 +469,7 @@ def urlsplit(url, scheme='', allow_fragm
+         clear_cache()
+     netloc = query = fragment = ''
+     i = url.find(':')
+-    if i > 0:
++    if i > 0 and url[0].isascii() and url[0].isalpha():
+         for c in url[:i]:
+             if c not in scheme_chars:
+                 break
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+@@ -0,0 +1,2 @@
++Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
++with a digit, a plus sign, or a minus sign to be parsed incorrectly.
diff --git a/python310.changes b/python310.changes
index 8ec8421..d1b3655 100644
--- a/python310.changes
+++ b/python310.changes
@@ -4,6 +4,9 @@ Wed Mar  1 20:59:04 UTC 2023 - Matej Cepl <mcepl@suse.com>
 - Update to 3.10.10:
   Bug fixes and regressions handling, no change of behaviour and
   no security bugs fixed.
+- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
+  bsc#1208471) blocklists bypass via the urllib.parse component
+  when supplying a URL that starts with blank characters
 
 -------------------------------------------------------------------
 Tue Feb 21 11:34:49 UTC 2023 - Matej Cepl <mcepl@suse.com>
diff --git a/python310.spec b/python310.spec
index 024c3c0..7efabd2 100644
--- a/python310.spec
+++ b/python310.spec
@@ -166,6 +166,10 @@ Patch35:        fix_configure_rst.patch
 # PATCH-FIX-UPSTREAM bpo-46811 gh#python/cpython#7da97f61816f mcepl@suse.com
 # NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236
 Patch36:        support-expat-CVE-2022-25236-patched.patch
+# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com
+# blocklist bypass via the urllib.parse component when supplying
+# a URL that starts with blank characters
+Patch37:        CVE-2023-24329-blank-URL-bypass.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
@@ -438,6 +442,7 @@ other applications.
 %endif
 %patch35 -p1
 %patch36 -p1
+%patch37 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac