forked from pool/python310
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
bsc#1208471) blocklists bypass via the urllib.parse component when supplying a URL that starts with blank characters OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=76
This commit is contained in:
Git OBS Bridge
parent
a60c90b1d7
commit
602adbc016
55
CVE-2023-24329-blank-URL-bypass.patch
Normal file
55
CVE-2023-24329-blank-URL-bypass.patch
Normal file
@ -0,0 +1,55 @@
|
|||||||
|
From a284d69de1d1a42714576d4a9562145a94e62127 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
|
||||||
|
Date: Sat, 12 Nov 2022 15:43:33 -0500
|
||||||
|
Subject: [PATCH 1/2] gh-99418: Prevent urllib.parse.urlparse from accepting
|
||||||
|
schemes that don't begin with an alphabetical ASCII character.
|
||||||
|
|
||||||
|
---
|
||||||
|
Lib/test/test_urlparse.py | 18 ++++++++++
|
||||||
|
Lib/urllib/parse.py | 2 -
|
||||||
|
Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 +
|
||||||
|
3 files changed, 21 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
--- a/Lib/test/test_urlparse.py
|
||||||
|
+++ b/Lib/test/test_urlparse.py
|
||||||
|
@@ -668,6 +668,24 @@ class UrlParseTestCase(unittest.TestCase
|
||||||
|
with self.assertRaises(ValueError):
|
||||||
|
p.port
|
||||||
|
|
||||||
|
+ def test_attributes_bad_scheme(self):
|
||||||
|
+ """Check handling of invalid schemes."""
|
||||||
|
+ for bytes in (False, True):
|
||||||
|
+ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
|
||||||
|
+ for scheme in (".", "+", "-", "0", "http&", "६http"):
|
||||||
|
+ with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
|
||||||
|
+ url = scheme + "://www.example.net"
|
||||||
|
+ if bytes:
|
||||||
|
+ if url.isascii():
|
||||||
|
+ url = url.encode("ascii")
|
||||||
|
+ else:
|
||||||
|
+ continue
|
||||||
|
+ p = parse(url)
|
||||||
|
+ if bytes:
|
||||||
|
+ self.assertEqual(p.scheme, b"")
|
||||||
|
+ else:
|
||||||
|
+ self.assertEqual(p.scheme, "")
|
||||||
|
+
|
||||||
|
def test_attributes_without_netloc(self):
|
||||||
|
# This example is straight from RFC 3261. It looks like it
|
||||||
|
# should allow the username, hostname, and port to be filled
|
||||||
|
--- a/Lib/urllib/parse.py
|
||||||
|
+++ b/Lib/urllib/parse.py
|
||||||
|
@@ -469,7 +469,7 @@ def urlsplit(url, scheme='', allow_fragm
|
||||||
|
clear_cache()
|
||||||
|
netloc = query = fragment = ''
|
||||||
|
i = url.find(':')
|
||||||
|
- if i > 0:
|
||||||
|
+ if i > 0 and url[0].isascii() and url[0].isalpha():
|
||||||
|
for c in url[:i]:
|
||||||
|
if c not in scheme_chars:
|
||||||
|
break
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
|
||||||
|
@@ -0,0 +1,2 @@
|
||||||
|
+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
|
||||||
|
+with a digit, a plus sign, or a minus sign to be parsed incorrectly.
|
||||||
@ -4,6 +4,9 @@ Wed Mar 1 20:59:04 UTC 2023 - Matej Cepl <mcepl@suse.com>
|
|||||||
- Update to 3.10.10:
|
- Update to 3.10.10:
|
||||||
Bug fixes and regressions handling, no change of behaviour and
|
Bug fixes and regressions handling, no change of behaviour and
|
||||||
no security bugs fixed.
|
no security bugs fixed.
|
||||||
|
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
|
||||||
|
bsc#1208471) blocklists bypass via the urllib.parse component
|
||||||
|
when supplying a URL that starts with blank characters
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Feb 21 11:34:49 UTC 2023 - Matej Cepl <mcepl@suse.com>
|
Tue Feb 21 11:34:49 UTC 2023 - Matej Cepl <mcepl@suse.com>
|
||||||
|
|||||||
@ -166,6 +166,10 @@ Patch35: fix_configure_rst.patch
|
|||||||
# PATCH-FIX-UPSTREAM bpo-46811 gh#python/cpython#7da97f61816f mcepl@suse.com
|
# PATCH-FIX-UPSTREAM bpo-46811 gh#python/cpython#7da97f61816f mcepl@suse.com
|
||||||
# NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236
|
# NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236
|
||||||
Patch36: support-expat-CVE-2022-25236-patched.patch
|
Patch36: support-expat-CVE-2022-25236-patched.patch
|
||||||
|
# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com
|
||||||
|
# blocklist bypass via the urllib.parse component when supplying
|
||||||
|
# a URL that starts with blank characters
|
||||||
|
Patch37: CVE-2023-24329-blank-URL-bypass.patch
|
||||||
BuildRequires: autoconf-archive
|
BuildRequires: autoconf-archive
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: fdupes
|
BuildRequires: fdupes
|
||||||
@ -438,6 +442,7 @@ other applications.
|
|||||||
%endif
|
%endif
|
||||||
%patch35 -p1
|
%patch35 -p1
|
||||||
%patch36 -p1
|
%patch36 -p1
|
||||||
|
%patch37 -p1
|
||||||
|
|
||||||
# drop Autoconf version requirement
|
# drop Autoconf version requirement
|
||||||
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
|
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user