forked from pool/python310
Matej Cepl
402f3ae924
- gh-103142: The version of OpenSSL used in Windows and
Mac installers has been upgraded to 1.1.1u to address
CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464,
as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303
fixed previously in 1.1.1t (gh-101727).
- gh-102153: urllib.parse.urlsplit() now strips leading C0
control and space characters following the specification for
URLs defined by WHATWG in response to CVE-2023-24329.
- gh-99889: Fixed a security in flaw in uu.decode() that could
allow for directory traversal based on the input if no
out_file was specified.
- gh-104049: Do not expose the local on-disk
location in directory indexes produced by
http.client.SimpleHTTPRequestHandler.
- gh-103935: trace.__main__ now uses io.open_code() for files
to be executed instead of raw open().
- gh-102953: The extraction methods in tarfile, and
shutil.unpack_archive(), have a new filter argument that
allows limiting tar features than may be surprising or
dangerous, such as creating files outside the destination
directory. See Extraction filters for details.
- Remove upstreamed patches:
- CVE-2007-4559-filter-tarfile_extractall.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python310?expand=0&rev=95
56 lines
2.4 KiB
Diff
56 lines
2.4 KiB
Diff
From a284d69de1d1a42714576d4a9562145a94e62127 Mon Sep 17 00:00:00 2001
|
|
From: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
|
|
Date: Sat, 12 Nov 2022 15:43:33 -0500
|
|
Subject: [PATCH 1/2] gh-99418: Prevent urllib.parse.urlparse from accepting
|
|
schemes that don't begin with an alphabetical ASCII character.
|
|
|
|
---
|
|
Lib/test/test_urlparse.py | 18 ++++++++++
|
|
Lib/urllib/parse.py | 2 -
|
|
Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 +
|
|
3 files changed, 21 insertions(+), 1 deletion(-)
|
|
|
|
--- a/Lib/test/test_urlparse.py
|
|
+++ b/Lib/test/test_urlparse.py
|
|
@@ -727,6 +727,24 @@ class UrlParseTestCase(unittest.TestCase
|
|
with self.assertRaises(ValueError):
|
|
p.port
|
|
|
|
+ def test_attributes_bad_scheme(self):
|
|
+ """Check handling of invalid schemes."""
|
|
+ for bytes in (False, True):
|
|
+ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
|
|
+ for scheme in (".", "+", "-", "0", "http&", "६http"):
|
|
+ with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
|
|
+ url = scheme + "://www.example.net"
|
|
+ if bytes:
|
|
+ if url.isascii():
|
|
+ url = url.encode("ascii")
|
|
+ else:
|
|
+ continue
|
|
+ p = parse(url)
|
|
+ if bytes:
|
|
+ self.assertEqual(p.scheme, b"")
|
|
+ else:
|
|
+ self.assertEqual(p.scheme, "")
|
|
+
|
|
def test_attributes_without_netloc(self):
|
|
# This example is straight from RFC 3261. It looks like it
|
|
# should allow the username, hostname, and port to be filled
|
|
--- a/Lib/urllib/parse.py
|
|
+++ b/Lib/urllib/parse.py
|
|
@@ -481,7 +481,7 @@ def urlsplit(url, scheme='', allow_fragm
|
|
clear_cache()
|
|
netloc = query = fragment = ''
|
|
i = url.find(':')
|
|
- if i > 0:
|
|
+ if i > 0 and url[0].isascii() and url[0].isalpha():
|
|
for c in url[:i]:
|
|
if c not in scheme_chars:
|
|
break
|
|
--- /dev/null
|
|
+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
|
|
@@ -0,0 +1,2 @@
|
|
+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
|
|
+with a digit, a plus sign, or a minus sign to be parsed incorrectly.
|