rpm/python38
SHA256
1
0
Fork 0
forked from pool/python38
Code Pull Requests Activity

- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,

Browse Source 
bsc#1208471) blocklists bypass via the urllib.parse component
  when supplying a URL that starts with blank characters

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=123
This commit is contained in:
Matej Cepl 2023-03-01 21:37:15 +00:00 committed by Git OBS Bridge
parent 93dd73b453
commit 193496d5b0
3 changed files with 67 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
CVE-2023-24329-blank-URL-bypass.patch Normal file
View File

@ -0,0 +1,55 @@
From a284d69de1d1a42714576d4a9562145a94e62127 Mon Sep 17 00:00:00 2001
From: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
Date: Sat, 12 Nov 2022 15:43:33 -0500
Subject: [PATCH 1/2] gh-99418: Prevent urllib.parse.urlparse from accepting
schemes that don't begin with an alphabetical ASCII character.
---
Lib/test/test_urlparse.py | 18 ++++++++++
Lib/urllib/parse.py | 2 -
Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 +
3 files changed, 21 insertions(+), 1 deletion(-)
--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -676,6 +676,24 @@ class UrlParseTestCase(unittest.TestCase
with self.assertRaises(ValueError):
p.port
+ def test_attributes_bad_scheme(self):
+ """Check handling of invalid schemes."""
+ for bytes in (False, True):
+ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
+ for scheme in (".", "+", "-", "0", "http&", "६http"):
+ with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
+ url = scheme + "://www.example.net"
+ if bytes:
+ if url.isascii():
+ url = url.encode("ascii")
+ else:
+ continue
+ p = parse(url)
+ if bytes:
+ self.assertEqual(p.scheme, b"")
+ else:
+ self.assertEqual(p.scheme, "")
+
def test_attributes_without_netloc(self):
# This example is straight from RFC 3261. It looks like it
# should allow the username, hostname, and port to be filled
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -440,7 +440,7 @@ def urlsplit(url, scheme='', allow_fragm
clear_cache()
netloc = query = fragment = ''
i = url.find(':')
- if i > 0:
+ if i > 0 and url[0].isascii() and url[0].isalpha():
if url[:i] == 'http': # optimize the common case
url = url[i+1:]
if url[:2] == '//':
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
@@ -0,0 +1,2 @@
+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
+with a digit, a plus sign, or a minus sign to be parsed incorrectly.

7
python38.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed Mar 1 14:43:31 UTC 2023 - Matej Cepl <mcepl@suse.com>
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
bsc#1208471) blocklists bypass via the urllib.parse component
when supplying a URL that starts with blank characters
-------------------------------------------------------------------
Tue Feb 21 11:34:49 UTC 2023 - Matej Cepl <mcepl@suse.com>

5
python38.spec
View File

@ -176,6 +176,10 @@ Patch37: platlibdir-in-sys.patch
# PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mcepl@suse.com
# this patch makes things totally awesome
Patch38: 98437-sphinx.locale._-as-gettext-in-pyspecific.patch
# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com
# blocklist bypass via the urllib.parse component when supplying
# a URL that starts with blank characters
Patch39: CVE-2023-24329-blank-URL-bypass.patch
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: fdupes
@ -448,6 +452,7 @@ other applications.
%patch36 -p1
%patch37 -p1
%patch38 -p1
%patch39 -p1
# drop Autoconf version requirement
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac