File CVE-2023-24329-blank-URL-bypass.patch of Package python-base
85
1
---
2
Lib/test/test_urlparse.py | 21 ++++++++++
3
Lib/urlparse.py | 9 +++-
4
Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs | 2
5
3 files changed, 30 insertions(+), 2 deletions(-)
6
7
Index: Python-2.7.18/Lib/test/test_urlparse.py
8
===================================================================
9
--- Python-2.7.18.orig/Lib/test/test_urlparse.py
10
+++ Python-2.7.18/Lib/test/test_urlparse.py
11
12
from test import test_support
13
+from urlparse import isascii
14
import sys
15
import unicodedata
16
import unittest
17
18
self.assertEqual(p.netloc, "www.example.net:foo")
19
self.assertRaises(ValueError, lambda: p.port)
20
21
+ def do_attributes_bad_scheme(self, bytes, parse, scheme):
22
+ url = scheme + "://www.example.net"
23
+ if bytes:
24
+ if isascii(url):
25
+ url = url.encode("ascii")
26
+ else:
27
+ return
28
+ p = parse(url)
29
+ if bytes:
30
+ self.assertEqual(p.scheme, b"")
31
+ else:
32
+ self.assertEqual(p.scheme, "")
33
+
34
+ def test_attributes_bad_scheme(self):
35
+ """Check handling of invalid schemes."""
36
+ for bytes in (False, True):
37
+ for parse in (urlparse.urlsplit, urlparse.urlparse):
38
+ for scheme in (".", "+", "-", "0", "http&"):
39
+ self.do_attributes_bad_scheme(bytes, parse, scheme)
40
+
41
def test_attributes_without_netloc(self):
42
# This example is straight from RFC 3261. It looks like it
43
# should allow the username, hostname, and port to be filled
44
Index: Python-2.7.18/Lib/urlparse.py
45
===================================================================
46
--- Python-2.7.18.orig/Lib/urlparse.py
47
+++ Python-2.7.18/Lib/urlparse.py
48
49
import re
50
51
__all__ = ["urlparse", "urlunparse", "urljoin", "urldefrag",
52
- "urlsplit", "urlunsplit", "parse_qs", "parse_qsl"]
53
+ "urlsplit", "urlunsplit", "parse_qs", "parse_qsl",
54
+ "isascii"]
55
56
# A classification of schemes ('' means apply by default)
57
uses_relative = ['ftp', 'http', 'gopher', 'nntp', 'imap',
58
59
MAX_CACHE_SIZE = 20
60
_parse_cache = {}
61
62
+# Py3k shim
63
+def isascii(word):
64
+ return all([ord(c) < 128 for c in word])
65
+
66
def clear_cache():
67
"""Clear the parse cache."""
68
_parse_cache.clear()
69
70
clear_cache()
71
netloc = query = fragment = ''
72
i = url.find(':')
73
- if i > 0:
74
+ if i > 0 and isascii(url[0]) and url[0].isalpha():
75
if url[:i] == 'http': # optimize the common case
76
scheme = url[:i].lower()
77
url = url[i+1:]
78
Index: Python-2.7.18/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs
79
===================================================================
80
--- /dev/null
81
+++ Python-2.7.18/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs
82
83
+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
84
+with a digit, a plus sign, or a minus sign to be parsed incorrectly.
85