mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-02-20 08:29:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

python3: fix CVE-2023-24329 urllib.parse url blocklisting bypass

Browse Source 
(From OE-Core rev: 307f23e066e06793ec60f0cddf8ff1c64c02d834)

Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Vivek Kumbhar
2023-07-13 11:44:25 +05:30
committed by Steve Sakoman
parent 218ca73cab
commit 1adc1600f2
2 changed files with 81 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

80
meta/recipes-devtools/python/python3/CVE-2023-24329.patch Normal file
View File

@@ -0,0 +1,80 @@
From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
<31488909+miss-islington@users.noreply.github.com>
Date: Sun, 13 Nov 2022 11:00:25 -0800
Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme
must begin with an alphabetical ASCII character. (GH-99421)
Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character.
RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`
RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A`
The WHATWG URL spec defines a scheme like this:
`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."`
(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7)
Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com>
Upstream-Status: Backport [https://github.com/python/cpython/commit/72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9]
CVE: CVE-2023-24329
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
---
Lib/test/test_urlparse.py | 18 ++++++++++++++++++
Lib/urllib/parse.py | 2 +-
...22-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 ++
3 files changed, 21 insertions(+), 1 deletion(-)
create mode 100644 Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
index 0ad3bf1..e1aa913 100644
--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -735,6 +735,24 @@ class UrlParseTestCase(unittest.TestCase):
with self.assertRaises(ValueError):
p.port
+ def test_attributes_bad_scheme(self):
+ """Check handling of invalid schemes."""
+ for bytes in (False, True):
+ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
+ for scheme in (".", "+", "-", "0", "http&", "६http"):
+ with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
+ url = scheme + "://www.example.net"
+ if bytes:
+ if url.isascii():
+ url = url.encode("ascii")
+ else:
+ continue
+ p = parse(url)
+ if bytes:
+ self.assertEqual(p.scheme, b"")
+ else:
+ self.assertEqual(p.scheme, "")
+
def test_attributes_without_netloc(self):
# This example is straight from RFC 3261. It looks like it
# should allow the username, hostname, and port to be filled
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
index 979e6d2..2e7a3e2 100644
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -452,7 +452,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
clear_cache()
netloc = query = fragment = ''
i = url.find(':')
- if i > 0:
+ if i > 0 and url[0].isascii() and url[0].isalpha():
if url[:i] == 'http': # optimize the common case
url = url[i+1:]
if url[:2] == '//':
diff --git a/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
new file mode 100644
index 0000000..0a06e7c
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
@@ -0,0 +1,2 @@
+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
+with a digit, a plus sign, or a minus sign to be parsed incorrectly.
--
2.25.1