48 lines
1.6 KiB
Diff
48 lines
1.6 KiB
Diff
|
From 4f7cc3a38802c2ec54b1168815792b49656f7fa0 Mon Sep 17 00:00:00 2001
|
||
|
|
From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= <mgorny@gentoo.org>
|
||
|
|
Date: Fri, 7 May 2021 10:49:27 +0200
|
||
|
|
Subject: [PATCH] Fix rejecting URLs with unsafe characters in
|
||
|
|
|
||
|
|
---
|
||
|
|
botocore/utils.py | 10 ++++++++++
|
||
|
|
1 file changed, 10 insertions(+)
|
||
|
|
|
||
|
|
diff --git a/botocore/utils.py b/botocore/utils.py
|
||
|
|
index cf61e7a..57f6194 100644
|
||
|
|
--- a/botocore/utils.py
|
||
|
|
+++ b/botocore/utils.py
|
||
|
|
@@ -173,6 +173,10 @@ ZONE_ID_PAT = "(?:%25|%)(?:[" + UNRESERVED_PAT + "]|%[a-fA-F0-9]{2})+"
|
||
|
|
IPV6_ADDRZ_PAT = r"\[" + IPV6_PAT + r"(?:" + ZONE_ID_PAT + r")?\]"
|
||
|
|
IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT + "$")
|
||
|
|
|
||
|
|
+# These are the characters that are stripped by post-bpo-43882 urlparse().
|
||
|
|
+UNSAFE_URL_CHARS = frozenset('\t\r\n')
|
||
|
|
+
|
||
|
|
+
|
||
|
|
def ensure_boolean(val):
|
||
|
|
"""Ensures a boolean value if a string or boolean is provided
|
||
|
|
|
||
|
|
@@ -977,6 +981,8 @@ class ArgumentGenerator(object):
|
||
|
|
|
||
|
|
|
||
|
|
def is_valid_ipv6_endpoint_url(endpoint_url):
|
||
|
|
+ if UNSAFE_URL_CHARS.intersection(endpoint_url):
|
||
|
|
+ return False
|
||
|
|
netloc = urlparse(endpoint_url).netloc
|
||
|
|
return IPV6_ADDRZ_RE.match(netloc) is not None
|
||
|
|
|
||
|
|
@@ -990,6 +996,10 @@ def is_valid_endpoint_url(endpoint_url):
|
||
|
|
:return: True if the endpoint url is valid. False otherwise.
|
||
|
|
|
||
|
|
"""
|
||
|
|
+ # post-bpo-43882 urlsplit() strips unsafe characters from URL, causing
|
||
|
|
+ # it to pass hostname validation below. Detect them early to fix that.
|
||
|
|
+ if UNSAFE_URL_CHARS.intersection(endpoint_url):
|
||
|
|
+ return False
|
||
|
|
parts = urlsplit(endpoint_url)
|
||
|
|
hostname = parts.hostname
|
||
|
|
if hostname is None:
|
||
|
|
--
|
||
|
|
2.27.0
|
||
|
|
|