packages/python3
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-24329

Browse Source
This commit is contained in:
sxt1001 2023-04-06 14:19:22 +08:00
parent 4f47d0f7cc
commit e6194c931a
3 changed files with 128 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
backport-Make-urllib.parse.urlparse-enforce-that-a-scheme-mus.patch Normal file
View File

@ -0,0 +1,73 @@
From 439b9cfaf43080e91c4ad69f312f21fa098befc7 Mon Sep 17 00:00:00 2001
From: Ben Kallus <49924171+kenballus@users.noreply.github.com>
Date: Sun, 13 Nov 2022 18:25:55 +0000
Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme
must begin with an alphabetical ASCII character. (#99421)
Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character.
RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`
RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A`
The WHATWG URL spec defines a scheme like this:
`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."`
---
Lib/test/test_urlparse.py | 18 ++++++++++++++++++
Lib/urllib/parse.py | 2 +-
...22-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 ++
3 files changed, 21 insertions(+), 1 deletion(-)
create mode 100644 Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
index 31943f3..f42ed9b 100644
--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -665,6 +665,24 @@ class UrlParseTestCase(unittest.TestCase):
with self.assertRaises(ValueError):
p.port
+ def test_attributes_bad_scheme(self):
+ """Check handling of invalid schemes."""
+ for bytes in (False, True):
+ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
+ for scheme in (".", "+", "-", "0", "http&", "६http"):
+ with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
+ url = scheme + "://www.example.net"
+ if bytes:
+ if url.isascii():
+ url = url.encode("ascii")
+ else:
+ continue
+ p = parse(url)
+ if bytes:
+ self.assertEqual(p.scheme, b"")
+ else:
+ self.assertEqual(p.scheme, "")
+
def test_attributes_without_netloc(self):
# This example is straight from RFC 3261. It looks like it
# should allow the username, hostname, and port to be filled
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
index b7965fe..bd59852 100644
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -470,7 +470,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
clear_cache()
netloc = query = fragment = ''
i = url.find(':')
- if i > 0:
+ if i > 0 and url[0].isascii() and url[0].isalpha():
for c in url[:i]:
if c not in scheme_chars:
break
diff --git a/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
new file mode 100644
index 0000000..0a06e7c
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
@@ -0,0 +1,2 @@
+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
+with a digit, a plus sign, or a minus sign to be parsed incorrectly.
--
2.33.0

44
fix-CVE-2023-24329.patch Normal file
View File

@ -0,0 +1,44 @@
From 1bad5b2ebc2f3cb663ce425b9979b4ec4dce27b2 Mon Sep 17 00:00:00 2001
From: shixuantong <shixuantong1@huawei.com>
Date: Thu, 6 Apr 2023 03:30:44 +0000
Subject: [PATCH] fix CVE-2023-24329
---
Lib/test/test_urlparse.py | 7 +++++++
Lib/urllib/parse.py | 2 +-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
index f42ed9b..b310017 100644
--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -683,6 +683,13 @@ class UrlParseTestCase(unittest.TestCase):
else:
self.assertEqual(p.scheme, "")
+ def test_attributes_bad_scheme_CVE_2023_24329(self):
+ """Check handling of invalid schemes that starts with blank characters."""
+ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
+ url = " https://www.example.net"
+ p = parse(url)
+ self.assertEqual(p.scheme, "https")
+
def test_attributes_without_netloc(self):
# This example is straight from RFC 3261. It looks like it
# should allow the username, hostname, and port to be filled
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
index bd59852..7eb3ad8 100644
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -454,7 +454,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
Note that % escapes are not expanded.
"""
-
+ url = url.lstrip()
url, scheme, _coerce_result = _coerce_args(url, scheme)
for b in _UNSAFE_URL_BYTES_TO_REMOVE:
--
2.33.0

12
python3.spec
View File

@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
URL: https://www.python.org/
Version: 3.10.9
Release: 2
Release: 3
License: Python-2.0
%global branchversion 3.10
@ -87,8 +87,10 @@ Source1: pyconfig.h
Patch1: 00001-rpath.patch
Patch251: 00251-change-user-install-location.patch
Patch6000: backport-Make-urllib.parse.urlparse-enforce-that-a-scheme-mus.patch
Patch9000: add-the-sm3-method-for-obtaining-the-salt-value.patch
Patch9001: fix-CVE-2023-24329.patch
Provides: python%{branchversion} = %{version}-%{release}
Provides: python(abi) = %{branchversion}
@ -182,8 +184,10 @@ rm configure pyconfig.h.in
%patch1 -p1
%patch251 -p1
%patch6000 -p1
%patch9000 -p1
%patch9001 -p1
%build
autoconf
@ -800,6 +804,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
%{_mandir}/*/*
%changelog
* Thu Apr 06 2023 shixuantong <shixuantong1@huawei.com> - 3.10.9-3
- Type:CVE
- CVE:CVE-2023-24329
- SUG:NA
- DESC:fix CVE-2023-24329
* Mon Mar 13 2023 Chenxi Mao <chenxi.mao@suse.com> - 3.10.9-2
- Type:enhancement
- CVE:NA