fix CVE-2023-24329
This commit is contained in:
sxt1001
parent
4f47d0f7cc
commit
e6194c931a
@ -0,0 +1,73 @@
|
|||||||
|
From 439b9cfaf43080e91c4ad69f312f21fa098befc7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ben Kallus <49924171+kenballus@users.noreply.github.com>
|
||||||
|
Date: Sun, 13 Nov 2022 18:25:55 +0000
|
||||||
|
Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme
|
||||||
|
must begin with an alphabetical ASCII character. (#99421)
|
||||||
|
|
||||||
|
Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character.
|
||||||
|
|
||||||
|
RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`
|
||||||
|
RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A`
|
||||||
|
|
||||||
|
The WHATWG URL spec defines a scheme like this:
|
||||||
|
`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."`
|
||||||
|
---
|
||||||
|
Lib/test/test_urlparse.py | 18 ++++++++++++++++++
|
||||||
|
Lib/urllib/parse.py | 2 +-
|
||||||
|
...22-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 ++
|
||||||
|
3 files changed, 21 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
|
||||||
|
|
||||||
|
diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
|
||||||
|
index 31943f3..f42ed9b 100644
|
||||||
|
--- a/Lib/test/test_urlparse.py
|
||||||
|
+++ b/Lib/test/test_urlparse.py
|
||||||
|
@@ -665,6 +665,24 @@ class UrlParseTestCase(unittest.TestCase):
|
||||||
|
with self.assertRaises(ValueError):
|
||||||
|
p.port
|
||||||
|
|
||||||
|
+ def test_attributes_bad_scheme(self):
|
||||||
|
+ """Check handling of invalid schemes."""
|
||||||
|
+ for bytes in (False, True):
|
||||||
|
+ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
|
||||||
|
+ for scheme in (".", "+", "-", "0", "http&", "६http"):
|
||||||
|
+ with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
|
||||||
|
+ url = scheme + "://www.example.net"
|
||||||
|
+ if bytes:
|
||||||
|
+ if url.isascii():
|
||||||
|
+ url = url.encode("ascii")
|
||||||
|
+ else:
|
||||||
|
+ continue
|
||||||
|
+ p = parse(url)
|
||||||
|
+ if bytes:
|
||||||
|
+ self.assertEqual(p.scheme, b"")
|
||||||
|
+ else:
|
||||||
|
+ self.assertEqual(p.scheme, "")
|
||||||
|
+
|
||||||
|
def test_attributes_without_netloc(self):
|
||||||
|
# This example is straight from RFC 3261. It looks like it
|
||||||
|
# should allow the username, hostname, and port to be filled
|
||||||
|
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
|
||||||
|
index b7965fe..bd59852 100644
|
||||||
|
--- a/Lib/urllib/parse.py
|
||||||
|
+++ b/Lib/urllib/parse.py
|
||||||
|
@@ -470,7 +470,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
|
||||||
|
clear_cache()
|
||||||
|
netloc = query = fragment = ''
|
||||||
|
i = url.find(':')
|
||||||
|
- if i > 0:
|
||||||
|
+ if i > 0 and url[0].isascii() and url[0].isalpha():
|
||||||
|
for c in url[:i]:
|
||||||
|
if c not in scheme_chars:
|
||||||
|
break
|
||||||
|
diff --git a/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..0a06e7c
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
|
||||||
|
@@ -0,0 +1,2 @@
|
||||||
|
+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
|
||||||
|
+with a digit, a plus sign, or a minus sign to be parsed incorrectly.
|
||||||
|
--
|
||||||
|
2.33.0
|
||||||
|
|
||||||
44
fix-CVE-2023-24329.patch
Normal file
44
fix-CVE-2023-24329.patch
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
From 1bad5b2ebc2f3cb663ce425b9979b4ec4dce27b2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: shixuantong <shixuantong1@huawei.com>
|
||||||
|
Date: Thu, 6 Apr 2023 03:30:44 +0000
|
||||||
|
Subject: [PATCH] fix CVE-2023-24329
|
||||||
|
|
||||||
|
---
|
||||||
|
Lib/test/test_urlparse.py | 7 +++++++
|
||||||
|
Lib/urllib/parse.py | 2 +-
|
||||||
|
2 files changed, 8 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
|
||||||
|
index f42ed9b..b310017 100644
|
||||||
|
--- a/Lib/test/test_urlparse.py
|
||||||
|
+++ b/Lib/test/test_urlparse.py
|
||||||
|
@@ -683,6 +683,13 @@ class UrlParseTestCase(unittest.TestCase):
|
||||||
|
else:
|
||||||
|
self.assertEqual(p.scheme, "")
|
||||||
|
|
||||||
|
+ def test_attributes_bad_scheme_CVE_2023_24329(self):
|
||||||
|
+ """Check handling of invalid schemes that starts with blank characters."""
|
||||||
|
+ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
|
||||||
|
+ url = " https://www.example.net"
|
||||||
|
+ p = parse(url)
|
||||||
|
+ self.assertEqual(p.scheme, "https")
|
||||||
|
+
|
||||||
|
def test_attributes_without_netloc(self):
|
||||||
|
# This example is straight from RFC 3261. It looks like it
|
||||||
|
# should allow the username, hostname, and port to be filled
|
||||||
|
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
|
||||||
|
index bd59852..7eb3ad8 100644
|
||||||
|
--- a/Lib/urllib/parse.py
|
||||||
|
+++ b/Lib/urllib/parse.py
|
||||||
|
@@ -454,7 +454,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
|
||||||
|
|
||||||
|
Note that % escapes are not expanded.
|
||||||
|
"""
|
||||||
|
-
|
||||||
|
+ url = url.lstrip()
|
||||||
|
url, scheme, _coerce_result = _coerce_args(url, scheme)
|
||||||
|
|
||||||
|
for b in _UNSAFE_URL_BYTES_TO_REMOVE:
|
||||||
|
--
|
||||||
|
2.33.0
|
||||||
|
|
||||||
12
python3.spec
12
python3.spec
@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
|
|||||||
URL: https://www.python.org/
|
URL: https://www.python.org/
|
||||||
|
|
||||||
Version: 3.10.9
|
Version: 3.10.9
|
||||||
Release: 2
|
Release: 3
|
||||||
License: Python-2.0
|
License: Python-2.0
|
||||||
|
|
||||||
%global branchversion 3.10
|
%global branchversion 3.10
|
||||||
@ -87,8 +87,10 @@ Source1: pyconfig.h
|
|||||||
|
|
||||||
Patch1: 00001-rpath.patch
|
Patch1: 00001-rpath.patch
|
||||||
Patch251: 00251-change-user-install-location.patch
|
Patch251: 00251-change-user-install-location.patch
|
||||||
|
Patch6000: backport-Make-urllib.parse.urlparse-enforce-that-a-scheme-mus.patch
|
||||||
|
|
||||||
Patch9000: add-the-sm3-method-for-obtaining-the-salt-value.patch
|
Patch9000: add-the-sm3-method-for-obtaining-the-salt-value.patch
|
||||||
|
Patch9001: fix-CVE-2023-24329.patch
|
||||||
|
|
||||||
Provides: python%{branchversion} = %{version}-%{release}
|
Provides: python%{branchversion} = %{version}-%{release}
|
||||||
Provides: python(abi) = %{branchversion}
|
Provides: python(abi) = %{branchversion}
|
||||||
@ -182,8 +184,10 @@ rm configure pyconfig.h.in
|
|||||||
|
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch251 -p1
|
%patch251 -p1
|
||||||
|
%patch6000 -p1
|
||||||
|
|
||||||
%patch9000 -p1
|
%patch9000 -p1
|
||||||
|
%patch9001 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
autoconf
|
autoconf
|
||||||
@ -800,6 +804,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
|
|||||||
%{_mandir}/*/*
|
%{_mandir}/*/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Apr 06 2023 shixuantong <shixuantong1@huawei.com> - 3.10.9-3
|
||||||
|
- Type:CVE
|
||||||
|
- CVE:CVE-2023-24329
|
||||||
|
- SUG:NA
|
||||||
|
- DESC:fix CVE-2023-24329
|
||||||
|
|
||||||
* Mon Mar 13 2023 Chenxi Mao <chenxi.mao@suse.com> - 3.10.9-2
|
* Mon Mar 13 2023 Chenxi Mao <chenxi.mao@suse.com> - 3.10.9-2
|
||||||
- Type:enhancement
|
- Type:enhancement
|
||||||
- CVE:NA
|
- CVE:NA
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user