From 1bad5b2ebc2f3cb663ce425b9979b4ec4dce27b2 Mon Sep 17 00:00:00 2001
From: shixuantong <shixuantong1@huawei.com>
Date: Thu, 6 Apr 2023 03:30:44 +0000
Subject: [PATCH] fix CVE-2023-24329
---
Lib/test/test_urlparse.py | 7 +++++++
Lib/urllib/parse.py | 2 +-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
|
|
index f42ed9b..b310017 100644
|
|
--- a/Lib/test/test_urlparse.py
|
|
+++ b/Lib/test/test_urlparse.py
|
|
@@ -683,6 +683,13 @@ class UrlParseTestCase(unittest.TestCase):
|
|
else:
|
|
self.assertEqual(p.scheme, "")
|
|
|
|
+ def test_attributes_bad_scheme_CVE_2023_24329(self):
|
|
+ """Check handling of invalid schemes that starts with blank characters."""
|
|
+ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
|
|
+ url = " https://www.example.net"
|
|
+ p = parse(url)
|
|
+ self.assertEqual(p.scheme, "https")
|
|
+
|
|
def test_attributes_without_netloc(self):
|
|
# This example is straight from RFC 3261. It looks like it
|
|
# should allow the username, hostname, and port to be filled
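Review bot: The new test asserts only `p.scheme == "https"` for a single leading space on a str URL, so it would still pass if the rest of the URL were mis-split, and it says nothing about bytes input or other leading characters. I would add `self.assertEqual(p.netloc, "www.example.net")`, loop over several prefixes such as `" "`, `"  "` and `"\x00"`, and include a `b" https://www.example.net"` case expecting `b"https"`, since urlsplit accepts bytes too. If the implementation strips only whitespace the `"\x00"` case will fail, which is the point: the test should pin the WHATWG "C0 control or space" behaviour this CVE is about rather than the current patch. The docstring reads `that starts with`; `that start with` or `beginning with` is correct. The enclosing test class starts outside the hunk.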
|
|
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
|
|
index bd59852..7eb3ad8 100644
|
|
--- a/Lib/urllib/parse.py
|
|
+++ b/Lib/urllib/parse.py
|
|
@@ -454,7 +454,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
|
|
|
|
Note that % escapes are not expanded.
|
|
"""
|
|
-
|
|
+ url = url.lstrip()
|
|
url, scheme, _coerce_result = _coerce_args(url, scheme)
|
|
|
|
for b in _UNSAFE_URL_BYTES_TO_REMOVE:
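Review bot: `url.lstrip()` on the added line strips Python's whitespace set, not the WHATWG "C0 control or space" set (U+0000–U+0020) that the upstream fix for this CVE removes, so a URL such as `"\x01https://www.example.net"` will still come back with an empty scheme if the scheme detection further down is the usual first-character `isalpha()` check (that code is outside the hunk; the hunk only shows `_UNSAFE_URL_BYTES_TO_REMOVE` being applied afterwards). Conversely it strips non-ASCII whitespace such as U+3000 that a WHATWG-conforming parser would treat as an invalid scheme, and the `scheme` argument is not stripped at all. I would move the strip after `_coerce_args` so it runs on the coerced str and write `url = url.lstrip(_WHATWG_C0_CONTROL_OR_SPACE)` and `scheme = scheme.strip(_WHATWG_C0_CONTROL_OR_SPACE)`, with `_WHATWG_C0_CONTROL_OR_SPACE = ''.join(map(chr, range(0x20 + 1)))` defined at module level beside `_UNSAFE_URL_BYTES_TO_REMOVE`. A one-line comment such as `# Only lstrip: callers rely on trailing spaces being preserved (WHATWG would strip both ends)` would record why the right side is left alone. urlsplit's docstring begins and its body continues outside the hunk.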
|
|
--
2.33.0