File urllib3-disallow-control-chars-in-http-urls.patch of Package python-urllib3

Overview Repositories Revisions Requests Users Attributes Meta

File urllib3-disallow-control-chars-in-http-urls.patch of Package python-urllib3

Stripped down Backport of:
https://github.com/urllib3/urllib3/pull/1591
(basically just this commit: https://github.com/urllib3/urllib3/pull/1591/commits/c147f359520cab339ec96b3ef96e471c0da261f6)
and
https://github.com/urllib3/urllib3/pull/1593

Index: urllib3-1.16/urllib3/util/url.py
===================================================================
--- urllib3-1.16.orig/urllib3/util/url.py
+++ urllib3-1.16/urllib3/util/url.py
@@ -1,11 +1,15 @@
 from __future__ import absolute_import
 from collections import namedtuple
+import re
 
 from ..exceptions import LocationParseError
+from six.moves.urllib.parse import quote
 
 
 url_attrs = ['scheme', 'auth', 'host', 'port', 'path', 'query', 'fragment']
 
+_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
+
 
 class Url(namedtuple('Url', url_attrs)):
     """
@@ -146,6 +150,10 @@ def parse_url(url):
         # Empty
         return Url()
 
+    # Prevent CVE-2019-9740.
+    # adapted from https://github.com/python/cpython/pull/12755
+    url = _contains_disallowed_url_pchar_re.sub(lambda match: quote(match.group()), url)
+
     scheme = None
     auth = None
     host = None

Places

File urllib3-disallow-control-chars-in-http-urls.patch of Package python-urllib3

Places