File CVE-2019-10160-netloc-port-regression.patch of Package python3-base
From 8d0ef0b5edeae52960c7ed05ae8a12388324f87e Mon Sep 17 00:00:00 2001
From: Steve Dower <steve.dower@python.org>
Date: Tue, 4 Jun 2019 08:55:30 -0700
Subject: [PATCH] bpo-36742: Corrects fix to handle decomposition in usernames
(#13812)
---
Lib/test/test_urlparse.py | 11 ++++++-----
Lib/urllib/parse.py | 14 +++++++++-----
2 files changed, 15 insertions(+), 10 deletions(-)
--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -886,11 +886,12 @@ class UrlParseTestCase(unittest.TestCase
self.assertIn('\uFF03', denorm_chars)
for scheme in ["http", "https", "ftp"]:
- for c in denorm_chars:
- url = "{}://netloc{}false.netloc/path".format(scheme, c)
- with self.subTest(url=url, char='{:04X}'.format(ord(c))):
- with self.assertRaises(ValueError):
- urllib.parse.urlsplit(url)
+ for netloc in ["netloc{}false.netloc", "n{}user@netloc"]:
+ for c in denorm_chars:
+ url = "{}://{}/path".format(scheme, netloc.format(c))
+ with self.subTest(url=url, char='{:04X}'.format(ord(c))):
+ with self.assertRaises(ValueError):
+ urllib.parse.urlsplit(url)
class Utility_Tests(unittest.TestCase):
"""Testcase to test the various utility functions in the urllib."""
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -74,6 +74,7 @@ def clear_cache():
_parse_cache.clear()
_safe_quoters.clear()
+isascii = lambda s: len(s) == len(s.encode())
# Helpers for bytes handling
# For 3.2, we deliberately require applications that
@@ -317,18 +318,21 @@ def _splitnetloc(url, start=0):
return url[start:delim], url[delim:] # return (domain, rest)
def _checknetloc(netloc):
- if not netloc or not any(ord(c) > 127 for c in netloc):
+ if not netloc or isascii(netloc):
return
# looking for characters like \u2100 that expand to 'a/c'
# IDNA uses NFKC equivalence, so normalize for this check
import unicodedata
- netloc2 = unicodedata.normalize('NFKC', netloc)
- if netloc == netloc2:
+ n = netloc.replace('@', '') # ignore characters already included
+ n = n.replace(':', '') # but not the surrounding text
+ n = n.replace('#', '')
+ n = n.replace('?', '')
+ netloc2 = unicodedata.normalize('NFKC', n)
+ if n == netloc2:
return
- _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
for c in '/?#@:':
if c in netloc2:
- raise ValueError("netloc '" + netloc2 + "' contains invalid " +
+ raise ValueError("netloc '" + netloc + "' contains invalid " +
"characters under NFKC normalization")
def urlsplit(url, scheme='', allow_fragments=True):