File CVE-2023-24329-blank-URL-bypass.patch of Package python3.36158
From 378a07b49ffbdc91d3e27552af683740c40056c9 Mon Sep 17 00:00:00 2001
From: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
Date: Sat, 12 Nov 2022 15:43:33 -0500
Subject: [PATCH] [CVE-2023-24329] blocklist bypass via the urllib.parse
component
Blocklist bypass via the urllib.parse component when supplying a
URL starting with non-alphabetic characters.
Code is from gh#python/cpython!99421, it was released in 3.11.1.
Fixes: bsc#1208471
Fixes: gh#99418
Patch: CVE-2023-24329-blank-URL-bypass.patch
---
Lib/test/test_urlparse.py | 18 ++++++++++++++++++
Lib/urllib/parse.py | 7 ++++++-
...22-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 ++
3 files changed, 26 insertions(+), 1 deletion(-)
create mode 100644 Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
index 3509278a016..f010522e5f8 100644
--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -676,6 +676,24 @@ class UrlParseTestCase(unittest.TestCase):
with self.assertRaises(ValueError):
p.port
+ def test_attributes_bad_scheme(self):
+ """Check handling of invalid schemes."""
+ for bytes in (False, True):
+ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
+ for scheme in (".", "+", "-", "0", "http&", "६http"):
+ with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
+ url = scheme + "://www.example.net"
+ if bytes:
+ if urllib.parse.isascii(url):
+ url = url.encode("ascii")
+ else:
+ continue
+ p = parse(url)
+ if bytes:
+ self.assertEqual(p.scheme, b"")
+ else:
+ self.assertEqual(p.scheme, "")
+
def test_attributes_without_netloc(self):
# This example is straight from RFC 3261. It looks like it
# should allow the username, hostname, and port to be filled
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
index ac6e7a9cee0..101a7b87989 100644
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -35,6 +35,7 @@ __all__ = ["urlparse", "urlunparse", "urljoin", "urldefrag",
"urlsplit", "urlunsplit", "urlencode", "parse_qs",
"parse_qsl", "quote", "quote_plus", "quote_from_bytes",
"unquote", "unquote_plus", "unquote_to_bytes",
+ "isascii",
"DefragResult", "ParseResult", "SplitResult",
"DefragResultBytes", "ParseResultBytes", "SplitResultBytes"]
@@ -79,6 +80,10 @@ scheme_chars = ('abcdefghijklmnopqrstuvwxyz'
# Unsafe bytes to be removed per WHATWG spec
_UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r', '\n']
+# Python >= 3.7 shim
+def isascii(word):
+ return all([ord(c) < 128 for c in word])
+
# XXX: Consider replacing with functools.lru_cache
MAX_CACHE_SIZE = 20
_parse_cache = {}
@@ -435,7 +440,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
clear_cache()
netloc = query = fragment = ''
i = url.find(':')
- if i > 0:
+ if i > 0 and isascii(url[0]) and url[0].isalpha():
if url[:i] == 'http': # optimize the common case
scheme = url[:i].lower()
url = url[i+1:]
diff --git a/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
new file mode 100644
index 00000000000..0a06e7c5c6a
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
@@ -0,0 +1,2 @@
+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
+with a digit, a plus sign, or a minus sign to be parsed incorrectly.
--
2.45.0
