File CVE-2019-10160-netloc-port-regression.patch of Package python-doc.12557
--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -642,12 +642,12 @@ class UrlParseTestCase(unittest.TestCase
self.assertIn(u'\uFF03', denorm_chars)
for scheme in [u"http", u"https", u"ftp"]:
- for c in denorm_chars:
- url = u"{}://netloc{}false.netloc/path".format(scheme, c)
- if test_support.verbose:
- print "Checking %r" % url
- with self.assertRaises(ValueError):
- urlparse.urlsplit(url)
+ for netloc in [u"netloc{0}false.netloc", u"n{0}user@netloc"]:
+ for c in denorm_chars:
+ url = u"{0}://{1}/path".format(scheme, netloc.format(c))
+ if test_support.verbose:
+ print("Checking %r" % url)
+ self.assertRaises(ValueError, urlparse.urlsplit, url)
def test_main():
test_support.run_unittest(UrlParseTestCase)
--- a/Lib/urlparse.py
+++ b/Lib/urlparse.py
@@ -171,13 +171,16 @@ def _checknetloc(netloc):
# looking for characters like \u2100 that expand to 'a/c'
# IDNA uses NFKC equivalence, so normalize for this check
import unicodedata
- netloc2 = unicodedata.normalize('NFKC', netloc)
- if netloc == netloc2:
+ n = netloc.replace('@', '') # ignore characters already included
+ n = n.replace(':', '') # but not the surrounding text
+ n = n.replace('#', '')
+ n = n.replace('?', '')
+ netloc2 = unicodedata.normalize('NFKC', n)
+ if n == netloc2:
return
- _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
for c in '/?#@:':
if c in netloc2:
- raise ValueError("netloc '" + netloc2 + "' contains invalid " +
+ raise ValueError("netloc '" + netloc + "' contains invalid " +
"characters under NFKC normalization")
def urlsplit(url, scheme='', allow_fragments=True):