summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch81
-rw-r--r--meta/recipes-devtools/python/python_2.7.16.bb1
2 files changed, 82 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch b/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch
new file mode 100644
index 0000000000..1b6cb8cf3e
--- /dev/null
+++ b/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch
@@ -0,0 +1,81 @@
1From 5a1033fe5be764a135adcfff2fdc14edc3e5f327 Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Thu, 10 Oct 2019 16:32:19 +0800
4Subject: [PATCH] bpo-36742: Fixes handling of pre-normalization characters in
5 urlsplit() bpo-36742: Corrects fix to handle decomposition in usernames
6
7Upstream-Status: Backport
8
9https://github.com/python/cpython/commit/98a4dcefbbc3bce5ab07e7c0830a183157250259
10https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de#diff-b577545d73dd0cdb2c337a4c5f89e1d7
11
12CVE: CVE-2019-10160
13
14Signed-off-by: Changqing Li <changqing.li@windriver.com>
15---
16 Lib/test/test_urlparse.py | 19 +++++++++++++------
17 Lib/urlparse.py | 14 +++++++++-----
18 2 files changed, 22 insertions(+), 11 deletions(-)
19
20diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
21index 1830d0b..857ed96 100644
22--- a/Lib/test/test_urlparse.py
23+++ b/Lib/test/test_urlparse.py
24@@ -641,13 +641,20 @@ class UrlParseTestCase(unittest.TestCase):
25 self.assertIn(u'\u2100', denorm_chars)
26 self.assertIn(u'\uFF03', denorm_chars)
27
28+ # bpo-36742: Verify port separators are ignored when they
29+ # existed prior to decomposition
30+ urlparse.urlsplit(u'http://\u30d5\u309a:80')
31+ with self.assertRaises(ValueError):
32+ urlparse.urlsplit(u'http://\u30d5\u309a\ufe1380')
33+
34 for scheme in [u"http", u"https", u"ftp"]:
35- for c in denorm_chars:
36- url = u"{}://netloc{}false.netloc/path".format(scheme, c)
37- if test_support.verbose:
38- print "Checking %r" % url
39- with self.assertRaises(ValueError):
40- urlparse.urlsplit(url)
41+ for netloc in [u"netloc{}false.netloc", u"n{}user@netloc"]:
42+ for c in denorm_chars:
43+ url = u"{}://{}/path".format(scheme, netloc.format(c))
44+ if test_support.verbose:
45+ print "Checking %r" % url
46+ with self.assertRaises(ValueError):
47+ urlparse.urlsplit(url)
48
49 def test_main():
50 test_support.run_unittest(UrlParseTestCase)
51diff --git a/Lib/urlparse.py b/Lib/urlparse.py
52index 54eda08..e34b368 100644
53--- a/Lib/urlparse.py
54+++ b/Lib/urlparse.py
55@@ -171,14 +171,18 @@ def _checknetloc(netloc):
56 # looking for characters like \u2100 that expand to 'a/c'
57 # IDNA uses NFKC equivalence, so normalize for this check
58 import unicodedata
59- netloc2 = unicodedata.normalize('NFKC', netloc)
60- if netloc == netloc2:
61+ n = netloc.replace(u'@', u'') # ignore characters already included
62+ n = n.replace(u':', u'') # but not the surrounding text
63+ n = n.replace(u'#', u'')
64+ n = n.replace(u'?', u'')
65+
66+ netloc2 = unicodedata.normalize('NFKC', n)
67+ if n == netloc2:
68 return
69- _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
70 for c in '/?#@:':
71 if c in netloc2:
72- raise ValueError("netloc '" + netloc2 + "' contains invalid " +
73- "characters under NFKC normalization")
74+ raise ValueError(u"netloc '" + netloc + u"' contains invalid " +
75+ u"characters under NFKC normalization")
76
77 def urlsplit(url, scheme='', allow_fragments=True):
78 """Parse a URL into 5 components:
79--
802.7.4
81
diff --git a/meta/recipes-devtools/python/python_2.7.16.bb b/meta/recipes-devtools/python/python_2.7.16.bb
index aec877825e..ebb4824cc1 100644
--- a/meta/recipes-devtools/python/python_2.7.16.bb
+++ b/meta/recipes-devtools/python/python_2.7.16.bb
@@ -31,6 +31,7 @@ SRC_URI += " \
31 file://float-endian.patch \ 31 file://float-endian.patch \
32 file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \ 32 file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \
33 file://0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \ 33 file://0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \
34 file://bpo-36742-cve-2019-10160.patch \
34" 35"
35 36
36S = "${WORKDIR}/Python-${PV}" 37S = "${WORKDIR}/Python-${PV}"