diff options
Diffstat (limited to 'meta/recipes-devtools/python/python3/CVE-2019-9636.patch')
-rw-r--r-- | meta/recipes-devtools/python/python3/CVE-2019-9636.patch | 154 |
1 files changed, 154 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3/CVE-2019-9636.patch b/meta/recipes-devtools/python/python3/CVE-2019-9636.patch new file mode 100644 index 0000000000..ce8eb666cf --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2019-9636.patch | |||
@@ -0,0 +1,154 @@ | |||
1 | From b0305339567b64e07df87620e97e4cb99332aef6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Steve Dower <steve.dower@microsoft.com> | ||
3 | Date: Sun, 10 Mar 2019 21:59:24 -0700 | ||
4 | Subject: [PATCH] bpo-36216: Add check for characters in netloc that normalize | ||
5 | to separators (GH-12201) (#12223) | ||
6 | |||
7 | CVE: CVE-2019-9636 | ||
8 | Upstream-Status: Backport | ||
9 | [https://github.com/python/cpython/commit/c0d95113b070799679bcb9dc49d4960d82e8bb08] | ||
10 | |||
11 | Signed-off-by: Dan Tran <dantran@microsoft.com> | ||
12 | --- | ||
13 | Doc/library/urllib.parse.rst | 18 +++++++++++++++ | ||
14 | Lib/test/test_urlparse.py | 23 +++++++++++++++++++ | ||
15 | Lib/urllib/parse.py | 17 ++++++++++++++ | ||
16 | .../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst | 3 +++ | ||
17 | 4 files changed, 61 insertions(+) | ||
18 | create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst | ||
19 | |||
20 | diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst | ||
21 | index 6f722a8897..a4c6b6726e 100644 | ||
22 | --- a/Doc/library/urllib.parse.rst | ||
23 | +++ b/Doc/library/urllib.parse.rst | ||
24 | @@ -120,6 +120,11 @@ or on combining URL components into a URL string. | ||
25 | Unmatched square brackets in the :attr:`netloc` attribute will raise a | ||
26 | :exc:`ValueError`. | ||
27 | |||
28 | + Characters in the :attr:`netloc` attribute that decompose under NFKC | ||
29 | + normalization (as used by the IDNA encoding) into any of ``/``, ``?``, | ||
30 | + ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is | ||
31 | + decomposed before parsing, no error will be raised. | ||
32 | + | ||
33 | .. versionchanged:: 3.2 | ||
34 | Added IPv6 URL parsing capabilities. | ||
35 | |||
36 | @@ -128,6 +133,10 @@ or on combining URL components into a URL string. | ||
37 | false), in accordance with :rfc:`3986`. Previously, a whitelist of | ||
38 | schemes that support fragments existed. | ||
39 | |||
40 | + .. versionchanged:: 3.5.7 | ||
41 | + Characters that affect netloc parsing under NFKC normalization will | ||
42 | + now raise :exc:`ValueError`. | ||
43 | + | ||
44 | |||
45 | .. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace') | ||
46 | |||
47 | @@ -236,6 +245,15 @@ or on combining URL components into a URL string. | ||
48 | Unmatched square brackets in the :attr:`netloc` attribute will raise a | ||
49 | :exc:`ValueError`. | ||
50 | |||
51 | + Characters in the :attr:`netloc` attribute that decompose under NFKC | ||
52 | + normalization (as used by the IDNA encoding) into any of ``/``, ``?``, | ||
53 | + ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is | ||
54 | + decomposed before parsing, no error will be raised. | ||
55 | + | ||
56 | + .. versionchanged:: 3.5.7 | ||
57 | + Characters that affect netloc parsing under NFKC normalization will | ||
58 | + now raise :exc:`ValueError`. | ||
59 | + | ||
60 | |||
61 | .. function:: urlunsplit(parts) | ||
62 | |||
63 | diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py | ||
64 | index e2cf1b7e0f..d0420b0e74 100644 | ||
65 | --- a/Lib/test/test_urlparse.py | ||
66 | +++ b/Lib/test/test_urlparse.py | ||
67 | @@ -1,3 +1,5 @@ | ||
68 | +import sys | ||
69 | +import unicodedata | ||
70 | import unittest | ||
71 | import urllib.parse | ||
72 | |||
73 | @@ -970,6 +972,27 @@ class UrlParseTestCase(unittest.TestCase): | ||
74 | expected.append(name) | ||
75 | self.assertCountEqual(urllib.parse.__all__, expected) | ||
76 | |||
77 | + def test_urlsplit_normalization(self): | ||
78 | + # Certain characters should never occur in the netloc, | ||
79 | + # including under normalization. | ||
80 | + # Ensure that ALL of them are detected and cause an error | ||
81 | + illegal_chars = '/:#?@' | ||
82 | + hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars} | ||
83 | + denorm_chars = [ | ||
84 | + c for c in map(chr, range(128, sys.maxunicode)) | ||
85 | + if (hex_chars & set(unicodedata.decomposition(c).split())) | ||
86 | + and c not in illegal_chars | ||
87 | + ] | ||
88 | + # Sanity check that we found at least one such character | ||
89 | + self.assertIn('\u2100', denorm_chars) | ||
90 | + self.assertIn('\uFF03', denorm_chars) | ||
91 | + | ||
92 | + for scheme in ["http", "https", "ftp"]: | ||
93 | + for c in denorm_chars: | ||
94 | + url = "{}://netloc{}false.netloc/path".format(scheme, c) | ||
95 | + with self.subTest(url=url, char='{:04X}'.format(ord(c))): | ||
96 | + with self.assertRaises(ValueError): | ||
97 | + urllib.parse.urlsplit(url) | ||
98 | |||
99 | class Utility_Tests(unittest.TestCase): | ||
100 | """Testcase to test the various utility functions in the urllib.""" | ||
101 | diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py | ||
102 | index 62e8ddf04b..7ba2b445f5 100644 | ||
103 | --- a/Lib/urllib/parse.py | ||
104 | +++ b/Lib/urllib/parse.py | ||
105 | @@ -327,6 +327,21 @@ def _splitnetloc(url, start=0): | ||
106 | delim = min(delim, wdelim) # use earliest delim position | ||
107 | return url[start:delim], url[delim:] # return (domain, rest) | ||
108 | |||
109 | +def _checknetloc(netloc): | ||
110 | + if not netloc or not any(ord(c) > 127 for c in netloc): | ||
111 | + return | ||
112 | + # looking for characters like \u2100 that expand to 'a/c' | ||
113 | + # IDNA uses NFKC equivalence, so normalize for this check | ||
114 | + import unicodedata | ||
115 | + netloc2 = unicodedata.normalize('NFKC', netloc) | ||
116 | + if netloc == netloc2: | ||
117 | + return | ||
118 | + _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay | ||
119 | + for c in '/?#@:': | ||
120 | + if c in netloc2: | ||
121 | + raise ValueError("netloc '" + netloc2 + "' contains invalid " + | ||
122 | + "characters under NFKC normalization") | ||
123 | + | ||
124 | def urlsplit(url, scheme='', allow_fragments=True): | ||
125 | """Parse a URL into 5 components: | ||
126 | <scheme>://<netloc>/<path>?<query>#<fragment> | ||
127 | @@ -356,6 +371,7 @@ def urlsplit(url, scheme='', allow_fragments=True): | ||
128 | url, fragment = url.split('#', 1) | ||
129 | if '?' in url: | ||
130 | url, query = url.split('?', 1) | ||
131 | + _checknetloc(netloc) | ||
132 | v = SplitResult(scheme, netloc, url, query, fragment) | ||
133 | _parse_cache[key] = v | ||
134 | return _coerce_result(v) | ||
135 | @@ -379,6 +395,7 @@ def urlsplit(url, scheme='', allow_fragments=True): | ||
136 | url, fragment = url.split('#', 1) | ||
137 | if '?' in url: | ||
138 | url, query = url.split('?', 1) | ||
139 | + _checknetloc(netloc) | ||
140 | v = SplitResult(scheme, netloc, url, query, fragment) | ||
141 | _parse_cache[key] = v | ||
142 | return _coerce_result(v) | ||
143 | diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst | ||
144 | new file mode 100644 | ||
145 | index 0000000000..5546394157 | ||
146 | --- /dev/null | ||
147 | +++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst | ||
148 | @@ -0,0 +1,3 @@ | ||
149 | +Changes urlsplit() to raise ValueError when the URL contains characters that | ||
150 | +decompose under IDNA encoding (NFKC-normalization) into characters that | ||
151 | +affect how the URL is parsed. | ||
152 | -- | ||
153 | 2.22.0.vfs.1.1.57.gbaf16c8 | ||
154 | |||