1 files changed, 80 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3/CVE-2023-24329.patch b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch
new file mode 100644
index 0000000000..23dec65602
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch
@@ -0,0 +1,80 @@
+From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Sun, 13 Nov 2022 11:00:25 -0800
+Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme
+ must begin with an alphabetical ASCII character. (GH-99421)
+Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character.
+RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`
+RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A`
+The WHATWG URL spec defines a scheme like this:
+`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."`
+(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7)
+Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com>
+Upstream-Status: Backport [https://github.com/python/cpython/commit/72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9]
+CVE: CVE-2023-24329
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ Lib/test/test_urlparse.py                      | 18 ++++++++++++++++++
+ Lib/urllib/parse.py                            |  2 +-
+ ...22-11-12-15-45-51.gh-issue-99418.FxfAXS.rst |  2 ++
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 0ad3bf1..e1aa913 100644
+--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
+@@ -735,6 +735,24 @@ class UrlParseTestCase(unittest.TestCase):
+                         with self.assertRaises(ValueError):
+                             p.port
+    def test_attributes_bad_scheme(self):
+        """Check handling of invalid schemes."""
+        for bytes in (False, True):
+            for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
+                for scheme in (".", "+", "-", "0", "http&", "६http"):
+                    with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
+                        url = scheme + "://www.example.net"
+                        if bytes:
+                            if url.isascii():
+                                url = url.encode("ascii")
+                            else:
+                                continue
+                        p = parse(url)
+                        if bytes:
+                            self.assertEqual(p.scheme, b"")
+                        else:
+                            self.assertEqual(p.scheme, "")
+
+     def test_attributes_without_netloc(self):
+         # This example is straight from RFC 3261.  It looks like it
+         # should allow the username, hostname, and port to be filled
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index 979e6d2..2e7a3e2 100644
+--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
+@@ -452,7 +452,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+         clear_cache()
+     netloc = query = fragment = ''
+     i = url.find(':')
+-    if i > 0:
+    if i > 0 and url[0].isascii() and url[0].isalpha():
+         if url[:i] == 'http': # optimize the common case
+             url = url[i+1:]
+             if url[:2] == '//':
+diff --git a/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+new file mode 100644
+index 0000000..0a06e7c
+--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+@@ -0,0 +1,2 @@
+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
+with a digit, a plus sign, or a minus sign to be parsed incorrectly.
+--
+2.25.1

diff --git a/meta/recipes-devtools/python/python3/CVE-2023-24329.patch b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch new file mode 100644 index 0000000000..23dec65602 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch
@@ -0,0 +1,80 @@
	1	From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001
	2	From: "Miss Islington (bot)"
	3	<31488909+miss-islington@users.noreply.github.com>
	4	Date: Sun, 13 Nov 2022 11:00:25 -0800
	5	Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme
	6	must begin with an alphabetical ASCII character. (GH-99421)
	7
	8	Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character.
	9
	10	RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`
	11	RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A`
	12
	13	The WHATWG URL spec defines a scheme like this:
	14	`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."`
	15	(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7)
	16
	17	Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com>
	18
	19	Upstream-Status: Backport [https://github.com/python/cpython/commit/72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9]
	20	CVE: CVE-2023-24329
	21	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
	22	---
	23	Lib/test/test_urlparse.py \| 18 ++++++++++++++++++
	24	Lib/urllib/parse.py \| 2 +-
	25	...22-11-12-15-45-51.gh-issue-99418.FxfAXS.rst \| 2 ++
	26	3 files changed, 21 insertions(+), 1 deletion(-)
	27	create mode 100644 Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
	28
	29	diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
	30	index 0ad3bf1..e1aa913 100644
	31	--- a/Lib/test/test_urlparse.py
	32	+++ b/Lib/test/test_urlparse.py
	33	@@ -735,6 +735,24 @@ class UrlParseTestCase(unittest.TestCase):
	34	with self.assertRaises(ValueError):
	35	p.port
	36
	37	+ def test_attributes_bad_scheme(self):
	38	+ """Check handling of invalid schemes."""
	39	+ for bytes in (False, True):
	40	+ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
	41	+ for scheme in (".", "+", "-", "0", "http&", "६http"):
	42	+ with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
	43	+ url = scheme + "://www.example.net"
	44	+ if bytes:
	45	+ if url.isascii():
	46	+ url = url.encode("ascii")
	47	+ else:
	48	+ continue
	49	+ p = parse(url)
	50	+ if bytes:
	51	+ self.assertEqual(p.scheme, b"")
	52	+ else:
	53	+ self.assertEqual(p.scheme, "")
	54	+
	55	def test_attributes_without_netloc(self):
	56	# This example is straight from RFC 3261. It looks like it
	57	# should allow the username, hostname, and port to be filled
	58	diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
	59	index 979e6d2..2e7a3e2 100644
	60	--- a/Lib/urllib/parse.py
	61	+++ b/Lib/urllib/parse.py
	62	@@ -452,7 +452,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
	63	clear_cache()
	64	netloc = query = fragment = ''
	65	i = url.find(':')
	66	- if i > 0:
	67	+ if i > 0 and url[0].isascii() and url[0].isalpha():
	68	if url[:i] == 'http': # optimize the common case
	69	url = url[i+1:]
	70	if url[:2] == '//':
	71	diff --git a/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
	72	new file mode 100644
	73	index 0000000..0a06e7c
	74	--- /dev/null
	75	+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
	76	@@ -0,0 +1,2 @@
	77	+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
	78	+with a digit, a plus sign, or a minus sign to be parsed incorrectly.
	79	--
	80	2.25.1