summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2023-24329.patch80
-rw-r--r--meta/recipes-devtools/python/python3_3.8.17.bb1
2 files changed, 81 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3/CVE-2023-24329.patch b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch
new file mode 100644
index 0000000000..23dec65602
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch
@@ -0,0 +1,80 @@
1From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001
2From: "Miss Islington (bot)"
3 <31488909+miss-islington@users.noreply.github.com>
4Date: Sun, 13 Nov 2022 11:00:25 -0800
5Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme
6 must begin with an alphabetical ASCII character. (GH-99421)
7
8Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character.
9
10RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`
11RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A`
12
13The WHATWG URL spec defines a scheme like this:
14`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."`
15(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7)
16
17Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com>
18
19Upstream-Status: Backport [https://github.com/python/cpython/commit/72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9]
20CVE: CVE-2023-24329
21Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
22---
23 Lib/test/test_urlparse.py | 18 ++++++++++++++++++
24 Lib/urllib/parse.py | 2 +-
25 ...22-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 ++
26 3 files changed, 21 insertions(+), 1 deletion(-)
27 create mode 100644 Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
28
29diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
30index 0ad3bf1..e1aa913 100644
31--- a/Lib/test/test_urlparse.py
32+++ b/Lib/test/test_urlparse.py
33@@ -735,6 +735,24 @@ class UrlParseTestCase(unittest.TestCase):
34 with self.assertRaises(ValueError):
35 p.port
36
37+ def test_attributes_bad_scheme(self):
38+ """Check handling of invalid schemes."""
39+ for bytes in (False, True):
40+ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
41+ for scheme in (".", "+", "-", "0", "http&", "६http"):
42+ with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
43+ url = scheme + "://www.example.net"
44+ if bytes:
45+ if url.isascii():
46+ url = url.encode("ascii")
47+ else:
48+ continue
49+ p = parse(url)
50+ if bytes:
51+ self.assertEqual(p.scheme, b"")
52+ else:
53+ self.assertEqual(p.scheme, "")
54+
55 def test_attributes_without_netloc(self):
56 # This example is straight from RFC 3261. It looks like it
57 # should allow the username, hostname, and port to be filled
58diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
59index 979e6d2..2e7a3e2 100644
60--- a/Lib/urllib/parse.py
61+++ b/Lib/urllib/parse.py
62@@ -452,7 +452,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
63 clear_cache()
64 netloc = query = fragment = ''
65 i = url.find(':')
66- if i > 0:
67+ if i > 0 and url[0].isascii() and url[0].isalpha():
68 if url[:i] == 'http': # optimize the common case
69 url = url[i+1:]
70 if url[:2] == '//':
71diff --git a/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
72new file mode 100644
73index 0000000..0a06e7c
74--- /dev/null
75+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
76@@ -0,0 +1,2 @@
77+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
78+with a digit, a plus sign, or a minus sign to be parsed incorrectly.
79--
802.25.1
diff --git a/meta/recipes-devtools/python/python3_3.8.17.bb b/meta/recipes-devtools/python/python3_3.8.17.bb
index ba5f564d8e..8c00d65794 100644
--- a/meta/recipes-devtools/python/python3_3.8.17.bb
+++ b/meta/recipes-devtools/python/python3_3.8.17.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
34 file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \ 34 file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \
35 file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \ 35 file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
36 file://makerace.patch \ 36 file://makerace.patch \
37 file://CVE-2023-24329.patch \
37 " 38 "
38 39
39SRC_URI_append_class-native = " \ 40SRC_URI_append_class-native = " \