python3: fix CVE-2023-24329

Backport fix from cpython 3.11 branch. (From OE-Core rev: 37defd828cc6a8267139928730d766167905d21a) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Joe Slater <joe.slater@windriver.com> 2023-03-16 08:54:09 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-03-23 22:45:33 +0000
commit: 6af5a447a16f34700e2c911992a19b0dae75de28 (patch)
tree: 021069371312a1d66da8ee8fba52471ce91b79ee /meta/recipes-devtools/python/python3
parent: a72bfe0e79ae22b0513e4a6fad83e42c983b7629 (diff)
download: poky-6af5a447a16f34700e2c911992a19b0dae75de28.tar.gz
1 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3/cve-2023-24329.patch b/meta/recipes-devtools/python/python3/cve-2023-24329.patch
new file mode 100644
index 0000000000..d47425d239
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/cve-2023-24329.patch
@@ -0,0 +1,50 @@
+From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Sun, 13 Nov 2022 11:00:25 -0800
+Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme
+ must begin with an alphabetical ASCII character. (GH-99421)
+Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character.
+RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`
+RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A`
+The WHATWG URL spec defines a scheme like this:
+`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."`
+(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7)
+Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com>
+--- end original header ---
+CVE: CVE-2023-24329
+Upstream-Status: Backport [see below]
+Taken from https://github.com/python/cpython.git
+commit 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9
+CVE fix extracted; test case and update to NEWS abandoned.
+Defuzzed.
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+ Lib/urllib/parse.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index 26ddf30..1c53acb 100644
+--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
+@@ -469,7 +469,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+         clear_cache()
+     netloc = query = fragment = ''
+     i = url.find(':')
+-    if i > 0:
+    if i > 0 and url[0].isascii() and url[0].isalpha():
+         for c in url[:i]:
+             if c not in scheme_chars:
+                 break
+-- 
+2.25.1
author	Joe Slater <joe.slater@windriver.com>	2023-03-16 08:54:09 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-03-23 22:45:33 +0000
commit	6af5a447a16f34700e2c911992a19b0dae75de28 (patch)
tree	021069371312a1d66da8ee8fba52471ce91b79ee /meta/recipes-devtools/python/python3
parent	a72bfe0e79ae22b0513e4a6fad83e42c983b7629 (diff)
download	poky-6af5a447a16f34700e2c911992a19b0dae75de28.tar.gz

diff --git a/meta/recipes-devtools/python/python3/cve-2023-24329.patch b/meta/recipes-devtools/python/python3/cve-2023-24329.patch new file mode 100644 index 0000000000..d47425d239 --- /dev/null +++ b/meta/recipes-devtools/python/python3/cve-2023-24329.patch
@@ -0,0 +1,50 @@
	1	From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001
	2	From: "Miss Islington (bot)"
	3	<31488909+miss-islington@users.noreply.github.com>
	4	Date: Sun, 13 Nov 2022 11:00:25 -0800
	5	Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme
	6	must begin with an alphabetical ASCII character. (GH-99421)
	7
	8	Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character.
	9
	10	RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`
	11	RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A`
	12
	13	The WHATWG URL spec defines a scheme like this:
	14	`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."`
	15	(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7)
	16
	17	Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com>
	18	--- end original header ---
	19
	20	CVE: CVE-2023-24329
	21
	22	Upstream-Status: Backport [see below]
	23
	24	Taken from https://github.com/python/cpython.git
	25	commit 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9
	26
	27	CVE fix extracted; test case and update to NEWS abandoned.
	28	Defuzzed.
	29
	30	Signed-off-by: Joe Slater <joe.slater@windriver.com>
	31	---
	32	Lib/urllib/parse.py \| 2 +-
	33	1 file changed, 1 insertion(+), 1 deletion(-)
	34
	35	diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
	36	index 26ddf30..1c53acb 100644
	37	--- a/Lib/urllib/parse.py
	38	+++ b/Lib/urllib/parse.py
	39	@@ -469,7 +469,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
	40	clear_cache()
	41	netloc = query = fragment = ''
	42	i = url.find(':')
	43	- if i > 0:
	44	+ if i > 0 and url[0].isascii() and url[0].isalpha():
	45	for c in url[:i]:
	46	if c not in scheme_chars:
	47	break
	48	--
	49	2.25.1
	50