python-oauthlib/0004-IPV6-parsing-signature.patch

From 49294a6a7cb6e9ece1c1814d629e2d9e497180fa Mon Sep 17 00:00:00 2001
From: Dariusz Smigiel <dsmigiel@redhat.com>
Date: Thu, 19 May 2022 09:41:59 -0700
Subject: [PATCH 1/4] OAuth1: Allow IPv6 addresses being parsed by signature

This PR addresses issue with incorrectly parsing IPv6 address,
described here: https://github.com/oauthlib/oauthlib/issues/817
---
 oauthlib/oauth1/rfc5849/signature.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/oauthlib/oauth1/rfc5849/signature.py b/oauthlib/oauth1/rfc5849/signature.py
index a370ccd6..424393b6 100644
--- a/oauthlib/oauth1/rfc5849/signature.py
+++ b/oauthlib/oauth1/rfc5849/signature.py
@@ -173,7 +173,7 @@ def base_string_uri(uri: str, host: str = None) -> str:
     if ':' in netloc:
         # Contains a colon ":", so try to parse as "host:port"
 
-        hostname, port_str = netloc.split(':', 1)
+        hostname, port_str = netloc.rsplit(':', 1)
 
         if len(hostname) == 0:
             raise ValueError('missing host')  # error: netloc was ":port" or ":"

From d05c388078b45285ac4a012c568a5e2d56556a34 Mon Sep 17 00:00:00 2001
From: Dariusz Smigiel <dsmigiel@redhat.com>
Date: Wed, 15 Jun 2022 09:26:20 -0700
Subject: [PATCH 2/4] Removed dependency on split

---
 oauthlib/oauth1/rfc5849/signature.py    | 68 +++++++++++++++----------
 tests/oauth1/rfc5849/test_signatures.py | 21 +++++++-
 2 files changed, 60 insertions(+), 29 deletions(-)

diff --git a/oauthlib/oauth1/rfc5849/signature.py b/oauthlib/oauth1/rfc5849/signature.py
index 424393b6..70447852 100644
--- a/oauthlib/oauth1/rfc5849/signature.py
+++ b/oauthlib/oauth1/rfc5849/signature.py
@@ -37,6 +37,7 @@
 import binascii
 import hashlib
 import hmac
+import ipaddress
 import logging
 import warnings
 
@@ -131,7 +132,14 @@ def base_string_uri(uri: str, host: str = None) -> str:
         raise ValueError('uri must be a string.')
 
     # FIXME: urlparse does not support unicode
-    scheme, netloc, path, params, query, fragment = urlparse.urlparse(uri)
+    output = urlparse.urlparse(uri)
+    scheme = output.scheme
+    hostname = output.hostname
+    port = output.port
+    path = output.path
+    params = output.params
+    query = output.query
+    fragment = output.fragment
 
     # The scheme, authority, and path of the request resource URI `RFC3986`
     # are included by constructing an "http" or "https" URI representing
@@ -153,13 +161,22 @@ def base_string_uri(uri: str, host: str = None) -> str:
 
     # 1.  The scheme and host MUST be in lowercase.
     scheme = scheme.lower()
-    netloc = netloc.lower()
     # Note: if ``host`` is used, it will be converted to lowercase below
+    if hostname is not None:
+        hostname = hostname.lower()
 
     # 2.  The host and port values MUST match the content of the HTTP
     #     request "Host" header field.
     if host is not None:
-        netloc = host.lower()  # override value in uri with provided host
+        # NOTE: override value in uri with provided host
+        # Host argument is equal to netloc. It means it's missing scheme.
+        # Add it back, before parsing.
+
+        host = host.lower()
+        host = f"{scheme}://{host}"
+        output = urlparse.urlparse(host)
+        hostname = output.hostname
+        port = output.port
 
     # 3.  The port MUST be included if it is not the default port for the
     #     scheme, and MUST be excluded if it is the default.  Specifically,
@@ -170,33 +187,28 @@ def base_string_uri(uri: str, host: str = None) -> str:
     # .. _`RFC2616`: https://tools.ietf.org/html/rfc2616
     # .. _`RFC2818`: https://tools.ietf.org/html/rfc2818
 
-    if ':' in netloc:
-        # Contains a colon ":", so try to parse as "host:port"
-
-        hostname, port_str = netloc.rsplit(':', 1)
-
-        if len(hostname) == 0:
-            raise ValueError('missing host')  # error: netloc was ":port" or ":"
+    if hostname is None:
+        raise ValueError('missing host')
 
-        if len(port_str) == 0:
-            netloc = hostname  # was "host:", so just use the host part
-        else:
-            try:
-                port_num = int(port_str)  # try to parse into an integer number
-            except ValueError:
-                raise ValueError('port is not an integer')
-
-            if port_num <= 0 or 65535 < port_num:
-                raise ValueError('port out of range')  # 16-bit unsigned ints
-            if (scheme, port_num) in (('http', 80), ('https', 443)):
-                netloc = hostname  # default port for scheme: exclude port num
-            else:
-                netloc = hostname + ':' + str(port_num)  # use hostname:port
+    # NOTE: Try guessing if we're dealing with IP or hostname
+    try:
+        hostname = ipaddress.ip_address(hostname)
+    except ValueError:
+        pass
+
+    if isinstance(hostname, ipaddress.IPv6Address):
+        hostname = f"[{hostname}]"
+    elif isinstance(hostname, ipaddress.IPv4Address):
+        hostname = f"{hostname}"
+
+    if port is not None and not (0 <= port <= 65535):
+        raise ValueError('port out of range')  # 16-bit unsigned ints
+    if (scheme, port) in (('http', 80), ('https', 443)):
+        netloc = hostname  # default port for scheme: exclude port num
+    elif port:
+        netloc = f"{hostname}:{port}"  # use hostname:port
     else:
-        # Does not contain a colon, so entire value must be the hostname
-
-        if len(netloc) == 0:
-            raise ValueError('missing host')  # error: netloc was empty string
+        netloc = hostname
 
     v = urlparse.urlunparse((scheme, netloc, path, params, '', ''))
 
diff --git a/tests/oauth1/rfc5849/test_signatures.py b/tests/oauth1/rfc5849/test_signatures.py
index 3e84f24b..e737e68b 100644
--- a/tests/oauth1/rfc5849/test_signatures.py
+++ b/tests/oauth1/rfc5849/test_signatures.py
@@ -239,6 +239,26 @@ def test_base_string_uri(self):
             'http://override.example.com/path',
             base_string_uri('http:///path', 'OVERRIDE.example.com'))
 
+        # ----------------
+        # Host: valid host allows for IPv4 and IPv6
+
+        self.assertEqual(
+            'https://192.168.0.1/',
+            base_string_uri('https://192.168.0.1')
+        )
+        self.assertEqual(
+            'https://192.168.0.1:13000/',
+            base_string_uri('https://192.168.0.1:13000')
+        )
+        self.assertEqual(
+            'https://[123:db8:fd00:1000::5]:13000/',
+            base_string_uri('https://[123:db8:fd00:1000::5]:13000')
+        )
+        self.assertEqual(
+            'https://[123:db8:fd00:1000::5]/',
+            base_string_uri('https://[123:db8:fd00:1000::5]')
+        )
+
         # ----------------
         # Port: default ports always excluded; non-default ports always included
 
@@ -339,7 +359,6 @@ def test_base_string_uri(self):
         self.assertRaises(ValueError, base_string_uri, 'http://:8080')
 
         # Port is not a valid TCP/IP port number
-        self.assertRaises(ValueError, base_string_uri, 'http://eg.com:0')
         self.assertRaises(ValueError, base_string_uri, 'http://eg.com:-1')
         self.assertRaises(ValueError, base_string_uri, 'http://eg.com:65536')
         self.assertRaises(ValueError, base_string_uri, 'http://eg.com:3.14')

From ed0cb63945c4a5940b185823809693b7f97989ad Mon Sep 17 00:00:00 2001
From: Dariusz Smigiel <dsmigiel@redhat.com>
Date: Wed, 15 Jun 2022 10:20:29 -0700
Subject: [PATCH 3/4] Removed unused query and fragment

---
 oauthlib/oauth1/rfc5849/signature.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/oauthlib/oauth1/rfc5849/signature.py b/oauthlib/oauth1/rfc5849/signature.py
index 70447852..7e8044a9 100644
--- a/oauthlib/oauth1/rfc5849/signature.py
+++ b/oauthlib/oauth1/rfc5849/signature.py
@@ -138,8 +138,6 @@ def base_string_uri(uri: str, host: str = None) -> str:
     port = output.port
     path = output.path
     params = output.params
-    query = output.query
-    fragment = output.fragment
 
     # The scheme, authority, and path of the request resource URI `RFC3986`
     # are included by constructing an "http" or "https" URI representing

From 9aa45aaff0cdeab258d18c025cf66e9bdba529c0 Mon Sep 17 00:00:00 2001
From: Dariusz Smigiel <dsmigiel@redhat.com>
Date: Mon, 27 Jun 2022 07:20:06 -0700
Subject: [PATCH 4/4] Restored test for port 0.

---
 oauthlib/oauth1/rfc5849/signature.py    | 2 +-
 tests/oauth1/rfc5849/test_signatures.py | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/oauthlib/oauth1/rfc5849/signature.py b/oauthlib/oauth1/rfc5849/signature.py
index 862c3f3c..9cb1a517 100644
--- a/oauthlib/oauth1/rfc5849/signature.py
+++ b/oauthlib/oauth1/rfc5849/signature.py
@@ -198,7 +198,7 @@ def base_string_uri(uri: str, host: str = None) -> str:
     elif isinstance(hostname, ipaddress.IPv4Address):
         hostname = f"{hostname}"
 
-    if port is not None and not (0 <= port <= 65535):
+    if port is not None and not (0 < port <= 65535):
         raise ValueError('port out of range')  # 16-bit unsigned ints
     if (scheme, port) in (('http', 80), ('https', 443)):
         netloc = hostname  # default port for scheme: exclude port num
diff --git a/tests/oauth1/rfc5849/test_signatures.py b/tests/oauth1/rfc5849/test_signatures.py
index f0e18093..2d4735ea 100644
--- a/tests/oauth1/rfc5849/test_signatures.py
+++ b/tests/oauth1/rfc5849/test_signatures.py
@@ -348,6 +348,7 @@ def test_base_string_uri(self):
         self.assertRaises(ValueError, base_string_uri, 'http://:8080')
 
         # Port is not a valid TCP/IP port number
+        self.assertRaises(ValueError, base_string_uri, 'http://eg.com:0')
         self.assertRaises(ValueError, base_string_uri, 'http://eg.com:-1')
         self.assertRaises(ValueError, base_string_uri, 'http://eg.com:65536')
         self.assertRaises(ValueError, base_string_uri, 'http://eg.com:3.14')