44 lines
1.2 KiB
Diff
44 lines
1.2 KiB
Diff
From b40eb0f43daecc6e2e3ce47b0be49cf570d02adc Mon Sep 17 00:00:00 2001
|
|
From: Lumir Balhar <lbalhar@redhat.com>
|
|
Date: Thu, 9 Jan 2020 11:14:58 +0100
|
|
Subject: [PATCH] CVE-2019-9740
|
|
|
|
---
|
|
util/url.py | 7 +++++++
|
|
1 file changed, 7 insertions(+)
|
|
|
|
diff --git a/util/url.py b/util/url.py
|
|
index 6b6f996..2784c85 100644
|
|
--- a/util/url.py
|
|
+++ b/util/url.py
|
|
@@ -1,5 +1,6 @@
|
|
from __future__ import absolute_import
|
|
from collections import namedtuple
|
|
+import re
|
|
|
|
from ..exceptions import LocationParseError
|
|
|
|
@@ -10,6 +11,8 @@ url_attrs = ['scheme', 'auth', 'host', 'port', 'path', 'query', 'fragment']
|
|
# urllib3 infers URLs without a scheme (None) to be http.
|
|
NORMALIZABLE_SCHEMES = ('http', 'https', None)
|
|
|
|
+_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
|
|
+from ..packages.six.moves.urllib.parse import quote
|
|
|
|
class Url(namedtuple('Url', url_attrs)):
|
|
"""
|
|
@@ -155,6 +158,10 @@ def parse_url(url):
|
|
# Empty
|
|
return Url()
|
|
|
|
+ # Prevent CVE-2019-9740.
|
|
+ # adapted from https://github.com/python/cpython/pull/12755
|
|
+ url = _contains_disallowed_url_pchar_re.sub(lambda match: quote(match.group()), url)
|
|
+
|
|
scheme = None
|
|
auth = None
|
|
host = None
|
|
--
|
|
2.24.1
|
|
|