import python2-2.7.18-10.module+el8.6.0+14191+7fdd52cd
This commit is contained in:
parent
607f0d095d
commit
455dc21f2b
|
@ -0,0 +1,127 @@
|
|||
diff --git a/Doc/library/urlparse.rst b/Doc/library/urlparse.rst
|
||||
index 97d1119257c..c08c3dc8e8f 100644
|
||||
--- a/Doc/library/urlparse.rst
|
||||
+++ b/Doc/library/urlparse.rst
|
||||
@@ -125,6 +125,9 @@ The :mod:`urlparse` module defines the following functions:
|
||||
decomposed before parsing, or is not a Unicode string, no error will be
|
||||
raised.
|
||||
|
||||
+ Following the `WHATWG spec`_ that updates RFC 3986, ASCII newline
|
||||
+ ``\n``, ``\r`` and tab ``\t`` characters are stripped from the URL.
|
||||
+
|
||||
.. versionchanged:: 2.5
|
||||
Added attributes to return value.
|
||||
|
||||
@@ -321,6 +324,10 @@ The :mod:`urlparse` module defines the following functions:
|
||||
|
||||
.. seealso::
|
||||
|
||||
+ `WHATWG`_ - URL Living standard
|
||||
+ Working Group for the URL Standard that defines URLs, domains, IP addresses, the
|
||||
+ application/x-www-form-urlencoded format, and their API.
|
||||
+
|
||||
:rfc:`3986` - Uniform Resource Identifiers
|
||||
This is the current standard (STD66). Any changes to urlparse module
|
||||
should conform to this. Certain deviations could be observed, which are
|
||||
@@ -345,6 +352,7 @@ The :mod:`urlparse` module defines the following functions:
|
||||
:rfc:`1738` - Uniform Resource Locators (URL)
|
||||
This specifies the formal syntax and semantics of absolute URLs.
|
||||
|
||||
+.. _WHATWG: https://url.spec.whatwg.org/
|
||||
|
||||
.. _urlparse-result-object:
|
||||
|
||||
diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
|
||||
index 21875bb2991..16eefed56f6 100644
|
||||
--- a/Lib/test/test_urlparse.py
|
||||
+++ b/Lib/test/test_urlparse.py
|
||||
@@ -618,6 +618,55 @@ class UrlParseTestCase(unittest.TestCase):
|
||||
self.assertEqual(p1.path, '863-1234')
|
||||
self.assertEqual(p1.params, 'phone-context=+1-914-555')
|
||||
|
||||
+ def test_urlsplit_remove_unsafe_bytes(self):
|
||||
+ # Remove ASCII tabs and newlines from input, for http common case scenario.
|
||||
+ url = "h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
|
||||
+ p = urlparse.urlsplit(url)
|
||||
+ self.assertEqual(p.scheme, "http")
|
||||
+ self.assertEqual(p.netloc, "www.python.org")
|
||||
+ self.assertEqual(p.path, "/javascript:alert('msg')/")
|
||||
+ self.assertEqual(p.query, "query=something")
|
||||
+ self.assertEqual(p.fragment, "fragment")
|
||||
+ self.assertEqual(p.username, None)
|
||||
+ self.assertEqual(p.password, None)
|
||||
+ self.assertEqual(p.hostname, "www.python.org")
|
||||
+ self.assertEqual(p.port, None)
|
||||
+ self.assertEqual(p.geturl(), "http://www.python.org/javascript:alert('msg')/?query=something#fragment")
|
||||
+
|
||||
+ # Remove ASCII tabs and newlines from input as bytes, for http common case scenario.
|
||||
+ url = b"h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
|
||||
+ p = urlparse.urlsplit(url)
|
||||
+ self.assertEqual(p.scheme, b"http")
|
||||
+ self.assertEqual(p.netloc, b"www.python.org")
|
||||
+ self.assertEqual(p.path, b"/javascript:alert('msg')/")
|
||||
+ self.assertEqual(p.query, b"query=something")
|
||||
+ self.assertEqual(p.fragment, b"fragment")
|
||||
+ self.assertEqual(p.username, None)
|
||||
+ self.assertEqual(p.password, None)
|
||||
+ self.assertEqual(p.hostname, b"www.python.org")
|
||||
+ self.assertEqual(p.port, None)
|
||||
+ self.assertEqual(p.geturl(), b"http://www.python.org/javascript:alert('msg')/?query=something#fragment")
|
||||
+
|
||||
+ # any scheme
|
||||
+ url = "x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
|
||||
+ p = urlparse.urlsplit(url)
|
||||
+ self.assertEqual(p.geturl(), "x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment")
|
||||
+
|
||||
+ # Remove ASCII tabs and newlines from input as bytes, any scheme.
|
||||
+ url = b"x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
|
||||
+ p = urlparse.urlsplit(url)
|
||||
+ self.assertEqual(p.geturl(), b"x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment")
|
||||
+
|
||||
+ # Unsafe bytes is not returned from urlparse cache.
|
||||
+ # scheme is stored after parsing, sending an scheme with unsafe bytes *will not* return an unsafe scheme
|
||||
+ url = "https://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
|
||||
+ scheme = "htt\nps"
|
||||
+ for _ in range(2):
|
||||
+ p = urlparse.urlsplit(url, scheme=scheme)
|
||||
+ self.assertEqual(p.scheme, "https")
|
||||
+ self.assertEqual(p.geturl(), "https://www.python.org/javascript:alert('msg')/?query=something#fragment")
|
||||
+
|
||||
+
|
||||
|
||||
def test_attributes_bad_port(self):
|
||||
"""Check handling of non-integer ports."""
|
||||
diff --git a/Lib/urlparse.py b/Lib/urlparse.py
|
||||
index 69504d8fd93..6cc40a8d2fb 100644
|
||||
--- a/Lib/urlparse.py
|
||||
+++ b/Lib/urlparse.py
|
||||
@@ -63,6 +63,9 @@ scheme_chars = ('abcdefghijklmnopqrstuvwxyz'
|
||||
'0123456789'
|
||||
'+-.')
|
||||
|
||||
+# Unsafe bytes to be removed per WHATWG spec
|
||||
+_UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r', '\n']
|
||||
+
|
||||
MAX_CACHE_SIZE = 20
|
||||
_parse_cache = {}
|
||||
|
||||
@@ -185,12 +188,19 @@ def _checknetloc(netloc):
|
||||
"under NFKC normalization"
|
||||
% netloc)
|
||||
|
||||
+def _remove_unsafe_bytes_from_url(url):
|
||||
+ for b in _UNSAFE_URL_BYTES_TO_REMOVE:
|
||||
+ url = url.replace(b, "")
|
||||
+ return url
|
||||
+
|
||||
def urlsplit(url, scheme='', allow_fragments=True):
|
||||
"""Parse a URL into 5 components:
|
||||
<scheme>://<netloc>/<path>?<query>#<fragment>
|
||||
Return a 5-tuple: (scheme, netloc, path, query, fragment).
|
||||
Note that we don't break the components up in smaller bits
|
||||
(e.g. netloc is a single string) and we don't expand % escapes."""
|
||||
+ url = _remove_unsafe_bytes_from_url(url)
|
||||
+ scheme = _remove_unsafe_bytes_from_url(scheme)
|
||||
allow_fragments = bool(allow_fragments)
|
||||
key = url, scheme, allow_fragments, type(url), type(scheme)
|
||||
cached = _parse_cache.get(key, None)
|
|
@ -104,7 +104,7 @@ Summary: An interpreted, interactive, object-oriented programming language
|
|||
Name: %{python}
|
||||
# Remember to also rebase python2-docs when changing this:
|
||||
Version: 2.7.18
|
||||
Release: 9%{?dist}
|
||||
Release: 10%{?dist}
|
||||
License: Python
|
||||
Group: Development/Languages
|
||||
Requires: %{python}-libs%{?_isa} = %{version}-%{release}
|
||||
|
@ -763,6 +763,17 @@ Patch368: 00368-CVE-2021-3737.patch
|
|||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2036020
|
||||
Patch372: 00372-CVE-2021-4189.patch
|
||||
|
||||
# 00377 #
|
||||
# CVE-2022-0391: urlparse does not sanitize URLs containing ASCII newline and tabs
|
||||
#
|
||||
# ASCII newline and tab characters are stripped from the URL.
|
||||
#
|
||||
# Backported from Python 3.
|
||||
#
|
||||
# Upstream: https://bugs.python.org/issue43882
|
||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2047376
|
||||
Patch377: 00377-CVE-2022-0391.patch
|
||||
|
||||
# (New patches go here ^^^)
|
||||
#
|
||||
# When adding new patches to "python2" and "python3" in Fedora, EL, etc.,
|
||||
|
@ -1093,6 +1104,7 @@ git apply %{PATCH351}
|
|||
%patch366 -p1
|
||||
%patch368 -p1
|
||||
%patch372 -p1
|
||||
%patch377 -p1
|
||||
|
||||
# This shouldn't be necesarry, but is right now (2.2a3)
|
||||
find -name "*~" |xargs rm -f
|
||||
|
@ -2031,6 +2043,10 @@ fi
|
|||
# ======================================================
|
||||
|
||||
%changelog
|
||||
* Tue Feb 08 2022 Charalampos Stratakis <cstratak@redhat.com> - 2.7.18-10
|
||||
- Security fix for CVE-2022-0391: urlparse does not sanitize URLs containing ASCII newline and tabs
|
||||
Resolves: rhbz#2047376
|
||||
|
||||
* Wed Jan 12 2022 Charalampos Stratakis <cstratak@redhat.com> - 2.7.18-9
|
||||
- Security fix for CVE-2021-4189: ftplib should not use the host from the PASV response
|
||||
Resolves: rhbz#2036020
|
||||
|
|
Loading…
Reference in New Issue