fix CVE-2023-24329

(cherry picked from commit f33a7c54a67b7c7e040bdc34fd78ed90e3a5b769)
2023-04-06 13:05:44 +08:00 · 2023-04-06 13:05:44 +08:00 · dc55be7b2f
commit dc55be7b2f
parent ded3c83660
3 changed files with 128 additions and 1 deletions
--- a/backport-Make-urllib.parse.urlparse-enforce-that-a-scheme-mus.patch
+++ b/backport-Make-urllib.parse.urlparse-enforce-that-a-scheme-mus.patch
@ -0,0 +1,73 @@
 From 439b9cfaf43080e91c4ad69f312f21fa098befc7 Mon Sep 17 00:00:00 2001
 From: Ben Kallus <49924171+kenballus@users.noreply.github.com>
 Date: Sun, 13 Nov 2022 18:25:55 +0000
 Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme
 must begin with an alphabetical ASCII character. (#99421)
 Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character.
 RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`
 RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A`
 The WHATWG URL spec defines a scheme like this:
 `"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."`
 ---
 Lib/test/test_urlparse.py                      | 18 ++++++++++++++++++
 Lib/urllib/parse.py                            |  2 +-
 ...22-11-12-15-45-51.gh-issue-99418.FxfAXS.rst |  2 ++
 3 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
 diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
 index 31943f3..f42ed9b 100644
 --- a/Lib/test/test_urlparse.py
 +++ b/Lib/test/test_urlparse.py
@@ -665,6 +665,24 @@ class UrlParseTestCase(unittest.TestCase):
                         with self.assertRaises(ValueError):
                             p.port
 +    def test_attributes_bad_scheme(self):
 +        """Check handling of invalid schemes."""
 +        for bytes in (False, True):
 +            for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
 +                for scheme in (".", "+", "-", "0", "http&", "६http"):
 +                    with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
 +                        url = scheme + "://www.example.net"
 +                        if bytes:
 +                            if url.isascii():
 +                                url = url.encode("ascii")
 +                            else:
 +                                continue
 +                        p = parse(url)
 +                        if bytes:
 +                            self.assertEqual(p.scheme, b"")
 +                        else:
 +                            self.assertEqual(p.scheme, "")
 +
     def test_attributes_without_netloc(self):
         # This example is straight from RFC 3261.  It looks like it
         # should allow the username, hostname, and port to be filled
 diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
 index b7965fe..bd59852 100644
 --- a/Lib/urllib/parse.py
 +++ b/Lib/urllib/parse.py
@@ -470,7 +470,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
         clear_cache()
     netloc = query = fragment = ''
     i = url.find(':')
 -    if i > 0:
 +    if i > 0 and url[0].isascii() and url[0].isalpha():
         for c in url[:i]:
             if c not in scheme_chars:
                 break
 diff --git a/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
 new file mode 100644
 index 0000000..0a06e7c
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
@@ -0,0 +1,2 @@
 +Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
 +with a digit, a plus sign, or a minus sign to be parsed incorrectly.
 -- 
 2.33.0
--- a/fix-CVE-2023-24329.patch
+++ b/fix-CVE-2023-24329.patch
@ -0,0 +1,44 @@
 From 1bad5b2ebc2f3cb663ce425b9979b4ec4dce27b2 Mon Sep 17 00:00:00 2001
 From: shixuantong <shixuantong1@huawei.com>
 Date: Thu, 6 Apr 2023 03:30:44 +0000
 Subject: [PATCH] fix CVE-2023-24329
 ---
 Lib/test/test_urlparse.py | 7 +++++++
 Lib/urllib/parse.py       | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
 diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
 index f42ed9b..b310017 100644
 --- a/Lib/test/test_urlparse.py
 +++ b/Lib/test/test_urlparse.py
@@ -683,6 +683,13 @@ class UrlParseTestCase(unittest.TestCase):
                         else:
                             self.assertEqual(p.scheme, "")
 +    def test_attributes_bad_scheme_CVE_2023_24329(self):
 +        """Check handling of invalid schemes that starts with blank characters."""
 +        for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
 +            url = " https://www.example.net"
 +            p = parse(url)
 +            self.assertEqual(p.scheme, "https")
 +
     def test_attributes_without_netloc(self):
         # This example is straight from RFC 3261.  It looks like it
         # should allow the username, hostname, and port to be filled
 diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
 index bd59852..7eb3ad8 100644
 --- a/Lib/urllib/parse.py
 +++ b/Lib/urllib/parse.py
@@ -454,7 +454,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
     Note that % escapes are not expanded.
     """
 -
 +    url = url.lstrip()
     url, scheme, _coerce_result = _coerce_args(url, scheme)
     for b in _UNSAFE_URL_BYTES_TO_REMOVE:
 -- 
 2.33.0
--- a/python3.spec
+++ b/python3.spec
@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
 URL: https://www.python.org/
 Version: 3.9.9
-Release: 23
+Release: 24
 License: Python-2.0
 %global branchversion 3.9
@ -103,11 +103,13 @@ Patch6009: backport-bpo-42146-Unify-cleanup-in-subprocess_fork_exec-GH-2.patch
 Patch6010: backport-CVE-2022-42919.patch
 Patch6011: backport-CVE-2022-45061.patch
 Patch6012: backport-CVE-2022-37454.patch
 Patch6013: backport-Make-urllib.parse.urlparse-enforce-that-a-scheme-mus.patch
 Patch9000: add-the-sm3-method-for-obtaining-the-salt-value.patch
 Patch9001: python3-Add-sw64-architecture.patch
 Patch9002: Add-loongarch-support.patch
 Patch9003: avoid-usage-of-md5-in-multiprocessing.patch
 Patch9004: fix-CVE-2023-24329.patch
 Provides: python%{branchversion} = %{version}-%{release}
 Provides: python(abi) = %{branchversion}
@ -204,11 +206,13 @@ rm -r Modules/expat
 %patch6010 -p1
 %patch6011 -p1
 %patch6012 -p1
 %patch6013 -p1
 %patch9000 -p1
 %patch9001 -p1
 %patch9002 -p1
 %patch9003 -p1
 %patch9004 -p1
 rm Lib/ensurepip/_bundled/*.whl
 rm configure pyconfig.h.in
@ -832,6 +836,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 %{_mandir}/*/*
 %changelog
 * Thu Apr 06 2023 shixuantong <shixuantong1@huawei.com>- 3.9.9-24
 - Type:CVE
 - CVE:CVE-2023-24329
 - SUG:NA
 - DESC:fix CVE-2023-24329
 * Mon Mar 13 2023 Chenxi Mao <chenxi.mao@suse.com> - 3.9.9-23
 - Type:enhancement
 - CVE:NA