Startseite Erkunden Hilfe
Anmelden
crispAudio
/
poky
Mirror von git://git.yoctoproject.org/poky
5
0
Fork 0
Dateien Issues 0 Wiki
Struktur: 26ab554fd5
Branches Tags
poky
/
meta
/
recipes-devtools
/
python
/
python3
/
CVE-2019-9636.patch

CVE-2019-9636.patch 6.4 KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154 
  1. From b0305339567b64e07df87620e97e4cb99332aef6 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Steve Dower <steve.dower@microsoft.com>
    3. 

  3. Date: Sun, 10 Mar 2019 21:59:24 -0700
    4. 

  4. Subject: [PATCH] bpo-36216: Add check for characters in netloc that normalize
    5. 

  5.  to separators (GH-12201) (#12223)
    6. 

  6. 

  7. CVE: CVE-2019-9636
    8. 

  8. Upstream-Status: Backport
    9. 

  9. [https://github.com/python/cpython/commit/c0d95113b070799679bcb9dc49d4960d82e8bb08]
    10. 

  10. 

  11. Signed-off-by: Dan Tran <dantran@microsoft.com>
    12. 

  12. ---
    13. 

  13.  Doc/library/urllib.parse.rst                  | 18 +++++++++++++++
    14. 

  14.  Lib/test/test_urlparse.py                     | 23 +++++++++++++++++++
    15. 

  15.  Lib/urllib/parse.py                           | 17 ++++++++++++++
    16. 

  16.  .../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst  |  3 +++
    17. 

  17.  4 files changed, 61 insertions(+)
    18. 

  18.  create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
    19. 

  19. 

  20. diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst
    21. 

  21. index 6f722a8897..a4c6b6726e 100644
    22. 

  22. --- a/Doc/library/urllib.parse.rst
    23. 

  23. +++ b/Doc/library/urllib.parse.rst
    24. 

  24. @@ -120,6 +120,11 @@ or on combining URL components into a URL string.
    25. 

  25.     Unmatched square brackets in the :attr:`netloc` attribute will raise a
    26. 

  26.     :exc:`ValueError`.
    27. 

  27.  
    28. 

  28. +   Characters in the :attr:`netloc` attribute that decompose under NFKC
    29. 

  29. +   normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
    30. 

  30. +   ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
    31. 

  31. +   decomposed before parsing, no error will be raised.
    32. 

  32. +
    33. 

  33.     .. versionchanged:: 3.2
    34. 

  34.        Added IPv6 URL parsing capabilities.
    35. 

  35.  
    36. 

  36. @@ -128,6 +133,10 @@ or on combining URL components into a URL string.
    37. 

  37.        false), in accordance with :rfc:`3986`.  Previously, a whitelist of
    38. 

  38.        schemes that support fragments existed.
    39. 

  39.  
    40. 

  40. +   .. versionchanged:: 3.5.7
    41. 

  41. +      Characters that affect netloc parsing under NFKC normalization will
    42. 

  42. +      now raise :exc:`ValueError`.
    43. 

  43. +
    44. 

  44.  
    45. 

  45.  .. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace')
    46. 

  46.  
    47. 

  47. @@ -236,6 +245,15 @@ or on combining URL components into a URL string.
    48. 

  48.     Unmatched square brackets in the :attr:`netloc` attribute will raise a
    49. 

  49.     :exc:`ValueError`.
    50. 

  50.  
    51. 

  51. +   Characters in the :attr:`netloc` attribute that decompose under NFKC
    52. 

  52. +   normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
    53. 

  53. +   ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
    54. 

  54. +   decomposed before parsing, no error will be raised.
    55. 

  55. +
    56. 

  56. +   .. versionchanged:: 3.5.7
    57. 

  57. +      Characters that affect netloc parsing under NFKC normalization will
    58. 

  58. +      now raise :exc:`ValueError`.
    59. 

  59. +
    60. 

  60.  
    61. 

  61.  .. function:: urlunsplit(parts)
    62. 

  62.  
    63. 

  63. diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
    64. 

  64. index e2cf1b7e0f..d0420b0e74 100644
    65. 

  65. --- a/Lib/test/test_urlparse.py
    66. 

  66. +++ b/Lib/test/test_urlparse.py
    67. 

  67. @@ -1,3 +1,5 @@
    68. 

  68. +import sys
    69. 

  69. +import unicodedata
    70. 

  70.  import unittest
    71. 

  71.  import urllib.parse
    72. 

  72.  
    73. 

  73. @@ -970,6 +972,27 @@ class UrlParseTestCase(unittest.TestCase):
    74. 

  74.                  expected.append(name)
    75. 

  75.          self.assertCountEqual(urllib.parse.__all__, expected)
    76. 

  76.  
    77. 

  77. +    def test_urlsplit_normalization(self):
    78. 

  78. +        # Certain characters should never occur in the netloc,
    79. 

  79. +        # including under normalization.
    80. 

  80. +        # Ensure that ALL of them are detected and cause an error
    81. 

  81. +        illegal_chars = '/:#?@'
    82. 

  82. +        hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars}
    83. 

  83. +        denorm_chars = [
    84. 

  84. +            c for c in map(chr, range(128, sys.maxunicode))
    85. 

  85. +            if (hex_chars & set(unicodedata.decomposition(c).split()))
    86. 

  86. +            and c not in illegal_chars
    87. 

  87. +        ]
    88. 

  88. +        # Sanity check that we found at least one such character
    89. 

  89. +        self.assertIn('\u2100', denorm_chars)
    90. 

  90. +        self.assertIn('\uFF03', denorm_chars)
    91. 

  91. +
    92. 

  92. +        for scheme in ["http", "https", "ftp"]:
    93. 

  93. +            for c in denorm_chars:
    94. 

  94. +                url = "{}://netloc{}false.netloc/path".format(scheme, c)
    95. 

  95. +                with self.subTest(url=url, char='{:04X}'.format(ord(c))):
    96. 

  96. +                    with self.assertRaises(ValueError):
    97. 

  97. +                        urllib.parse.urlsplit(url)
    98. 

  98.  
    99. 

  99.  class Utility_Tests(unittest.TestCase):
    100. 

  100.      """Testcase to test the various utility functions in the urllib."""
    101. 

  101. diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
    102. 

  102. index 62e8ddf04b..7ba2b445f5 100644
    103. 

  103. --- a/Lib/urllib/parse.py
    104. 

  104. +++ b/Lib/urllib/parse.py
    105. 

  105. @@ -327,6 +327,21 @@ def _splitnetloc(url, start=0):
    106. 

  106.              delim = min(delim, wdelim)     # use earliest delim position
    107. 

  107.      return url[start:delim], url[delim:]   # return (domain, rest)
    108. 

  108.  
    109. 

  109. +def _checknetloc(netloc):
    110. 

  110. +    if not netloc or not any(ord(c) > 127 for c in netloc):
    111. 

  111. +        return
    112. 

  112. +    # looking for characters like \u2100 that expand to 'a/c'
    113. 

  113. +    # IDNA uses NFKC equivalence, so normalize for this check
    114. 

  114. +    import unicodedata
    115. 

  115. +    netloc2 = unicodedata.normalize('NFKC', netloc)
    116. 

  116. +    if netloc == netloc2:
    117. 

  117. +        return
    118. 

  118. +    _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
    119. 

  119. +    for c in '/?#@:':
    120. 

  120. +        if c in netloc2:
    121. 

  121. +            raise ValueError("netloc '" + netloc2 + "' contains invalid " +
    122. 

  122. +                             "characters under NFKC normalization")
    123. 

  123. +
    124. 

  124.  def urlsplit(url, scheme='', allow_fragments=True):
    125. 

  125.      """Parse a URL into 5 components:
    126. 

  126.      <scheme>://<netloc>/<path>?<query>#<fragment>
    127. 

  127. @@ -356,6 +371,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
    128. 

  128.                  url, fragment = url.split('#', 1)
    129. 

  129.              if '?' in url:
    130. 

  130.                  url, query = url.split('?', 1)
    131. 

  131. +            _checknetloc(netloc)
    132. 

  132.              v = SplitResult(scheme, netloc, url, query, fragment)
    133. 

  133.              _parse_cache[key] = v
    134. 

  134.              return _coerce_result(v)
    135. 

  135. @@ -379,6 +395,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
    136. 

  136.          url, fragment = url.split('#', 1)
    137. 

  137.      if '?' in url:
    138. 

  138.          url, query = url.split('?', 1)
    139. 

  139. +    _checknetloc(netloc)
    140. 

  140.      v = SplitResult(scheme, netloc, url, query, fragment)
    141. 

  141.      _parse_cache[key] = v
    142. 

  142.      return _coerce_result(v)
    143. 

  143. diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
    144. 

  144. new file mode 100644
    145. 

  145. index 0000000000..5546394157
    146. 

  146. --- /dev/null
    147. 

  147. +++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
    148. 

  148. @@ -0,0 +1,3 @@
    149. 

  149. +Changes urlsplit() to raise ValueError when the URL contains characters that
    150. 

  150. +decompose under IDNA encoding (NFKC-normalization) into characters that
    151. 

  151. +affect how the URL is parsed.
    152. 

  152. -- 
    153. 

  153. 2.22.0.vfs.1.1.57.gbaf16c8
    154. 

  154.