Fix handling of pre-normalization characters in urlsplit
This commit is contained in:
parent
0bee54773d
commit
1b92cc7981
|
@ -0,0 +1,42 @@
|
|||
diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
|
||||
index 0faf2bb..d0365ec 100644
|
||||
--- a/Lib/test/test_urlparse.py
|
||||
+++ b/Lib/test/test_urlparse.py
|
||||
@@ -1011,6 +1011,12 @@ class UrlParseTestCase(unittest.TestCase):
|
||||
self.assertIn('\u2100', denorm_chars)
|
||||
self.assertIn('\uFF03', denorm_chars)
|
||||
|
||||
+ # bpo-36742: Verify port separators are ignored when they
|
||||
+ # existed prior to decomposition
|
||||
+ urllib.parse.urlsplit('http://\u30d5\u309a:80')
|
||||
+ with self.assertRaises(ValueError):
|
||||
+ urllib.parse.urlsplit('http://\u30d5\u309a\ufe1380')
|
||||
+
|
||||
for scheme in ["http", "https", "ftp"]:
|
||||
for c in denorm_chars:
|
||||
url = "{}://netloc{}false.netloc/path".format(scheme, c)
|
||||
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
|
||||
index 8b6c9b1..e2f7b69 100644
|
||||
--- a/Lib/urllib/parse.py
|
||||
+++ b/Lib/urllib/parse.py
|
||||
@@ -402,13 +402,16 @@ def _checknetloc(netloc):
|
||||
# looking for characters like \u2100 that expand to 'a/c'
|
||||
# IDNA uses NFKC equivalence, so normalize for this check
|
||||
import unicodedata
|
||||
- netloc2 = unicodedata.normalize('NFKC', netloc)
|
||||
- if netloc == netloc2:
|
||||
+ n = netloc.rpartition('@')[2] # ignore anything to the left of '@'
|
||||
+ n = n.replace(':', '') # ignore characters already included
|
||||
+ n = n.replace('#', '') # but not the surrounding text
|
||||
+ n = n.replace('?', '')
|
||||
+ netloc2 = unicodedata.normalize('NFKC', n)
|
||||
+ if n == netloc2:
|
||||
return
|
||||
- _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
|
||||
for c in '/?#@:':
|
||||
if c in netloc2:
|
||||
- raise ValueError("netloc '" + netloc2 + "' contains invalid " +
|
||||
+ raise ValueError("netloc '" + netloc + "' contains invalid " +
|
||||
"characters under NFKC normalization")
|
||||
|
||||
def urlsplit(url, scheme='', allow_fragments=True):
|
12
python3.spec
12
python3.spec
|
@ -17,7 +17,7 @@ URL: https://www.python.org/
|
|||
#global prerel ...
|
||||
%global upstream_version %{general_version}%{?prerel}
|
||||
Version: %{general_version}%{?prerel:~%{prerel}}
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: Python
|
||||
|
||||
|
||||
|
@ -282,6 +282,12 @@ Patch274: 00274-fix-arch-names.patch
|
|||
# So we mark the command as unsupported - and the tests are skipped
|
||||
Patch316: 00316-mark-bdist_wininst-unsupported.patch
|
||||
|
||||
# 00320 #
|
||||
# Fix handling of pre-normalization characters in urlsplit()
|
||||
# This fixes a regression introduced by the fix for CVE-2019-9636
|
||||
# Fixed upstream: https://bugs.python.org/issue36742
|
||||
Patch320: 00320-fix-pre-normalization-chars-in-urlsplit.patch
|
||||
|
||||
# (New patches go here ^^^)
|
||||
#
|
||||
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
||||
|
@ -575,6 +581,7 @@ rm Lib/ensurepip/_bundled/*.whl
|
|||
%patch251 -p1
|
||||
%patch274 -p1
|
||||
%patch316 -p1
|
||||
%patch320 -p1
|
||||
|
||||
|
||||
# Remove files that should be generated by the build
|
||||
|
@ -1494,6 +1501,9 @@ CheckPython optimized
|
|||
# ======================================================
|
||||
|
||||
%changelog
|
||||
* Tue May 07 2019 Charalampos Stratakis <cstratak@redhat.com> - 3.7.3-3
|
||||
- Fix handling of pre-normalization characters in urlsplit
|
||||
|
||||
* Wed Apr 17 2019 Patrik Kopkan <pkopkan@redhat.com> - 3.7.3-2
|
||||
- Makes man python3.7m show python3.7 man pages (#1612241)
|
||||
|
||||
|
|
Loading…
Reference in New Issue