Fix handling of pre-normalization characters in urlsplit

2019-05-07 12:49:35 +02:00 · 2019-05-07 12:49:35 +02:00 · 1b92cc7981
parent 0bee54773d
commit 1b92cc7981
2 changed files with 53 additions and 1 deletions
--- a/00320-fix-pre-normalization-chars-in-urlsplit.patch
+++ b/00320-fix-pre-normalization-chars-in-urlsplit.patch
@ -0,0 +1,42 @@
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 0faf2bb..d0365ec 100644
+--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
+@@ -1011,6 +1011,12 @@ class UrlParseTestCase(unittest.TestCase):
+         self.assertIn('\u2100', denorm_chars)
+         self.assertIn('\uFF03', denorm_chars)
+ 
+        # bpo-36742: Verify port separators are ignored when they
+        # existed prior to decomposition
+        urllib.parse.urlsplit('http://\u30d5\u309a:80')
+        with self.assertRaises(ValueError):
+            urllib.parse.urlsplit('http://\u30d5\u309a\ufe1380')
+
+         for scheme in ["http", "https", "ftp"]:
+             for c in denorm_chars:
+                 url = "{}://netloc{}false.netloc/path".format(scheme, c)
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index 8b6c9b1..e2f7b69 100644
+--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
+@@ -402,13 +402,16 @@ def _checknetloc(netloc):
+     # looking for characters like \u2100 that expand to 'a/c'
+     # IDNA uses NFKC equivalence, so normalize for this check
+     import unicodedata
+-    netloc2 = unicodedata.normalize('NFKC', netloc)
+-    if netloc == netloc2:
+    n = netloc.rpartition('@')[2] # ignore anything to the left of '@'
+    n = n.replace(':', '')        # ignore characters already included
+    n = n.replace('#', '')        # but not the surrounding text
+    n = n.replace('?', '')
+    netloc2 = unicodedata.normalize('NFKC', n)
+    if n == netloc2:
+         return
+-    _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
+     for c in '/?#@:':
+         if c in netloc2:
+-            raise ValueError("netloc '" + netloc2 + "' contains invalid " +
+            raise ValueError("netloc '" + netloc + "' contains invalid " +
+                              "characters under NFKC normalization")
+ 
+ def urlsplit(url, scheme='', allow_fragments=True):
--- a/python3.spec
+++ b/python3.spec
@ -17,7 +17,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: Python


@ -282,6 +282,12 @@ Patch274: 00274-fix-arch-names.patch
 # So we mark the command as unsupported - and the tests are skipped
 Patch316: 00316-mark-bdist_wininst-unsupported.patch

+# 00320 #
+# Fix handling of pre-normalization characters in urlsplit()
+# This fixes a regression introduced by the fix for CVE-2019-9636
+# Fixed upstream: https://bugs.python.org/issue36742
+Patch320: 00320-fix-pre-normalization-chars-in-urlsplit.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -575,6 +581,7 @@ rm Lib/ensurepip/_bundled/*.whl
 %patch251 -p1
 %patch274 -p1
 %patch316 -p1
+%patch320 -p1


 # Remove files that should be generated by the build
@ -1494,6 +1501,9 @@ CheckPython optimized
 # ======================================================

 %changelog
+* Tue May 07 2019 Charalampos Stratakis <cstratak@redhat.com> - 3.7.3-3
+- Fix handling of pre-normalization characters in urlsplit
+
 * Wed Apr 17 2019 Patrik Kopkan <pkopkan@redhat.com> - 3.7.3-2
 - Makes man python3.7m show python3.7 man pages (#1612241)