Projects
Mega:23.03
python3
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
Expand all
Collapse all
Changes of Revision 3
View file
_service:tar_scm:python3.spec
Changed
@@ -3,7 +3,7 @@ URL: https://www.python.org/ Version: 3.10.9 -Release: 2 +Release: 3 License: Python-2.0 %global branchversion 3.10 @@ -87,8 +87,10 @@ Patch1: 00001-rpath.patch Patch251: 00251-change-user-install-location.patch +Patch6000: backport-Make-urllib.parse.urlparse-enforce-that-a-scheme-mus.patch Patch9000: add-the-sm3-method-for-obtaining-the-salt-value.patch +Patch9001: fix-CVE-2023-24329.patch Provides: python%{branchversion} = %{version}-%{release} Provides: python(abi) = %{branchversion} @@ -182,8 +184,10 @@ %patch1 -p1 %patch251 -p1 +%patch6000 -p1 %patch9000 -p1 +%patch9001 -p1 %build autoconf @@ -800,6 +804,12 @@ %{_mandir}/*/* %changelog +* Thu Apr 06 2023 shixuantong <shixuantong1@huawei.com> - 3.10.9-3 +- Type:CVE +- CVE:CVE-2023-24329 +- SUG:NA +- DESC:fix CVE-2023-24329 + * Mon Mar 13 2023 Chenxi Mao <chenxi.mao@suse.com> - 3.10.9-2 - Type:enhancement - CVE:NA
View file
_service:tar_scm:backport-Make-urllib.parse.urlparse-enforce-that-a-scheme-mus.patch
Added
@@ -0,0 +1,73 @@ +From 439b9cfaf43080e91c4ad69f312f21fa098befc7 Mon Sep 17 00:00:00 2001 +From: Ben Kallus <49924171+kenballus@users.noreply.github.com> +Date: Sun, 13 Nov 2022 18:25:55 +0000 +Subject: PATCH gh-99418: Make urllib.parse.urlparse enforce that a scheme + must begin with an alphabetical ASCII character. (#99421) + +Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character. + +RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )` +RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A` + +The WHATWG URL spec defines a scheme like this: +`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."` +--- + Lib/test/test_urlparse.py | 18 ++++++++++++++++++ + Lib/urllib/parse.py | 2 +- + ...22-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 ++ + 3 files changed, 21 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst + +diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py +index 31943f3..f42ed9b 100644 +--- a/Lib/test/test_urlparse.py ++++ b/Lib/test/test_urlparse.py +@@ -665,6 +665,24 @@ class UrlParseTestCase(unittest.TestCase): + with self.assertRaises(ValueError): + p.port + ++ def test_attributes_bad_scheme(self): ++ """Check handling of invalid schemes.""" ++ for bytes in (False, True): ++ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse): ++ for scheme in (".", "+", "-", "0", "http&", "६http"): ++ with self.subTest(bytes=bytes, parse=parse, scheme=scheme): ++ url = scheme + "://www.example.net" ++ if bytes: ++ if url.isascii(): ++ url = url.encode("ascii") ++ else: ++ continue ++ p = parse(url) ++ if bytes: ++ self.assertEqual(p.scheme, b"") ++ else: ++ self.assertEqual(p.scheme, "") ++ + def test_attributes_without_netloc(self): + # This example is straight from RFC 3261. It looks like it + # should allow the username, hostname, and port to be filled +diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py +index b7965fe..bd59852 100644 +--- a/Lib/urllib/parse.py ++++ b/Lib/urllib/parse.py +@@ -470,7 +470,7 @@ def urlsplit(url, scheme='', allow_fragments=True): + clear_cache() + netloc = query = fragment = '' + i = url.find(':') +- if i > 0: ++ if i > 0 and url0.isascii() and url0.isalpha(): + for c in url:i: + if c not in scheme_chars: + break +diff --git a/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst +new file mode 100644 +index 0000000..0a06e7c +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst +@@ -0,0 +1,2 @@ ++Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin ++with a digit, a plus sign, or a minus sign to be parsed incorrectly. +-- +2.33.0 +
View file
_service:tar_scm:fix-CVE-2023-24329.patch
Added
@@ -0,0 +1,44 @@ +From 1bad5b2ebc2f3cb663ce425b9979b4ec4dce27b2 Mon Sep 17 00:00:00 2001 +From: shixuantong <shixuantong1@huawei.com> +Date: Thu, 6 Apr 2023 03:30:44 +0000 +Subject: PATCH fix CVE-2023-24329 + +--- + Lib/test/test_urlparse.py | 7 +++++++ + Lib/urllib/parse.py | 2 +- + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py +index f42ed9b..b310017 100644 +--- a/Lib/test/test_urlparse.py ++++ b/Lib/test/test_urlparse.py +@@ -683,6 +683,13 @@ class UrlParseTestCase(unittest.TestCase): + else: + self.assertEqual(p.scheme, "") + ++ def test_attributes_bad_scheme_CVE_2023_24329(self): ++ """Check handling of invalid schemes that starts with blank characters.""" ++ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse): ++ url = " https://www.example.net" ++ p = parse(url) ++ self.assertEqual(p.scheme, "https") ++ + def test_attributes_without_netloc(self): + # This example is straight from RFC 3261. It looks like it + # should allow the username, hostname, and port to be filled +diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py +index bd59852..7eb3ad8 100644 +--- a/Lib/urllib/parse.py ++++ b/Lib/urllib/parse.py +@@ -454,7 +454,7 @@ def urlsplit(url, scheme='', allow_fragments=True): + + Note that % escapes are not expanded. + """ +- ++ url = url.lstrip() + url, scheme, _coerce_result = _coerce_args(url, scheme) + + for b in _UNSAFE_URL_BYTES_TO_REMOVE: +-- +2.33.0 +
View file
_constraints
Added
@@ -0,0 +1,3 @@ +<constraints> + <sandbox>qemu</sandbox> +</constraints>
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2