File _service:tar_scm:CVE-2022-36033.patch of Package jsoup

From 4ea768d96b3d232e63edef9594766d44597b3882 Mon Sep 17 00:00:00 2001
From: Jonathan Hedley <jonathan@hedley.net>
Date: Sun, 21 Aug 2022 14:04:56 +1000
Subject: [PATCH] Strip control characters from URLs when resolving absolute
 URLs

---
 .../java/org/jsoup/internal/StringUtil.java    | 10 +++++++++-
 .../org/jsoup/internal/StringUtilTest.java     |  9 +++++++++
 .../java/org/jsoup/safety/CleanerTest.java     | 18 ++++++++++++++++++
 3 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/jsoup/internal/StringUtil.java b/src/main/java/org/jsoup/internal/StringUtil.java
index 0835225..608e96d 100644
--- a/src/main/java/org/jsoup/internal/StringUtil.java
+++ b/src/main/java/org/jsoup/internal/StringUtil.java
@@ -269,6 +269,7 @@ public final class StringUtil {
      * @throws MalformedURLException if an error occurred generating the URL
      */
     public static URL resolve(URL base, String relUrl) throws MalformedURLException {
+        relUrl = stripControlChars(relUrl);
         // workaround: java resolves '//path/file + ?foo' to '//path/?foo', not '//path/file?foo' as desired
         if (relUrl.startsWith("?"))
             relUrl = base.getPath() + relUrl;
@@ -287,7 +288,9 @@ public final class StringUtil {
      * @param relUrl the relative URL to resolve. (If it's already absolute, it will be returned)
      * @return an absolute URL if one was able to be generated, or the empty string if not
      */
-    public static String resolve(final String baseUrl, final String relUrl) {
+    public static String resolve(String baseUrl, String relUrl) {
+        // workaround: java will allow control chars in a path URL and may treat as relative, but Chrome / Firefox will strip and may see as a scheme. Normalize to browser's view.
+        baseUrl = stripControlChars(baseUrl); relUrl = stripControlChars(relUrl);
         try {
             URL base;
             try {
@@ -306,6 +309,11 @@ public final class StringUtil {
     }
     private static final Pattern validUriScheme = Pattern.compile("^[a-zA-Z][a-zA-Z0-9+-.]*:");
 
+    private static final Pattern controlChars = Pattern.compile("[\\x00-\\x1f]*"); // matches ascii 0 - 31, to strip from url
+    private static String stripControlChars(final String input) {
+        return controlChars.matcher(input).replaceAll("");
+    }
+
     private static final ThreadLocal<Stack<StringBuilder>> threadLocalBuilders = new ThreadLocal<Stack<StringBuilder>>() {
         @Override
         protected Stack<StringBuilder> initialValue() {
diff --git a/src/test/java/org/jsoup/internal/StringUtilTest.java b/src/test/java/org/jsoup/internal/StringUtilTest.java
index 1956084..9ffcec9 100644
--- a/src/test/java/org/jsoup/internal/StringUtilTest.java
+++ b/src/test/java/org/jsoup/internal/StringUtilTest.java
@@ -120,6 +120,15 @@ public class StringUtilTest {
         assertEquals("http://example.com/b/c/g#s/../x", resolve("http://example.com/b/c/d;p?q", "g#s/../x"));
     }
 
+    @Test void stripsControlCharsFromUrls() {
+        // should resovle to an absolute url:
+        assertEquals("foo:bar", resolve("\nhttps://\texample.com/", "\r\nfo\to:ba\br"));
+    }
+
+    @Test void allowsSpaceInUrl() {
+        assertEquals("https://example.com/foo bar/", resolve("HTTPS://example.com/example/", "../foo bar/"));
+    }
+
     @Test
     void isAscii() {
         assertTrue(StringUtil.isAscii(""));
diff --git a/src/test/java/org/jsoup/safety/CleanerTest.java b/src/test/java/org/jsoup/safety/CleanerTest.java
index 3338054..0e62f17 100644
--- a/src/test/java/org/jsoup/safety/CleanerTest.java
+++ b/src/test/java/org/jsoup/safety/CleanerTest.java
@@ -309,6 +309,24 @@ public class CleanerTest {
         assertEquals("<a rel=\"nofollow\">Clean</a>", clean);
     }
 
+    @Test void dropsConcealedJavascriptProtocolWhenRelativesLinksEnabled() {
+        Safelist safelist = Safelist.basic().preserveRelativeLinks(true);
+        String html = "<a href=\"&#0013;ja&Tab;va&Tab;script&#0010;:alert(1)\">Link</a>";
+        String clean = Jsoup.clean(html, "https://", safelist);
+        assertEquals("<a rel=\"nofollow\">Link</a>", clean);
+
+        String colon = "<a href=\"ja&Tab;va&Tab;script&colon;alert(1)\">Link</a>";
+        String cleanColon = Jsoup.clean(colon, "https://", safelist);
+        assertEquals("<a rel=\"nofollow\">Link</a>", cleanColon);
+    }
+
+    @Test void dropsConcealedJavascriptProtocolWhenRelativesLinksDisabled() {
+        Safelist safelist = Safelist.basic().preserveRelativeLinks(false);
+        String html = "<a href=\"ja&Tab;vas&#0013;cript:alert(1)\">Link</a>";
+        String clean = Jsoup.clean(html, "https://", safelist);
+        assertEquals("<a rel=\"nofollow\">Link</a>", clean);
+    }
+
     @Test public void handlesNoHrefAttribute() {
         String dirty = "<a>One</a> <a href>Two</a>";
         Safelist relaxedWithAnchor = Safelist.relaxed().addProtocols("a", "href", "#");
-- 
2.33.0