Change-Id: I57980b1478a2a2a6373a4ae3712eb98e3214ff4c
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6859
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,138 @@ |
0 |
+commit c0d95113b070799679bcb9dc49d4960d82e8bb08 |
|
1 |
+Author: Steve Dower <steve.dower@microsoft.com> |
|
2 |
+Date: Sun Mar 10 21:59:24 2019 -0700 |
|
3 |
+ |
|
4 |
+ bpo-36216: Add check for characters in netloc that normalize to separators (GH-12201) (#12223) |
|
5 |
+ |
|
6 |
+diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst |
|
7 |
+index 6f722a8..a4c6b67 100644 |
|
8 |
+--- a/Doc/library/urllib.parse.rst |
|
9 |
+@@ -120,6 +120,11 @@ or on combining URL components into a URL string. |
|
10 |
+ Unmatched square brackets in the :attr:`netloc` attribute will raise a |
|
11 |
+ :exc:`ValueError`. |
|
12 |
+ |
|
13 |
++ Characters in the :attr:`netloc` attribute that decompose under NFKC |
|
14 |
++ normalization (as used by the IDNA encoding) into any of ``/``, ``?``, |
|
15 |
++ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is |
|
16 |
++ decomposed before parsing, no error will be raised. |
|
17 |
++ |
|
18 |
+ .. versionchanged:: 3.2 |
|
19 |
+ Added IPv6 URL parsing capabilities. |
|
20 |
+ |
|
21 |
+@@ -128,6 +133,10 @@ or on combining URL components into a URL string. |
|
22 |
+ false), in accordance with :rfc:`3986`. Previously, a whitelist of |
|
23 |
+ schemes that support fragments existed. |
|
24 |
+ |
|
25 |
++ .. versionchanged:: 3.5.7 |
|
26 |
++ Characters that affect netloc parsing under NFKC normalization will |
|
27 |
++ now raise :exc:`ValueError`. |
|
28 |
++ |
|
29 |
+ |
|
30 |
+ .. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace') |
|
31 |
+ |
|
32 |
+@@ -236,6 +245,15 @@ or on combining URL components into a URL string. |
|
33 |
+ Unmatched square brackets in the :attr:`netloc` attribute will raise a |
|
34 |
+ :exc:`ValueError`. |
|
35 |
+ |
|
36 |
++ Characters in the :attr:`netloc` attribute that decompose under NFKC |
|
37 |
++ normalization (as used by the IDNA encoding) into any of ``/``, ``?``, |
|
38 |
++ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is |
|
39 |
++ decomposed before parsing, no error will be raised. |
|
40 |
++ |
|
41 |
++ .. versionchanged:: 3.5.7 |
|
42 |
++ Characters that affect netloc parsing under NFKC normalization will |
|
43 |
++ now raise :exc:`ValueError`. |
|
44 |
++ |
|
45 |
+ |
|
46 |
+ .. function:: urlunsplit(parts) |
|
47 |
+ |
|
48 |
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py |
|
49 |
+index e2cf1b7..d0420b0 100644 |
|
50 |
+--- a/Lib/test/test_urlparse.py |
|
51 |
+@@ -1,3 +1,5 @@ |
|
52 |
++import sys |
|
53 |
++import unicodedata |
|
54 |
+ import unittest |
|
55 |
+ import urllib.parse |
|
56 |
+ |
|
57 |
+@@ -970,6 +972,27 @@ class UrlParseTestCase(unittest.TestCase): |
|
58 |
+ expected.append(name) |
|
59 |
+ self.assertCountEqual(urllib.parse.__all__, expected) |
|
60 |
+ |
|
61 |
++ def test_urlsplit_normalization(self): |
|
62 |
++ # Certain characters should never occur in the netloc, |
|
63 |
++ # including under normalization. |
|
64 |
++ # Ensure that ALL of them are detected and cause an error |
|
65 |
++ illegal_chars = '/:#?@' |
|
66 |
++ hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars} |
|
67 |
++ denorm_chars = [ |
|
68 |
++ c for c in map(chr, range(128, sys.maxunicode)) |
|
69 |
++ if (hex_chars & set(unicodedata.decomposition(c).split())) |
|
70 |
++ and c not in illegal_chars |
|
71 |
++ ] |
|
72 |
++ # Sanity check that we found at least one such character |
|
73 |
++ self.assertIn('\u2100', denorm_chars) |
|
74 |
++ self.assertIn('\uFF03', denorm_chars) |
|
75 |
++ |
|
76 |
++ for scheme in ["http", "https", "ftp"]: |
|
77 |
++ for c in denorm_chars: |
|
78 |
++ url = "{}://netloc{}false.netloc/path".format(scheme, c) |
|
79 |
++ with self.subTest(url=url, char='{:04X}'.format(ord(c))): |
|
80 |
++ with self.assertRaises(ValueError): |
|
81 |
++ urllib.parse.urlsplit(url) |
|
82 |
+ |
|
83 |
+ class Utility_Tests(unittest.TestCase): |
|
84 |
+ """Testcase to test the various utility functions in the urllib.""" |
|
85 |
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py |
|
86 |
+index 62e8ddf..7ba2b44 100644 |
|
87 |
+--- a/Lib/urllib/parse.py |
|
88 |
+@@ -327,6 +327,21 @@ def _splitnetloc(url, start=0): |
|
89 |
+ delim = min(delim, wdelim) # use earliest delim position |
|
90 |
+ return url[start:delim], url[delim:] # return (domain, rest) |
|
91 |
+ |
|
92 |
++def _checknetloc(netloc): |
|
93 |
++ if not netloc or not any(ord(c) > 127 for c in netloc): |
|
94 |
++ return |
|
95 |
++ # looking for characters like \u2100 that expand to 'a/c' |
|
96 |
++ # IDNA uses NFKC equivalence, so normalize for this check |
|
97 |
++ import unicodedata |
|
98 |
++ netloc2 = unicodedata.normalize('NFKC', netloc) |
|
99 |
++ if netloc == netloc2: |
|
100 |
++ return |
|
101 |
++ _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay |
|
102 |
++ for c in '/?#@:': |
|
103 |
++ if c in netloc2: |
|
104 |
++ raise ValueError("netloc '" + netloc2 + "' contains invalid " + |
|
105 |
++ "characters under NFKC normalization") |
|
106 |
++ |
|
107 |
+ def urlsplit(url, scheme='', allow_fragments=True): |
|
108 |
+ """Parse a URL into 5 components: |
|
109 |
+ <scheme>://<netloc>/<path>?<query>#<fragment> |
|
110 |
+@@ -356,6 +371,7 @@ def urlsplit(url, scheme='', allow_fragments=True): |
|
111 |
+ url, fragment = url.split('#', 1) |
|
112 |
+ if '?' in url: |
|
113 |
+ url, query = url.split('?', 1) |
|
114 |
++ _checknetloc(netloc) |
|
115 |
+ v = SplitResult(scheme, netloc, url, query, fragment) |
|
116 |
+ _parse_cache[key] = v |
|
117 |
+ return _coerce_result(v) |
|
118 |
+@@ -379,6 +395,7 @@ def urlsplit(url, scheme='', allow_fragments=True): |
|
119 |
+ url, fragment = url.split('#', 1) |
|
120 |
+ if '?' in url: |
|
121 |
+ url, query = url.split('?', 1) |
|
122 |
++ _checknetloc(netloc) |
|
123 |
+ v = SplitResult(scheme, netloc, url, query, fragment) |
|
124 |
+ _parse_cache[key] = v |
|
125 |
+ return _coerce_result(v) |
|
126 |
+diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst |
|
127 |
+new file mode 100644 |
|
128 |
+index 0000000..5546394 |
|
129 |
+--- /dev/null |
|
130 |
+@@ -0,0 +1,3 @@ |
|
131 |
++Changes urlsplit() to raise ValueError when the URL contains characters that |
|
132 |
++decompose under IDNA encoding (NFKC-normalization) into characters that |
|
133 |
++affect how the URL is parsed. |
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
Summary: A high-level scripting language |
2 | 2 |
Name: python3 |
3 | 3 |
Version: 3.5.6 |
4 |
-Release: 3%{?dist} |
|
4 |
+Release: 4%{?dist} |
|
5 | 5 |
License: PSF |
6 | 6 |
URL: http://www.python.org/ |
7 | 7 |
Group: System Environment/Programming |
... | ... |
@@ -16,6 +16,7 @@ Patch4: python3-CVE-2017-18207.patch |
16 | 16 |
Patch5: python3-CVE-2018-1061.patch |
17 | 17 |
Patch6: python3-CVE-2018-14647.patch |
18 | 18 |
Patch7: python3-CVE-2018-20406.patch |
19 |
+Patch8: python3-CVE-2019-9636.patch |
|
19 | 20 |
BuildRequires: pkg-config >= 0.28 |
20 | 21 |
BuildRequires: bzip2-devel |
21 | 22 |
BuildRequires: ncurses-devel >= 6.0-3 |
... | ... |
@@ -99,6 +100,7 @@ to build python programs. |
99 | 99 |
%patch5 -p1 |
100 | 100 |
%patch6 -p1 |
101 | 101 |
%patch7 -p1 |
102 |
+%patch8 -p1 |
|
102 | 103 |
|
103 | 104 |
%build |
104 | 105 |
export OPT="${CFLAGS}" |
... | ... |
@@ -203,6 +205,8 @@ rm -rf %{buildroot}/* |
203 | 203 |
%{_bindir}/idle* |
204 | 204 |
|
205 | 205 |
%changelog |
206 |
+* Wed Mar 13 2019 Tapas Kundu <tkundu@vmware.com> 3.5.6-4 |
|
207 |
+- Fix for CVE-2019-9636 |
|
206 | 208 |
* Mon Feb 11 2019 Tapas Kundu <tkundu@vmware.com> 3.5.6-3 |
207 | 209 |
- Fix for CVE-2018-20406 |
208 | 210 |
* Mon Dec 31 2018 Tapas Kundu <tkundu@vmware.com> 3.5.6-2 |