Message ID | 20230711035329.8882-1-vkumbhar@mvista.com |
---|---|
State | New |
Series | python3: fix CVE-2023-24329 urllib.parse url blocklisting bypass | expand |
What branch is this for? It doesn’t apply to master, I’m guessing kirkstone? Is the same fix needed for other branches? Ross > On 11 Jul 2023, at 04:53, vkumbhar via lists.openembedded.org <vkumbhar=mvista.com@lists.openembedded.org> wrote: > > Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> > --- > .../python/python3/CVE-2023-24329.patch | 81 +++++++++++++++++++ > .../recipes-devtools/python/python3_3.8.14.bb | 1 + > 2 files changed, 82 insertions(+) > create mode 100644 meta/recipes-devtools/python/python3/CVE-2023-24329.patch > > diff --git a/meta/recipes-devtools/python/python3/CVE-2023-24329.patch b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch > new file mode 100644 > index 0000000000..a0902e7be2 > --- /dev/null > +++ b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch 
> @@ -0,0 +1,81 @@ > +From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001 > +From: "Miss Islington (bot)" > + <31488909+miss-islington@users.noreply.github.com> > +Date: Sun, 13 Nov 2022 11:00:25 -0800 > +Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme > + must begin with an alphabetical ASCII character. (GH-99421) > + > +Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character. > + > +RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )` > +RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A` > + > +The WHATWG URL spec defines a scheme like this: > +`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."` > +(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7) > + > +Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com> > + > +Upstream-Status: Backport [https://github.com/python/cpython/commit/72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9] > +CVE: CVE-2023-24329 > +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> > +--- > + Lib/test/test_urlparse.py | 18 ++++++++++++++++++ > + Lib/urllib/parse.py | 2 +- > + ...22-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 ++ > + 3 files changed, 21 insertions(+), 1 deletion(-) > + create mode 100644 Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst > + > +diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py > +index 0f99130..03b5da1 100644 > +--- a/Lib/test/test_urlparse.py > ++++ b/Lib/test/test_urlparse.py > +@@ -676,6 +676,24 @@ class UrlParseTestCase(unittest.TestCase): > + with self.assertRaises(ValueError): > + p.port > + > ++ def test_attributes_bad_scheme(self): > ++ """Check handling of invalid schemes.""" > ++ for bytes in (False, True): > ++ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse): > ++ for scheme in (".", "+", 
"-", "0", "http&", "६http"): > ++ with self.subTest(bytes=bytes, parse=parse, scheme=scheme): > ++ url = scheme + "://www.example.net" > ++ if bytes: > ++ if url.isascii(): > ++ url = url.encode("ascii") > ++ else: > ++ continue > ++ p = parse(url) > ++ if bytes: > ++ self.assertEqual(p.scheme, b"") > ++ else: > ++ self.assertEqual(p.scheme, "") > ++ > + def test_attributes_without_netloc(self): > + # This example is straight from RFC 3261. It looks like it > + # should allow the username, hostname, and port to be filled > +diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py > +index f0d9d4d..0e388cb 100644 > +--- a/Lib/urllib/parse.py > ++++ b/Lib/urllib/parse.py > +@@ -440,7 +440,7 @@ def urlsplit(url, scheme='', allow_fragments=True): > + clear_cache() > + netloc = query = fragment = '' > + i = url.find(':') > +- if i > 0: > ++ if i > 0 and url[0].isascii() and url[0].isalpha(): > + if url[:i] == 'http': # optimize the common case > + url = url[i+1:] > + if url[:2] == '//': > +diff --git a/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst > +new file mode 100644 > +index 0000000..0a06e7c > +--- /dev/null > ++++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst > +@@ -0,0 +1,2 @@ > ++Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin > ++with a digit, a plus sign, or a minus sign to be parsed incorrectly. > +-- > +2.25.1 > + > diff --git a/meta/recipes-devtools/python/python3_3.8.14.bb b/meta/recipes-devtools/python/python3_3.8.14.bb > index 960e41aced..88ed8f4077 100644 > --- a/meta/recipes-devtools/python/python3_3.8.14.bb > +++ b/meta/recipes-devtools/python/python3_3.8.14.bb 
> @@ -36,6 +36,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ > file://makerace.patch \ > file://CVE-2022-45061.patch \ > file://CVE-2022-37454.patch \ > + file://CVE-2023-24329.patch \ > " > > SRC_URI_append_class-native = " \ > -- > 2.25.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#184114): https://lists.openembedded.org/g/openembedded-core/message/184114 > Mute This Topic: https://lists.openembedded.org/mt/100072511/6875888 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ross.burton@arm.com] > -=-=-=-=-=-=-=-=-=-=-=- >
This is for dunfell-nut branch. Kind regards, Vivek On Tue, Jul 11, 2023 at 4:14 PM Ross Burton <ross.burton@arm.com> wrote: > What branch is this for? It doesn’t apply to master, I’m guessing > kirkstone? Is the same fix needed for other branches? > > Ross > > > On 11 Jul 2023, at 04:53, vkumbhar via lists.openembedded.org <vkumbhar= > mvista.com@lists.openembedded.org> wrote: > > > > Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> > > --- > > .../python/python3/CVE-2023-24329.patch | 81 +++++++++++++++++++ > > .../recipes-devtools/python/python3_3.8.14.bb | 1 + > > 2 files changed, 82 insertions(+) > > create mode 100644 > meta/recipes-devtools/python/python3/CVE-2023-24329.patch > > > > diff --git a/meta/recipes-devtools/python/python3/CVE-2023-24329.patch > b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch > > new file mode 100644 > > index 0000000000..a0902e7be2 > > --- /dev/null > > +++ b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch 
> > @@ -0,0 +1,81 @@ > > +From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001 > > +From: "Miss Islington (bot)" > > + <31488909+miss-islington@users.noreply.github.com> > > +Date: Sun, 13 Nov 2022 11:00:25 -0800 > > +Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a > scheme > > + must begin with an alphabetical ASCII character. (GH-99421) > > + > > +Prevent urllib.parse.urlparse from accepting schemes that don't begin > with an alphabetical ASCII character. > > + > > +RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / > "+" / "-" / "." )` > > +RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A` > > + > > +The WHATWG URL spec defines a scheme like this: > > +`"A URL-scheme string must be one ASCII alpha, followed by zero or more > of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."` > > +(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7) > > + > > +Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com > > > > + > > +Upstream-Status: Backport [ > https://github.com/python/cpython/commit/72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 > ] > > +CVE: CVE-2023-24329 > > +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> > > +--- > > + Lib/test/test_urlparse.py | 18 ++++++++++++++++++ > > + Lib/urllib/parse.py | 2 +- > > + ...22-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 ++ > > + 3 files changed, 21 insertions(+), 1 deletion(-) > > + create mode 100644 > Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst > > + > > +diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py > > +index 0f99130..03b5da1 100644 > > +--- a/Lib/test/test_urlparse.py > > ++++ b/Lib/test/test_urlparse.py > > +@@ -676,6 +676,24 @@ class UrlParseTestCase(unittest.TestCase): > > + with self.assertRaises(ValueError): > > + p.port > > + > > ++ def test_attributes_bad_scheme(self): > > ++ """Check handling of invalid schemes.""" > > ++ for bytes in (False, 
True): > > ++ for parse in (urllib.parse.urlsplit, > urllib.parse.urlparse): > > ++ for scheme in (".", "+", "-", "0", "http&", "६http"): > > ++ with self.subTest(bytes=bytes, parse=parse, > scheme=scheme): > > ++ url = scheme + "://www.example.net" > > ++ if bytes: > > ++ if url.isascii(): > > ++ url = url.encode("ascii") > > ++ else: > > ++ continue > > ++ p = parse(url) > > ++ if bytes: > > ++ self.assertEqual(p.scheme, b"") > > ++ else: > > ++ self.assertEqual(p.scheme, "") > > ++ > > + def test_attributes_without_netloc(self): > > + # This example is straight from RFC 3261. It looks like it > > + # should allow the username, hostname, and port to be filled > > +diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py > > +index f0d9d4d..0e388cb 100644 > > +--- a/Lib/urllib/parse.py > > ++++ b/Lib/urllib/parse.py > > +@@ -440,7 +440,7 @@ def urlsplit(url, scheme='', allow_fragments=True): > > + clear_cache() > > + netloc = query = fragment = '' > > + i = url.find(':') > > +- if i > 0: > > ++ if i > 0 and url[0].isascii() and url[0].isalpha(): > > + if url[:i] == 'http': # optimize the common case > > + url = url[i+1:] > > + if url[:2] == '//': > > +diff --git > a/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst > b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst > > +new file mode 100644 > > +index 0000000..0a06e7c > > +--- /dev/null > > ++++ > b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst > > +@@ -0,0 +1,2 @@ > > ++Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that > begin > > ++with a digit, a plus sign, or a minus sign to be parsed incorrectly. > > +-- > > +2.25.1 > > + > > diff --git a/meta/recipes-devtools/python/python3_3.8.14.bb > b/meta/recipes-devtools/python/python3_3.8.14.bb > > index 960e41aced..88ed8f4077 100644 > > --- a/meta/recipes-devtools/python/python3_3.8.14.bb > > +++ b/meta/recipes-devtools/python/python3_3.8.14.bb 
> > @@ -36,6 +36,7 @@ SRC_URI = " > http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ > > file://makerace.patch \ > > file://CVE-2022-45061.patch \ > > file://CVE-2022-37454.patch \ > > + file://CVE-2023-24329.patch \ > > " > > > > SRC_URI_append_class-native = " \ > > -- > > 2.25.1 > > > > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#184124): > https://lists.openembedded.org/g/openembedded-core/message/184124 > Mute This Topic: https://lists.openembedded.org/mt/100072511/7129709 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > vkumbhar@mvista.com] > -=-=-=-=-=-=-=-=-=-=-=- > >
diff --git a/meta/recipes-devtools/python/python3/CVE-2023-24329.patch b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch
new file mode 100644
index 0000000000..a0902e7be2
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch
@@ -0,0 +1,81 @@
+From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Sun, 13 Nov 2022 11:00:25 -0800
+Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme
+ must begin with an alphabetical ASCII character. (GH-99421)
+
+Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character.
+
+RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`
+RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A`
+
+The WHATWG URL spec defines a scheme like this:
+`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."`
+(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7)
+
+Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com>
+
+Upstream-Status: Backport [https://github.com/python/cpython/commit/72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9]
+CVE: CVE-2023-24329
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ Lib/test/test_urlparse.py | 18 ++++++++++++++++++
+ Lib/urllib/parse.py | 2 +-
+ ...22-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 ++
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 0f99130..03b5da1 100644
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -676,6 +676,24 @@ class UrlParseTestCase(unittest.TestCase):
+ with self.assertRaises(ValueError):
+ p.port
+
++ def test_attributes_bad_scheme(self):
++ """Check handling of invalid schemes."""
++ for bytes in (False, True):
++ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
++ for scheme in (".", "+", "-", "0", "http&", "६http"):
++ with self.subTest(bytes=bytes, parse=parse, 
scheme=scheme):
++ url = scheme + "://www.example.net"
++ if bytes:
++ if url.isascii():
++ url = url.encode("ascii")
++ else:
++ continue
++ p = parse(url)
++ if bytes:
++ self.assertEqual(p.scheme, b"")
++ else:
++ self.assertEqual(p.scheme, "")
++
+ def test_attributes_without_netloc(self):
+ # This example is straight from RFC 3261. It looks like it
+ # should allow the username, hostname, and port to be filled
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index f0d9d4d..0e388cb 100644
+--- a/Lib/urllib/parse.py
++++ b/Lib/urllib/parse.py
+@@ -440,7 +440,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+ clear_cache()
+ netloc = query = fragment = ''
+ i = url.find(':')
+- if i > 0:
++ if i > 0 and url[0].isascii() and url[0].isalpha():
+ if url[:i] == 'http': # optimize the common case
+ url = url[i+1:]
+ if url[:2] == '//':
+diff --git a/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+new file mode 100644
+index 0000000..0a06e7c
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+@@ -0,0 +1,2 @@
++Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
++with a digit, a plus sign, or a minus sign to be parsed incorrectly.
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/python/python3_3.8.14.bb b/meta/recipes-devtools/python/python3_3.8.14.bb
index 960e41aced..88ed8f4077 100644
--- a/meta/recipes-devtools/python/python3_3.8.14.bb
+++ b/meta/recipes-devtools/python/python3_3.8.14.bb
@@ -36,6 +36,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
 file://makerace.patch \
 file://CVE-2022-45061.patch \
 file://CVE-2022-37454.patch \
+ file://CVE-2023-24329.patch \
 "
 
 SRC_URI_append_class-native = " \
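Review bot: The patch carried here under `CVE: CVE-2023-24329` is upstream gh-99418 (a scheme must start with an ASCII letter), and on its own it does not close the vector that CVE describes, a URL beginning with blank characters: for `" http://www.example.net"` the new condition `url[0].isascii() and url[0].isalpha()` is false, so `urlsplit` falls through with an empty scheme and empty netloc, and unless code outside this hunk strips the leading space (nothing in this patch adds that) a blocklist keyed on `.scheme`/`.netloc` is bypassed just as before. Upstream's change recorded against this CVE is gh-102153, shipped in 3.8.17, which strips leading WHATWG C0-control and space characters (U+0000–U+0020) from `url` near the top of `urlsplit`, after `_coerce_args` and before the scheme is examined, roughly `url = url.lstrip(_WHATWG_C0_CONTROL_OR_SPACE)` with that constant defined at module level; either backport that change alongside this one or drop the `CVE:` tag so the recipe's CVE tracking does not report 24329 as fixed. The added test only feeds `".", "+", "-", "0", "http&", "६http"` as schemes and expects an empty result, which a leading space also satisfies both before and after this patch, so a test pinning the intended behaviour would be `self.assertEqual(urllib.parse.urlsplit(" http://www.example.net").scheme, "http")`. The body of `urlsplit` starts and ends outside this hunk.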
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> --- .../python/python3/CVE-2023-24329.patch | 81 +++++++++++++++++++ .../recipes-devtools/python/python3_3.8.14.bb | 1 + 2 files changed, 82 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/CVE-2023-24329.patch