File: CVE-2019-10160-1.diff

package info (click to toggle)
python3.7 3.7.3-2%2Bdeb10u3
  • links: PTS, VCS
  • area: main
  • in suites: buster
  • size: 92,344 kB
  • sloc: python: 547,375; ansic: 419,805; sh: 4,593; cpp: 3,449; makefile: 1,772; asm: 1,602; objc: 761; lisp: 502; pascal: 341; javascript: 313; xml: 76; csh: 21
file content (59 lines) | stat: -rw-r--r-- 2,682 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
 
From 4d723e76e1ad17e9e7d5e828e59bb47e76f2174b Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
 <31488909+miss-islington@users.noreply.github.com>
Date: Tue, 30 Apr 2019 05:21:02 -0700
Subject: [PATCH] bpo-36742: Fixes handling of pre-normalization characters in
 urlsplit() (GH-13017)

(cherry picked from commit d537ab0ff9767ef024f26246899728f0116b1ec3)

Co-authored-by: Steve Dower <steve.dower@python.org>
---
 Lib/test/test_urlparse.py                             |  6 ++++++
 Lib/urllib/parse.py                                   | 11 +++++++----
 .../Security/2019-04-29-15-34-59.bpo-36742.QCUY0i.rst |  1 +
 3 files changed, 14 insertions(+), 4 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2019-04-29-15-34-59.bpo-36742.QCUY0i.rst

diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
index e6638aee2244..c26235449461 100644
--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -1001,6 +1001,12 @@ def test_urlsplit_normalization(self):
         self.assertIn('\u2100', denorm_chars)
         self.assertIn('\uFF03', denorm_chars)
 
+        # bpo-36742: Verify port separators are ignored when they
+        # existed prior to decomposition
+        urllib.parse.urlsplit('http://\u30d5\u309a:80')
+        with self.assertRaises(ValueError):
+            urllib.parse.urlsplit('http://\u30d5\u309a\ufe1380')
+
         for scheme in ["http", "https", "ftp"]:
             for c in denorm_chars:
                 url = "{}://netloc{}false.netloc/path".format(scheme, c)
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
index 1eec26e0f1f3..f5b3487ea9d6 100644
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -397,13 +397,16 @@ def _checknetloc(netloc):
     # looking for characters like \u2100 that expand to 'a/c'
     # IDNA uses NFKC equivalence, so normalize for this check
     import unicodedata
-    netloc2 = unicodedata.normalize('NFKC', netloc)
-    if netloc == netloc2:
+    n = netloc.rpartition('@')[2] # ignore anything to the left of '@'
+    n = n.replace(':', '')        # ignore characters already included
+    n = n.replace('#', '')        # but not the surrounding text
+    n = n.replace('?', '')
+    netloc2 = unicodedata.normalize('NFKC', n)
+    if n == netloc2:
         return
-    _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
     for c in '/?#@:':
         if c in netloc2:
-            raise ValueError("netloc '" + netloc2 + "' contains invalid " +
+            raise ValueError("netloc '" + netloc + "' contains invalid " +
                              "characters under NFKC normalization")
 
 def urlsplit(url, scheme='', allow_fragments=True):