File: CVE-2019-10160-2.diff

package info (click to toggle)
python3.7 3.7.3-2%2Bdeb10u3
  • links: PTS, VCS
  • area: main
  • in suites: buster
  • size: 92,344 kB
  • sloc: python: 547,375; ansic: 419,805; sh: 4,593; cpp: 3,449; makefile: 1,772; asm: 1,602; objc: 761; lisp: 502; pascal: 341; javascript: 313; xml: 76; csh: 21
file content (54 lines) | stat: -rw-r--r-- 2,501 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
 
From 250b62acc59921d399f0db47db3b462cd6037e09 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
 <31488909+miss-islington@users.noreply.github.com>
Date: Tue, 4 Jun 2019 09:15:13 -0700
Subject: [PATCH] bpo-36742: Corrects fix to handle decomposition in usernames
 (GH-13812)

(cherry picked from commit 8d0ef0b5edeae52960c7ed05ae8a12388324f87e)

Co-authored-by: Steve Dower <steve.dower@python.org>
---
 Lib/test/test_urlparse.py | 11 ++++++-----
 Lib/urllib/parse.py       |  6 +++---
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
index c26235449461..68f633ca3a7d 100644
--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -1008,11 +1008,12 @@ def test_urlsplit_normalization(self):
             urllib.parse.urlsplit('http://\u30d5\u309a\ufe1380')
 
         for scheme in ["http", "https", "ftp"]:
-            for c in denorm_chars:
-                url = "{}://netloc{}false.netloc/path".format(scheme, c)
-                with self.subTest(url=url, char='{:04X}'.format(ord(c))):
-                    with self.assertRaises(ValueError):
-                        urllib.parse.urlsplit(url)
+            for netloc in ["netloc{}false.netloc", "n{}user@netloc"]:
+                for c in denorm_chars:
+                    url = "{}://{}/path".format(scheme, netloc.format(c))
+                    with self.subTest(url=url, char='{:04X}'.format(ord(c))):
+                        with self.assertRaises(ValueError):
+                            urllib.parse.urlsplit(url)
 
 class Utility_Tests(unittest.TestCase):
     """Testcase to test the various utility functions in the urllib."""
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
index f5b3487ea9d6..4c8e77fe3912 100644
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -397,9 +397,9 @@ def _checknetloc(netloc):
     # looking for characters like \u2100 that expand to 'a/c'
     # IDNA uses NFKC equivalence, so normalize for this check
     import unicodedata
-    n = netloc.rpartition('@')[2] # ignore anything to the left of '@'
-    n = n.replace(':', '')        # ignore characters already included
-    n = n.replace('#', '')        # but not the surrounding text
+    n = netloc.replace('@', '')   # ignore characters already included
+    n = n.replace(':', '')        # but not the surrounding text
+    n = n.replace('#', '')
     n = n.replace('?', '')
     netloc2 = unicodedata.normalize('NFKC', n)
     if n == netloc2: