From ce3d003c32b156e91e85ac390fe739d32d6fde95 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: May 14 2019 05:23:31 +0000 Subject: Fix handling of pre-normalization characters in urlsplit --- diff --git a/00320-CVE-2019-9636.patch b/00320-CVE-2019-9636.patch index 45a2c8e..8f63675 100644 --- a/00320-CVE-2019-9636.patch +++ b/00320-CVE-2019-9636.patch @@ -148,3 +148,45 @@ index 000000000000..5546394157f9 +Changes urlsplit() to raise ValueError when the URL contains characters that +decompose under IDNA encoding (NFKC-normalization) into characters that +affect how the URL is parsed. +diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py +index 0faf2bb..d0365ec 100644 +--- a/Lib/test/test_urlparse.py ++++ b/Lib/test/test_urlparse.py +@@ -1011,6 +1011,12 @@ class UrlParseTestCase(unittest.TestCase): + self.assertIn('\u2100', denorm_chars) + self.assertIn('\uFF03', denorm_chars) + ++ # bpo-36742: Verify port separators are ignored when they ++ # existed prior to decomposition ++ urllib.parse.urlsplit('http://\u30d5\u309a:80') ++ with self.assertRaises(ValueError): ++ urllib.parse.urlsplit('http://\u30d5\u309a\ufe1380') ++ + for scheme in ["http", "https", "ftp"]: + for c in denorm_chars: + url = "{}://netloc{}false.netloc/path".format(scheme, c) +diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py +index 8b6c9b1..e2f7b69 100644 +--- a/Lib/urllib/parse.py ++++ b/Lib/urllib/parse.py +@@ -402,13 +402,16 @@ def _checknetloc(netloc): + # looking for characters like \u2100 that expand to 'a/c' + # IDNA uses NFKC equivalence, so normalize for this check + import unicodedata +- netloc2 = unicodedata.normalize('NFKC', netloc) +- if netloc == netloc2: ++ n = netloc.rpartition('@')[2] # ignore anything to the left of '@' ++ n = n.replace(':', '') # ignore characters already included ++ n = n.replace('#', '') # but not the surrounding text ++ n = n.replace('?', '') ++ netloc2 = unicodedata.normalize('NFKC', n) ++ if n == netloc2: + return +- _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay + for c in '/?#@:': + if c in netloc2: +- raise ValueError("netloc '" + netloc2 + "' contains invalid " + ++ raise ValueError("netloc '" + netloc + "' contains invalid " + + "characters under NFKC normalization") + + def urlsplit(url, scheme='', allow_fragments=True): diff --git a/python3.spec b/python3.spec index dd58233..96c9d9a 100644 --- a/python3.spec +++ b/python3.spec @@ -14,7 +14,7 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well Version: %{pybasever}.8 -Release: 3%{?dist} +Release: 4%{?dist} License: Python @@ -376,6 +376,9 @@ Patch317: 00317-CVE-2019-5010.patch # 00320 # # Security fix for CVE-2019-9636: Information Disclosure due to urlsplit improper NFKC normalization # Fixed upstream https://bugs.python.org/issue36216 +# Fix handling of pre-normalization characters in urlsplit() +# This fixes a regression introduced by the fix for CVE-2019-9636 +# Fixed upstream: https://bugs.python.org/issue36742 Patch320: 00320-CVE-2019-9636.patch # (New patches go here ^^^) @@ -1590,6 +1593,9 @@ CheckPython optimized # ====================================================== %changelog +* Wed May 08 2019 Charalampos Stratakis - 3.6.8-4 +- Fix handling of pre-normalization characters in urlsplit + * Thu Mar 14 2019 Miro HronĨok - 3.6.8-3 - Security fix for CVE-2019-9636 (#1688543, #1688546)