-
-
Notifications
You must be signed in to change notification settings - Fork 30.5k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[3.7] gh-102153: Start stripping C0 control and space chars in `urlsp…
…lit` (GH-104896) `urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595. This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329). (cherry picked from commit d7f8a5f) (cherry picked from commit 2f630e1) (cherry picked from commit 610cc0a) (cherry picked from commit f48a96a) Co-authored-by: Miss Islington (bot) <[email protected]> Co-authored-by: Illia Volochii <[email protected]> Co-authored-by: Gregory P. Smith [Google] <[email protected]>
- Loading branch information
1 parent
de108bc
commit d28bafa
Showing
4 changed files
with
111 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -660,14 +660,73 @@ def test_urlsplit_remove_unsafe_bytes(self): | |
self.assertEqual(p.scheme, "https") | ||
self.assertEqual(p.geturl(), "https://www.python.org/javascript:alert('msg')/?query=something#fragment") | ||
|
||
def test_urlsplit_strip_url(self): | ||
noise = bytes(range(0, 0x20 + 1)) | ||
base_url = "http://User:[email protected]:080/doc/?query=yes#frag" | ||
|
||
url = noise.decode("utf-8") + base_url | ||
p = urllib.parse.urlsplit(url) | ||
self.assertEqual(p.scheme, "http") | ||
self.assertEqual(p.netloc, "User:[email protected]:080") | ||
self.assertEqual(p.path, "/doc/") | ||
self.assertEqual(p.query, "query=yes") | ||
self.assertEqual(p.fragment, "frag") | ||
self.assertEqual(p.username, "User") | ||
self.assertEqual(p.password, "Pass") | ||
self.assertEqual(p.hostname, "www.python.org") | ||
self.assertEqual(p.port, 80) | ||
self.assertEqual(p.geturl(), base_url) | ||
|
||
url = noise + base_url.encode("utf-8") | ||
p = urllib.parse.urlsplit(url) | ||
self.assertEqual(p.scheme, b"http") | ||
self.assertEqual(p.netloc, b"User:[email protected]:080") | ||
self.assertEqual(p.path, b"/doc/") | ||
self.assertEqual(p.query, b"query=yes") | ||
self.assertEqual(p.fragment, b"frag") | ||
self.assertEqual(p.username, b"User") | ||
self.assertEqual(p.password, b"Pass") | ||
self.assertEqual(p.hostname, b"www.python.org") | ||
self.assertEqual(p.port, 80) | ||
self.assertEqual(p.geturl(), base_url.encode("utf-8")) | ||
|
||
# Test that trailing space is preserved as some applications rely on | ||
# this within query strings. | ||
query_spaces_url = "https://www.python.org:88/doc/?query= " | ||
p = urllib.parse.urlsplit(noise.decode("utf-8") + query_spaces_url) | ||
self.assertEqual(p.scheme, "https") | ||
self.assertEqual(p.netloc, "www.python.org:88") | ||
self.assertEqual(p.path, "/doc/") | ||
self.assertEqual(p.query, "query= ") | ||
self.assertEqual(p.port, 88) | ||
self.assertEqual(p.geturl(), query_spaces_url) | ||
|
||
p = urllib.parse.urlsplit("www.pypi.org ") | ||
# That "hostname" gets considered a "path" due to the | ||
# trailing space and our existing logic... YUCK... | ||
# and re-assembles via geturl aka unurlsplit into the original. | ||
# django.core.validators.URLValidator (at least through v3.2) relies on | ||
# this, for better or worse, to catch it in a ValidationError via its | ||
# regular expressions. | ||
# Here we test the basic round trip concept of such a trailing space. | ||
self.assertEqual(urllib.parse.urlunsplit(p), "www.pypi.org ") | ||
|
||
# with scheme as cache-key | ||
url = "//www.python.org/" | ||
scheme = noise.decode("utf-8") + "https" + noise.decode("utf-8") | ||
for _ in range(2): | ||
p = urllib.parse.urlsplit(url, scheme=scheme) | ||
self.assertEqual(p.scheme, "https") | ||
self.assertEqual(p.geturl(), "https://www.python.org/") | ||
|
||
def test_attributes_bad_port(self): | ||
"""Check handling of invalid ports.""" | ||
for bytes in (False, True): | ||
for parse in (urllib.parse.urlsplit, urllib.parse.urlparse): | ||
for port in ("foo", "1.5", "-1", "0x10"): | ||
with self.subTest(bytes=bytes, parse=parse, port=port): | ||
netloc = "www.example.net:" + port | ||
url = "http://" + netloc | ||
url = "http://" + netloc + "/" | ||
if bytes: | ||
netloc = netloc.encode("ascii") | ||
url = url.encode("ascii") | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
3 changes: 3 additions & 0 deletions
3
Misc/NEWS.d/next/Security/2023-03-07-20-59-17.gh-issue-102153.14CLSZ.rst
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
:func:`urllib.parse.urlsplit` now strips leading C0 control and space | ||
characters following the specification for URLs defined by WHATWG in | ||
response to CVE-2023-24329. Patch by Illia Volochii. |