authorLeonidas Da Silva Barbosa <[email protected]>2023-03-10 13:46:00 -0300
committergit-ubuntu importer <[email protected]>2023-03-20 09:54:02 +0000
commit51830fba8d4bc57a396f2e00d2f12d3cae3a77c8 (patch)
tree61e6d62f6bf60828519c849ebc462944298cc79f
parent06af035109e27e23b49b0968644012386b4a94d5 (diff)
parent950c3d47c2a7a7a825e440bef2e9c2890b3d1c72 (diff)
Imported using git-ubuntu import.
-rw-r--r--Lib/test/test_urlparse.py18
-rw-r--r--Lib/urllib/parse.py7
-rw-r--r--debian/changelog10
-rw-r--r--debian/patches/CVE-2023-24329.patch73
-rw-r--r--debian/patches/series1
5 files changed, 108 insertions, 1 deletions
diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
index ce86dec6..ffa97e95 100644
--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -688,6 +688,24 @@ class UrlParseTestCase(unittest.TestCase):
with self.assertRaises(ValueError):
p.port
+ def test_attributes_bad_scheme(self):
+ """Check handling of invalid schemes."""
+ for bytes in (False, True):
+ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
+ for scheme in (".", "+", "-", "0", "http&", "६http"):
+ with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
+ url = scheme + "://www.example.net"
+ if bytes:
+ if all(ord(c) < 128 for c in url):
+ url = url.encode("ascii")
+ else:
+ continue
+ p = parse(url)
+ if bytes:
+ self.assertEqual(p.scheme, b"")
+ else:
+ self.assertEqual(p.scheme, "")
+
def test_attributes_without_netloc(self):
# This example is straight from RFC 3261. It looks like it
# should allow the username, hostname, and port to be filled
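Review bot: The scheme tuple in `test_attributes_bad_scheme` contains no non-ASCII letter, so the `_is_ascii` half of the new guard in `urlsplit` is never the deciding condition: `"६http"` starts with a Devanagari digit, for which `isalpha()` is already false. A case beginning with a non-ASCII letter (a constructed example is `"éhttp"`) would pin that branch, and a case with a leading space would record what the parser returns for input that callers often forget to normalise. The loop variable `bytes` also shadows the builtin inside the test; `as_bytes` would read better. The same test is carried verbatim in debian/patches/CVE-2023-24329.patch.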
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
index 540213c5..bad44546 100644
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -83,6 +83,11 @@ _UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r', '\n']
MAX_CACHE_SIZE = 20
_parse_cache = {}
+# Backporting for CVE_2023_24329 as python2.7 hasn't
+# method isascii
+def _is_ascii(string):
+ return all(ord(char) < 128 for char in string)
+
def clear_cache():
"""Clear the parse cache and the quoters cache."""
_parse_cache.clear()
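Review bot: The comment above `_is_ascii` names python2.7 as the reason for the helper, but debian/changelog shows this package is python3.6, where `str.isascii()` is missing because it only arrived in Python 3.7. I would reword it to `# str.isascii() exists only from Python 3.7 on; this 3.6 backport of the CVE-2023-24329 fix needs its own helper.` and give the function a one-line docstring such as `"""Return True if every character of *string* is below U+0080."""`. The same lines are duplicated in debian/patches/CVE-2023-24329.patch, so the wording would need changing there as well.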
@@ -435,7 +440,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
clear_cache()
netloc = query = fragment = ''
i = url.find(':')
- if i > 0:
+ if i > 0 and _is_ascii(url[0]) and url[0].isalpha():
if url[:i] == 'http': # optimize the common case
scheme = url[:i].lower()
url = url[i+1:]
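Review bot: The new condition on the `if i > 0 ...` line inspects only `url[0]` and neither strips nor rejects anything, so a URL whose first character is not an ASCII letter (leading whitespace included) is still returned, just with an empty scheme. The rest of the split happens outside this hunk, so where the remaining text ends up is inferred rather than visible. Code that enforces a deny-list on `scheme` or `hostname` therefore has to treat an empty scheme as a rejection rather than as "not on the list". That contract is worth stating next to the check, e.g. `# RFC 3986: a scheme starts with an ASCII letter; otherwise leave scheme == '' and let the caller decide.` `urlsplit` begins and ends outside the hunk.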
diff --git a/debian/changelog b/debian/changelog
index f408d85a..6f5f45f0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+python3.6 (3.6.9-1~18.04ubuntu1.12) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: Possible Bypass Blocklisting
+ - debian/patches/CVE-2023-24329.patch: enforce
+ that a scheme must begin with an alphabetical ASCII character
+ in Lib/urllib/parse.py, Lib/test/test_urlparse.py.
+ - CVE-2023-24329
+
+ -- Leonidas Da Silva Barbosa <[email protected]> Fri, 10 Mar 2023 13:46:00 -0300
+
python3.6 (3.6.9-1~18.04ubuntu1.10) bionic-security; urgency=medium
* SECURITY UPDATE: Buffer overflow in SHA3 (Keccak)
diff --git a/debian/patches/CVE-2023-24329.patch b/debian/patches/CVE-2023-24329.patch
new file mode 100644
index 00000000..44d6e510
--- /dev/null
+++ b/debian/patches/CVE-2023-24329.patch
@@ -0,0 +1,73 @@
+Backported of:
+
+From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+Date: Sun, 13 Nov 2022 11:00:25 -0800
+Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme
+ must begin with an alphabetical ASCII character. (GH-99421)
+
+Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character.
+
+RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`
+RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A`
+
+The WHATWG URL spec defines a scheme like this:
+`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."`
+(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7)
+
+Co-authored-by: Ben Kallus <[email protected]>
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index ce86dec..ffa97e9 100644
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -688,6 +688,24 @@ def test_attributes_bad_port(self):
+ with self.assertRaises(ValueError):
+ p.port
+
++ def test_attributes_bad_scheme(self):
++ """Check handling of invalid schemes."""
++ for bytes in (False, True):
++ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
++ for scheme in (".", "+", "-", "0", "http&", "६http"):
++ with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
++ url = scheme + "://www.example.net"
++ if bytes:
++ if all(ord(c) < 128 for c in url):
++ url = url.encode("ascii")
++ else:
++ continue
++ p = parse(url)
++ if bytes:
++ self.assertEqual(p.scheme, b"")
++ else:
++ self.assertEqual(p.scheme, "")
++
+ def test_attributes_without_netloc(self):
+ # This example is straight from RFC 3261. It looks like it
+ # should allow the username, hostname, and port to be filled
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index 540213c..bad4454 100644
+--- a/Lib/urllib/parse.py
++++ b/Lib/urllib/parse.py
+@@ -83,6 +83,11 @@
+ MAX_CACHE_SIZE = 20
+ _parse_cache = {}
+
++# Backporting for CVE_2023_24329 as python2.7 hasn't
++# method isascii
++def _is_ascii(string):
++ return all(ord(char) < 128 for char in string)
++
+ def clear_cache():
+ """Clear the parse cache and the quoters cache."""
+ _parse_cache.clear()
+@@ -435,7 +440,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+ clear_cache()
+ netloc = query = fragment = ''
+ i = url.find(':')
+- if i > 0:
++ if i > 0 and _is_ascii(url[0]) and url[0].isalpha():
+ if url[:i] == 'http': # optimize the common case
+ scheme = url[:i].lower()
+ url = url[i+1:]
diff --git a/debian/patches/series b/debian/patches/series
index b312142b..9a75c6fc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -59,3 +59,4 @@ CVE-2022-0391.patch
CVE-2015-20107.patch
CVE-2022-45061.patch
CVE-2022-37454.patch
+CVE-2023-24329.patch