Blob Blame History Raw
From b40eb0f43daecc6e2e3ce47b0be49cf570d02adc Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Thu, 9 Jan 2020 11:14:58 +0100
Subject: [PATCH] CVE-2019-9740

---
 util/url.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/util/url.py b/util/url.py
index 6b6f996..2784c85 100644
--- a/util/url.py
+++ b/util/url.py
@@ -1,5 +1,6 @@
 from __future__ import absolute_import
 from collections import namedtuple
+import re
 
 from ..exceptions import LocationParseError
 
@@ -10,6 +11,8 @@ url_attrs = ['scheme', 'auth', 'host', 'port', 'path', 'query', 'fragment']
 # urllib3 infers URLs without a scheme (None) to be http.
 NORMALIZABLE_SCHEMES = ('http', 'https', None)
 
+_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
+from ..packages.six.moves.urllib.parse import quote
 
 class Url(namedtuple('Url', url_attrs)):
     """
@@ -155,6 +158,10 @@ def parse_url(url):
         # Empty
         return Url()
 
+    # Prevent CVE-2019-9740.
+    # adapted from https://github.com/python/cpython/pull/12755
+    url = _contains_disallowed_url_pchar_re.sub(lambda match: quote(match.group()), url)
+
     scheme = None
     auth = None
     host = None
-- 
2.24.1