Blame SOURCES/CVE-2019-11236.patch
|
 |
978cfa |
From bc4ac186771b27772246057fdce51775ebbf0f24 Mon Sep 17 00:00:00 2001
|
|
|
978cfa |
From: Lumir Balhar <lbalhar@redhat.com>
|
|
|
978cfa |
Date: Mon, 13 Jan 2020 09:34:25 +0100
|
|
|
978cfa |
Subject: [PATCH 2/2] CVE-2019-11236
|
|
|
978cfa |
|
|
|
978cfa |
---
|
|
|
978cfa |
util/url.py | 10 ++++++++++
|
|
|
978cfa |
1 file changed, 10 insertions(+)
|
|
|
978cfa |
|
|
|
978cfa |
diff --git a/util/url.py b/util/url.py
|
|
|
978cfa |
index e996204..bf0b803 100644
|
|
|
978cfa |
--- a/util/url.py
|
|
|
978cfa |
+++ b/util/url.py
|
|
|
978cfa |
@@ -1,8 +1,14 @@
|
|
|
978cfa |
from __future__ import absolute_import
|
|
|
978cfa |
from collections import namedtuple
|
|
|
978cfa |
+import re
|
|
|
978cfa |
|
|
|
978cfa |
from ..exceptions import LocationParseError
|
|
|
978cfa |
+try:
|
|
|
978cfa |
+ from urllib.parse import quote
|
|
|
978cfa |
+except ImportError:
|
|
|
978cfa |
+ from urllib import quote
|
|
|
978cfa |
|
|
|
978cfa |
+_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
|
|
|
978cfa |
|
|
|
978cfa |
url_attrs = ['scheme', 'auth', 'host', 'port', 'path', 'query', 'fragment']
|
|
|
978cfa |
|
|
|
978cfa |
@@ -146,6 +152,10 @@ def parse_url(url):
|
|
|
978cfa |
# Empty
|
|
|
978cfa |
return Url()
|
|
|
978cfa |
|
|
|
978cfa |
+ # Prevent CVE-2019-9740.
|
|
|
978cfa |
+ # adapted from https://github.com/python/cpython/pull/12755
|
|
|
978cfa |
+ url = _contains_disallowed_url_pchar_re.sub(lambda match: quote(match.group()), url)
|
|
|
978cfa |
+
|
|
|
978cfa |
scheme = None
|
|
|
978cfa |
auth = None
|
|
|
978cfa |
host = None
|
|
|
978cfa |
--
|
|
|
978cfa |
2.24.1
|
|
|
978cfa |
|