rpms / python-virtualenv

Clone
Source Code
GIT

Blame SOURCES/CVE-2019-11236.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-2.7 c8-beta-stream-3.6 c8-stream-2.7 c8-stream-3.6 c8s-stream-2.7 c8s-stream-3.6 c9s-sig-cloud-openstack-xena
  1.   c6b9c6833936bae685d7b61e5c7207f5b47af2d2
  2.   SOURCES
  3.   CVE-2019-11236.patch
Blob History Raw
c6b9c6 
From bc4ac186771b27772246057fdce51775ebbf0f24 Mon Sep 17 00:00:00 2001
c6b9c6 
From: Lumir Balhar <lbalhar@redhat.com>
c6b9c6 
Date: Mon, 13 Jan 2020 09:34:25 +0100
c6b9c6 
Subject: [PATCH 2/2] CVE-2019-11236
c6b9c6
c6b9c6 
---
c6b9c6 
 util/url.py | 10 ++++++++++
c6b9c6 
 1 file changed, 10 insertions(+)
c6b9c6
c6b9c6 
diff --git a/util/url.py b/util/url.py
c6b9c6 
index e996204..bf0b803 100644
c6b9c6 
--- a/util/url.py
c6b9c6 
+++ b/util/url.py
c6b9c6 
@@ -1,8 +1,14 @@
c6b9c6 
 from __future__ import absolute_import
c6b9c6 
 from collections import namedtuple
c6b9c6 
+import re
c6b9c6
c6b9c6 
 from ..exceptions import LocationParseError
c6b9c6 
+try:
c6b9c6 
+    from urllib.parse import quote
c6b9c6 
+except ImportError:
c6b9c6 
+    from urllib import quote
c6b9c6
c6b9c6 
+_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
c6b9c6
c6b9c6 
 url_attrs = ['scheme', 'auth', 'host', 'port', 'path', 'query', 'fragment']
c6b9c6
c6b9c6 
@@ -146,6 +152,10 @@ def parse_url(url):
c6b9c6 
         # Empty
c6b9c6 
         return Url()
c6b9c6
c6b9c6 
+    # Prevent CVE-2019-9740.
c6b9c6 
+    # adapted from https://github.com/python/cpython/pull/12755
c6b9c6 
+    url = _contains_disallowed_url_pchar_re.sub(lambda match: quote(match.group()), url)
c6b9c6 
+
c6b9c6 
     scheme = None
c6b9c6 
     auth = None
c6b9c6 
     host = None
c6b9c6 
--
c6b9c6 
2.24.1
c6b9c6

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation