From bc4ac186771b27772246057fdce51775ebbf0f24 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Mon, 13 Jan 2020 09:34:25 +0100 Subject: [PATCH 2/2] CVE-2019-11236 --- util/url.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/util/url.py b/util/url.py index e996204..bf0b803 100644 --- a/util/url.py +++ b/util/url.py @@ -1,8 +1,14 @@ from __future__ import absolute_import from collections import namedtuple +import re from ..exceptions import LocationParseError +try: + from urllib.parse import quote +except ImportError: + from urllib import quote +_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]') url_attrs = ['scheme', 'auth', 'host', 'port', 'path', 'query', 'fragment'] @@ -146,6 +152,10 @@ def parse_url(url): # Empty return Url() + # Prevent CVE-2019-9740. + # adapted from https://github.com/python/cpython/pull/12755 + url = _contains_disallowed_url_pchar_re.sub(lambda match: quote(match.group()), url) + scheme = None auth = None host = None -- 2.24.1