|
 |
38a001 |
From b40eb0f43daecc6e2e3ce47b0be49cf570d02adc Mon Sep 17 00:00:00 2001
|
|
|
38a001 |
From: Lumir Balhar <lbalhar@redhat.com>
|
|
|
38a001 |
Date: Thu, 9 Jan 2020 11:14:58 +0100
|
|
|
38a001 |
Subject: [PATCH] CVE-2019-9740
|
|
|
38a001 |
|
|
|
38a001 |
---
|
|
|
38a001 |
util/url.py | 7 +++++++
|
|
|
38a001 |
1 file changed, 7 insertions(+)
|
|
|
38a001 |
|
|
|
38a001 |
diff --git a/util/url.py b/util/url.py
|
|
|
38a001 |
index 6b6f996..2784c85 100644
|
|
|
38a001 |
--- a/util/url.py
|
|
|
38a001 |
+++ b/util/url.py
|
|
|
38a001 |
@@ -1,5 +1,6 @@
|
|
|
38a001 |
from __future__ import absolute_import
|
|
|
38a001 |
from collections import namedtuple
|
|
|
38a001 |
+import re
|
|
|
38a001 |
|
|
|
38a001 |
from ..exceptions import LocationParseError
|
|
|
38a001 |
|
|
|
38a001 |
@@ -10,6 +11,8 @@ url_attrs = ['scheme', 'auth', 'host', 'port', 'path', 'query', 'fragment']
|
|
|
38a001 |
# urllib3 infers URLs without a scheme (None) to be http.
|
|
|
38a001 |
NORMALIZABLE_SCHEMES = ('http', 'https', None)
|
|
|
38a001 |
|
|
|
38a001 |
+_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
|
|
|
38a001 |
+from ..packages.six.moves.urllib.parse import quote
|
|
|
38a001 |
|
|
|
38a001 |
class Url(namedtuple('Url', url_attrs)):
|
|
|
38a001 |
"""
|
|
|
38a001 |
@@ -155,6 +158,10 @@ def parse_url(url):
|
|
|
38a001 |
# Empty
|
|
|
38a001 |
return Url()
|
|
|
38a001 |
|
|
|
38a001 |
+ # Prevent CVE-2019-9740.
|
|
|
38a001 |
+ # adapted from https://github.com/python/cpython/pull/12755
|
|
|
38a001 |
+ url = _contains_disallowed_url_pchar_re.sub(lambda match: quote(match.group()), url)
|
|
|
38a001 |
+
|
|
|
38a001 |
scheme = None
|
|
|
38a001 |
auth = None
|
|
|
38a001 |
host = None
|
|
|
38a001 |
--
|
|
|
38a001 |
2.24.1
|
|
|
38a001 |
|