From 954be4de942ad3ad3033f0bfbe1b8c5280e8088b Mon Sep 17 00:00:00 2001
From: sxt1001
Date: Mon, 6 Mar 2023 21:42:18 +0800
Subject: [PATCH 1/6] fix CVE-2023-24329
---
 Lib/urllib/parse.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
index 5f95c5ff7f9c1c..3dc85ff6ae9a07 100644
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -451,6 +451,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
 Note that % escapes are not expanded.
 """
+ url = url.lstrip()
 url, scheme, _coerce_result = _coerce_args(url, scheme)
 for b in _UNSAFE_URL_BYTES_TO_REMOVE:
From c546775008bc2e2518409e4be7d55a41feab04af Mon Sep 17 00:00:00 2001
From: sxt1001
Date: Mon, 6 Mar 2023 21:54:14 +0800
Subject: [PATCH 2/6] add test for CVE-2023-24329
---
 Lib/test/test_urlparse.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
index 80fb9e5cd2a445..f1f46be0cab6d2 100644
--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -686,6 +686,13 @@ def test_attributes_bad_scheme(self):
 else:
 self.assertEqual(p.scheme, "")
+ def test_attributes_bad_scheme_CVE_2023_24329(self):
+ """Check handling of invalid schemes that starts with blank characters."""
+ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
+ url = " https://www.example.net"
+ p = parse(url)
+ self.assertEqual(p.scheme, "https")
+
 def test_attributes_without_netloc(self):
 # This example is straight from RFC 3261. It looks like it
 # should allow the username, hostname, and port to be filled
From dccba70101e8904a061ba4a447fc544c223fdd5f Mon Sep 17 00:00:00 2001
From: shixuantong
Date: Mon, 6 Mar 2023 22:48:30 +0800
Subject: [PATCH 3/6] doc
---
 .../next/Security/2023-03-06-22-48-08.gh-issue-102153.eiaVrE.rst | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 Misc/NEWS.d/next/Security/2023-03-06-22-48-08.gh-issue-102153.eiaVrE.rst
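Review bot: The `url = url.lstrip()` added to urlsplit in PATCH 1/6 removes only what `str.lstrip()` treats as whitespace, so a URL that begins with a C0 control character that is not whitespace still reaches scheme detection with the prefix in place. The WHATWG URL parsing rules that browsers follow strip leading C0 controls as well as spaces, so a scheme or host check built on urlsplit can still disagree with what the client finally requests. Stripping an explicit set closes that gap, for example `url = url.lstrip(''.join(map(chr, range(0x21))))`, placed after the `_coerce_args(url, scheme)` call so that it always runs on str. As written the call sits before `_coerce_args`, so it uses `bytes.lstrip()` on bytes input and would raise on any non-string value that helper accepts; its body is outside the hunk, so confirm. urlsplit's body continues outside the hunk, and the same line returns in PATCH 5/6.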
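Review bot: test_attributes_bad_scheme_CVE_2023_24329 in PATCH 2/6 checks one input with a leading space and asserts only `p.scheme`, so it would not catch a regression for tab or newline prefixes, for bytes input, or in the host part that the final NEWS entry also names. Looping over several prefixed URLs under `with self.subTest(url=url):` and adding `self.assertEqual(p.netloc, "www.example.net")` would pin the behaviour; a bytes case needs its expected values written as bytes. The docstring should read "schemes that start with", and since `https` is a valid scheme the `bad_scheme` part of the method name is misleading.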
diff --git a/Misc/NEWS.d/next/Security/2023-03-06-22-48-08.gh-issue-102153.eiaVrE.rst b/Misc/NEWS.d/next/Security/2023-03-06-22-48-08.gh-issue-102153.eiaVrE.rst
new file mode 100644
index 00000000000000..a0aadb36a84e35
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2023-03-06-22-48-08.gh-issue-102153.eiaVrE.rst
@@ -0,0 +1 @@
+fix CVE-2023-24329
From b32d74d1e6df5e2fe877ef344137f0eab7db243d Mon Sep 17 00:00:00 2001
From: shixuantong
Date: Wed, 8 Mar 2023 07:16:58 +0800
Subject: [PATCH 4/6] use strip() replace lstrip()
---
 Lib/urllib/parse.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
index 3dc85ff6ae9a07..28670a61f9ac18 100644
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -451,7 +451,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
 Note that % escapes are not expanded.
 """
- url = url.lstrip()
+ url = url.strip()
 url, scheme, _coerce_result = _coerce_args(url, scheme)
 for b in _UNSAFE_URL_BYTES_TO_REMOVE:
From ebcd46c19ea932f154bb39c45e4481acfcfb7a28 Mon Sep 17 00:00:00 2001
From: sxt1001
Date: Wed, 8 Mar 2023 08:56:50 +0800
Subject: [PATCH 5/6] revert use strip() replace lstrip()
---
 Lib/urllib/parse.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
index 28670a61f9ac18..3dc85ff6ae9a07 100644
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -451,7 +451,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
 Note that % escapes are not expanded.
 """
- url = url.strip()
+ url = url.lstrip()
 url, scheme, _coerce_result = _coerce_args(url, scheme)
 for b in _UNSAFE_URL_BYTES_TO_REMOVE:
From b00c0ea15422f107e4b7855ae6a1ab8ece3e1a64 Mon Sep 17 00:00:00 2001
From: sxt1001
Date: Wed, 8 Mar 2023 10:48:53 +0800
Subject: [PATCH 6/6] update doc Thanks CharlieZhao95
---
 .../Security/2023-03-06-22-48-08.gh-issue-102153.eiaVrE.rst | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
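Review bot: `url = url.strip()` in PATCH 4/6 also removes trailing whitespace, which changes the path, query or fragment that urlsplit returns for a URL ending in blanks, and nothing in the series tests or documents that change. The test from PATCH 2/6 only has a leading space, so it passes with `strip()` and `lstrip()` alike. If trailing stripping is intended, pin it with an assertion such as `self.assertEqual(urllib.parse.urlsplit("https://www.example.net/a ").path, "/a")`; if it is not, assert the unstripped value instead. urlsplit's body continues outside the hunk.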
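Review bot: The line restored in PATCH 5/6, `url = url.lstrip()`, carries no comment, and the revert subject gives no reason for choosing it over `strip()`, so the next reader cannot tell that the asymmetry is deliberate. A comment directly above the call would keep the intent with the code, for example `# Strip leading whitespace so the scheme is still recognised (CVE-2023-24329); trailing characters are left as given.` urlsplit's body continues outside the hunk.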
diff --git a/Misc/NEWS.d/next/Security/2023-03-06-22-48-08.gh-issue-102153.eiaVrE.rst b/Misc/NEWS.d/next/Security/2023-03-06-22-48-08.gh-issue-102153.eiaVrE.rst
index a0aadb36a84e35..9904dfe666956d 100644
--- a/Misc/NEWS.d/next/Security/2023-03-06-22-48-08.gh-issue-102153.eiaVrE.rst
+++ b/Misc/NEWS.d/next/Security/2023-03-06-22-48-08.gh-issue-102153.eiaVrE.rst
@@ -1 +1,3 @@
-fix CVE-2023-24329
+Fix the parsing problem(CVE-2023-24329) in urlparse when the entire URL
+starts with blank characters. This vulnerability would help an attacker to bypass
+the protections set by the developer for scheme and host.
pFad - Phonifier reborn
