From 954be4de942ad3ad3033f0bfbe1b8c5280e8088b Mon Sep 17 00:00:00 2001 From: sxt1001 Date: Mon, 6 Mar 2023 21:42:18 +0800 Subject: [PATCH 1/6] fix CVE-2023-24329 --- Lib/urllib/parse.py | 1 + 1 file changed, 1 insertion(+) diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py index 5f95c5ff7f9c1c..3dc85ff6ae9a07 100644 --- a/Lib/urllib/parse.py +++ b/Lib/urllib/parse.py @@ -451,6 +451,7 @@ def urlsplit(url, scheme='', allow_fragments=True): Note that % escapes are not expanded. """ + url = url.lstrip() url, scheme, _coerce_result = _coerce_args(url, scheme) for b in _UNSAFE_URL_BYTES_TO_REMOVE: From c546775008bc2e2518409e4be7d55a41feab04af Mon Sep 17 00:00:00 2001 From: sxt1001 Date: Mon, 6 Mar 2023 21:54:14 +0800 Subject: [PATCH 2/6] add test for CVE-2023-24329 --- Lib/test/test_urlparse.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py index 80fb9e5cd2a445..f1f46be0cab6d2 100644 --- a/Lib/test/test_urlparse.py +++ b/Lib/test/test_urlparse.py @@ -686,6 +686,13 @@ def test_attributes_bad_scheme(self): else: self.assertEqual(p.scheme, "") + def test_attributes_bad_scheme_CVE_2023_24329(self): + """Check handling of invalid schemes that starts with blank characters.""" + for parse in (urllib.parse.urlsplit, urllib.parse.urlparse): + url = " https://www.example.net" + p = parse(url) + self.assertEqual(p.scheme, "https") + def test_attributes_without_netloc(self): # This example is straight from RFC 3261. It looks like it # should allow the username, hostname, and port to be filled From dccba70101e8904a061ba4a447fc544c223fdd5f Mon Sep 17 00:00:00 2001 From: shixuantong Date: Mon, 6 Mar 2023 22:48:30 +0800 Subject: [PATCH 3/6] doc --- .../next/Security/2023-03-06-22-48-08.gh-issue-102153.eiaVrE.rst | 1 + 1 file changed, 1 insertion(+) create mode 100644 Misc/NEWS.d/next/Security/2023-03-06-22-48-08.gh-issue-102153.eiaVrE.rst 
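Review bot: `url.lstrip()` with no argument removes every character for which `str.isspace()` is true, which does not match the set of leading characters the WHATWG URL standard strips (C0 controls U+0000–U+001F plus space): it also eats non-ASCII whitespace such as U+00A0 and U+3000, while leaving C0 controls like `\x01` or `\x1b` in place, so a URL prefixed with one of those still parses with an empty scheme and netloc. Stripping an explicit character set is more predictable, e.g. `url = url.lstrip(''.join(map(chr, range(0x21))))` (better as a named module-level constant), and doing it after the `_coerce_args` call makes `str` and `bytes` input behave the same — before coercion `bytes.lstrip()` only strips ASCII whitespace, so the two types currently diverge. The line also needs a why-comment, e.g. `# Strip leading C0 control/space characters so that a URL such as "  https://host" cannot slip past scheme/host checks (gh-102153); only the left side is stripped because callers may rely on trailing whitespace being preserved.` Patches 4 and 5 rewrite and then restore this same line, so the point applies to the final state of the series; the rest of urlsplit's body lies outside the hunk.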
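Review bot: The new test checks only a single leading space and only `p.scheme`; since the weakness is about host checks as much as scheme checks, it should also assert `p.netloc == "www.example.net"`, cover the other stripped prefixes (`"\t"`, `"\r\n"`, several blanks combined) and exercise `bytes` input, which takes a different code path before `_coerce_args`. The docstring says "invalid schemes that starts with blank characters", but the scheme itself is valid — it is the URL that has leading blanks — so `"""Leading blank characters must not hide the scheme and host (gh-102153)."""` describes the intent better. The enclosing TestCase class starts outside the hunk.
```python
    def test_attributes_bad_scheme_CVE_2023_24329(self):
        """Leading blank characters must not hide the scheme and host (gh-102153)."""
        for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
            for url in (" https://www.example.net",
                        "\thttps://www.example.net",
                        " \t\r\n https://www.example.net"):
                with self.subTest(parse=parse.__name__, url=url):
                    p = parse(url)
                    self.assertEqual(p.scheme, "https")
                    self.assertEqual(p.netloc, "www.example.net")
                    # bytes input must be normalised the same way as str
                    pb = parse(url.encode("ascii"))
                    self.assertEqual(pb.scheme, b"https")
                    self.assertEqual(pb.netloc, b"www.example.net")
```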
diff --git a/Misc/NEWS.d/next/Security/2023-03-06-22-48-08.gh-issue-102153.eiaVrE.rst b/Misc/NEWS.d/next/Security/2023-03-06-22-48-08.gh-issue-102153.eiaVrE.rst new file mode 100644 index 00000000000000..a0aadb36a84e35 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2023-03-06-22-48-08.gh-issue-102153.eiaVrE.rst @@ -0,0 +1 @@ +fix CVE-2023-24329 From b32d74d1e6df5e2fe877ef344137f0eab7db243d Mon Sep 17 00:00:00 2001 From: shixuantong Date: Wed, 8 Mar 2023 07:16:58 +0800 Subject: [PATCH 4/6] use strip() replace lstrip() --- Lib/urllib/parse.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py index 3dc85ff6ae9a07..28670a61f9ac18 100644 --- a/Lib/urllib/parse.py +++ b/Lib/urllib/parse.py @@ -451,7 +451,7 @@ def urlsplit(url, scheme='', allow_fragments=True): Note that % escapes are not expanded. """ - url = url.lstrip() + url = url.strip() url, scheme, _coerce_result = _coerce_args(url, scheme) for b in _UNSAFE_URL_BYTES_TO_REMOVE: From ebcd46c19ea932f154bb39c45e4481acfcfb7a28 Mon Sep 17 00:00:00 2001 From: sxt1001 Date: Wed, 8 Mar 2023 08:56:50 +0800 Subject: [PATCH 5/6] revert use strip() replace lstrip() --- Lib/urllib/parse.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py index 28670a61f9ac18..3dc85ff6ae9a07 100644 --- a/Lib/urllib/parse.py +++ b/Lib/urllib/parse.py @@ -451,7 +451,7 @@ def urlsplit(url, scheme='', allow_fragments=True): Note that % escapes are not expanded. """ - url = url.strip() + url = url.lstrip() url, scheme, _coerce_result = _coerce_args(url, scheme) for b in _UNSAFE_URL_BYTES_TO_REMOVE: From b00c0ea15422f107e4b7855ae6a1ab8ece3e1a64 Mon Sep 17 00:00:00 2001 From: sxt1001 Date: Wed, 8 Mar 2023 10:48:53 +0800 Subject: [PATCH 6/6] update doc Thanks CharlieZhao95 --- .../Security/2023-03-06-22-48-08.gh-issue-102153.eiaVrE.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/Misc/NEWS.d/next/Security/2023-03-06-22-48-08.gh-issue-102153.eiaVrE.rst b/Misc/NEWS.d/next/Security/2023-03-06-22-48-08.gh-issue-102153.eiaVrE.rst
index a0aadb36a84e35..9904dfe666956d 100644
--- a/Misc/NEWS.d/next/Security/2023-03-06-22-48-08.gh-issue-102153.eiaVrE.rst
+++ b/Misc/NEWS.d/next/Security/2023-03-06-22-48-08.gh-issue-102153.eiaVrE.rst
@@ -1 +1,3 @@
-fix CVE-2023-24329
+Fix the parsing problem(CVE-2023-24329) in urlparse when the entire URL
+starts with blank characters. This vulnerability would help an attacker to bypass
+the protections set by the developer for scheme and host.