You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
42 lines
1.1 KiB
42 lines
1.1 KiB
From bc4ac186771b27772246057fdce51775ebbf0f24 Mon Sep 17 00:00:00 2001 |
|
From: Lumir Balhar <lbalhar@redhat.com> |
|
Date: Mon, 13 Jan 2020 09:34:25 +0100 |
|
Subject: [PATCH 2/2] CVE-2019-11236 |
|
|
|
--- |
|
util/url.py | 10 ++++++++++ |
|
1 file changed, 10 insertions(+) |
|
|
|
diff --git a/util/url.py b/util/url.py |
|
index e996204..bf0b803 100644 |
|
--- a/util/url.py |
|
+++ b/util/url.py |
|
@@ -1,8 +1,14 @@ |
|
from __future__ import absolute_import |
|
from collections import namedtuple |
|
+import re |
|
|
|
from ..exceptions import LocationParseError |
|
+try: |
|
+ from urllib.parse import quote |
|
+except ImportError: |
|
+ from urllib import quote |
|
|
|
+_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]') |
|
|
|
url_attrs = ['scheme', 'auth', 'host', 'port', 'path', 'query', 'fragment'] |
|
|
|
@@ -146,6 +152,10 @@ def parse_url(url): |
|
# Empty |
|
return Url() |
|
|
|
+ # Prevent CVE-2019-9740. |
|
+ # adapted from https://github.com/python/cpython/pull/12755 |
|
+ url = _contains_disallowed_url_pchar_re.sub(lambda match: quote(match.group()), url) |
|
+ |
|
scheme = None |
|
auth = None |
|
host = None |
|
-- |
|
2.24.1 |
|
|
|
|