
CVS commit: pkgsrc/lang/python27



Module Name:    pkgsrc
Committed By:   gutteridge
Date:           Mon May 29 23:33:48 UTC 2023

Modified Files:
        pkgsrc/lang/python27: Makefile distinfo
        pkgsrc/lang/python27/patches: patch-Lib_test_test__urlparse.py
            patch-Lib_urlparse.py

Log Message:
python27: add backported security fix for CVE-2023-24329


To generate a diff of this commit:
cvs rdiff -u -r1.105 -r1.106 pkgsrc/lang/python27/Makefile
cvs rdiff -u -r1.92 -r1.93 pkgsrc/lang/python27/distinfo
cvs rdiff -u -r1.2 -r1.3 \
    pkgsrc/lang/python27/patches/patch-Lib_test_test__urlparse.py
cvs rdiff -u -r1.3 -r1.4 pkgsrc/lang/python27/patches/patch-Lib_urlparse.py

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/python27/Makefile
diff -u pkgsrc/lang/python27/Makefile:1.105 pkgsrc/lang/python27/Makefile:1.106
--- pkgsrc/lang/python27/Makefile:1.105 Sun Jan  8 00:54:29 2023
+++ pkgsrc/lang/python27/Makefile       Mon May 29 23:33:48 2023
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.105 2023/01/08 00:54:29 gutteridge Exp $
+# $NetBSD: Makefile,v 1.106 2023/05/29 23:33:48 gutteridge Exp $
 
 .include "dist.mk"
 
 PKGNAME=       python27-${PY_DISTVERSION}
-PKGREVISION=   10
+PKGREVISION=   11
 CATEGORIES=    lang python
 
 MAINTAINER=    pkgsrc-users%NetBSD.org@localhost

Index: pkgsrc/lang/python27/distinfo
diff -u pkgsrc/lang/python27/distinfo:1.92 pkgsrc/lang/python27/distinfo:1.93
--- pkgsrc/lang/python27/distinfo:1.92  Sun Jan  8 00:54:29 2023
+++ pkgsrc/lang/python27/distinfo       Mon May 29 23:33:48 2023
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.92 2023/01/08 00:54:29 gutteridge Exp $
+$NetBSD: distinfo,v 1.93 2023/05/29 23:33:48 gutteridge Exp $
 
 BLAKE2s (Python-2.7.18.tar.xz) = 1b673ec8c9362a178e044691392bc4f67ad13457d7fddd84a88de346f23f9812
 SHA512 (Python-2.7.18.tar.xz) = a7bb62b51f48ff0b6df0b18f5b0312a523e3110f49c3237936bfe56ed0e26838c0274ff5401bda6fc21bf24337477ccac49e8026c5d651e4b4cafb5eb5086f6c
@@ -39,9 +39,9 @@ SHA1 (patch-Lib_test_test__mailcap.py) =
 SHA1 (patch-Lib_test_test__platform.py) = 3a3b8c05f9bf9adf4862b1022ce864127d36b8b0
 SHA1 (patch-Lib_test_test__unicode.py) = 1bd182bdbd880d0a847f9d8b69277a607f9f0526
 SHA1 (patch-Lib_test_test__urllib2.py) = 89baa57daf2f3282e4fc5009915dbc4910b96ef1
-SHA1 (patch-Lib_test_test__urlparse.py) = d98df667a34eebb994fe1d54a1decb8359df897e
+SHA1 (patch-Lib_test_test__urlparse.py) = d656a6b3fd672633182a2cfd32b2495eac382f3c
 SHA1 (patch-Lib_urllib2.py) = 0cc0dc811bb9544496962e08b040b5c96fb9073c
-SHA1 (patch-Lib_urlparse.py) = 1f102bb85acd99a8be976f9d5b0fdb1a7abf5725
+SHA1 (patch-Lib_urlparse.py) = 09c355c7df32a0f705f246aa81538ab7770c55e2
 SHA1 (patch-Mac_Tools_pythonw.c) = 2b9a60d4b349c240471fd305be69c28e0f654cdc
 SHA1 (patch-Makefile.pre.in) = ceaf34237588b527478ce1f9163c9168382fa201
 SHA1 (patch-Modules___ctypes_callbacks.c) = 8c335edfc9d2ef47988c5bdf1c3dd8473757637b

Index: pkgsrc/lang/python27/patches/patch-Lib_test_test__urlparse.py
diff -u pkgsrc/lang/python27/patches/patch-Lib_test_test__urlparse.py:1.2 pkgsrc/lang/python27/patches/patch-Lib_test_test__urlparse.py:1.3
--- pkgsrc/lang/python27/patches/patch-Lib_test_test__urlparse.py:1.2   Fri Feb 25 22:41:32 2022
+++ pkgsrc/lang/python27/patches/patch-Lib_test_test__urlparse.py       Mon May 29 23:33:48 2023
@@ -1,4 +1,4 @@
-$NetBSD: patch-Lib_test_test__urlparse.py,v 1.2 2022/02/25 22:41:32 gutteridge Exp $
+$NetBSD: patch-Lib_test_test__urlparse.py,v 1.3 2023/05/29 23:33:48 gutteridge Exp $
 
 Fix CVE-2021-23336: Add `separator` argument to parse_qs; warn with default
 Via Fedora:
@@ -8,6 +8,10 @@ Fix CVE-2022-0391: urlparse does not san
 Via Fedora:
 https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00377-CVE-2022-0391.patch
 
+Fix CVE-2023-24329: Add more sanitizing to respect the "Remove any leading C0 control or space from input" rule
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/c/3f00cdccd59ef2955a7f4b4c42bb59c631cce4c1.patch
+
 --- Lib/test/test_urlparse.py.orig     2020-04-19 21:13:39.000000000 +0000
 +++ Lib/test/test_urlparse.py
 @@ -3,6 +3,12 @@ import sys
@@ -134,7 +138,7 @@ https://src.fedoraproject.org/rpms/pytho
      def test_roundtrips(self):
          testcases = [
              ('file:///tmp/junk.txt',
-@@ -544,6 +618,55 @@ class UrlParseTestCase(unittest.TestCase
+@@ -544,6 +618,112 @@ class UrlParseTestCase(unittest.TestCase
          self.assertEqual(p1.path, '863-1234')
          self.assertEqual(p1.params, 'phone-context=+1-914-555')
  
@@ -186,11 +190,68 @@ https://src.fedoraproject.org/rpms/pytho
 +            self.assertEqual(p.scheme, "https")
 +            self.assertEqual(p.geturl(), "https://www.python.org/javascript:alert('msg')/?query=something#fragment")
 +
++    def test_urlsplit_strip_url(self):
++        noise = "".join([chr(i) for i in range(0, 0x20 + 1)])
++        base_url = "http://User:Pass%www.python.org@localhost:080/doc/?query=yes#frag";
 +
++        url = noise.decode("utf-8") + base_url
++        p = urlparse.urlsplit(url)
++        self.assertEqual(p.scheme, "http")
++        self.assertEqual(p.netloc, "User:Pass%www.python.org@localhost:080")
++        self.assertEqual(p.path, "/doc/")
++        self.assertEqual(p.query, "query=yes")
++        self.assertEqual(p.fragment, "frag")
++        self.assertEqual(p.username, "User")
++        self.assertEqual(p.password, "Pass")
++        self.assertEqual(p.hostname, "www.python.org")
++        self.assertEqual(p.port, 80)
++        self.assertEqual(p.geturl(), base_url)
++
++        url = noise + base_url.encode("utf-8")
++        p = urlparse.urlsplit(url)
++        self.assertEqual(p.scheme, b"http")
++        self.assertEqual(p.netloc, b"User:Pass%www.python.org@localhost:080")
++        self.assertEqual(p.path, b"/doc/")
++        self.assertEqual(p.query, b"query=yes")
++        self.assertEqual(p.fragment, b"frag")
++        self.assertEqual(p.username, b"User")
++        self.assertEqual(p.password, b"Pass")
++        self.assertEqual(p.hostname, b"www.python.org")
++        self.assertEqual(p.port, 80)
++        self.assertEqual(p.geturl(), base_url.encode("utf-8"))
++
++        # Test that trailing space is preserved as some applications rely on
++        # this within query strings.
++        query_spaces_url = "https://www.python.org:88/doc/?query=    "
++        p = urlparse.urlsplit(noise.decode("utf-8") + query_spaces_url)
++        self.assertEqual(p.scheme, "https")
++        self.assertEqual(p.netloc, "www.python.org:88")
++        self.assertEqual(p.path, "/doc/")
++        self.assertEqual(p.query, "query=    ")
++        self.assertEqual(p.port, 88)
++        self.assertEqual(p.geturl(), query_spaces_url)
++
++        p = urlparse.urlsplit("www.pypi.org ")
++        # That "hostname" gets considered a "path" due to the
++        # trailing space and our existing logic...  YUCK...
++        # and re-assembles via geturl aka unurlsplit into the original.
++        # django.core.validators.URLValidator (at least through v3.2) relies on
++        # this, for better or worse, to catch it in a ValidationError via its
++        # regular expressions.
++        # Here we test the basic round trip concept of such a trailing space.
++        self.assertEqual(urlparse.urlunsplit(p), "www.pypi.org ")
++
++        # with scheme as cache-key
++        url = "//www.python.org/"
++        scheme = noise.decode("utf-8") + "https" + noise.decode("utf-8")
++        for _ in range(2):
++            p = urlparse.urlsplit(url, scheme=scheme)
++            self.assertEqual(p.scheme, "https")
++            self.assertEqual(p.geturl(), "https://www.python.org/";)
  
      def test_attributes_bad_port(self):
          """Check handling of non-integer ports."""
-@@ -626,6 +749,132 @@ class UrlParseTestCase(unittest.TestCase
+@@ -626,6 +806,132 @@ class UrlParseTestCase(unittest.TestCase
          self.assertEqual(urlparse.urlparse("http://www.python.org:80";),
                  ('http','www.python.org:80','','','',''))
  
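Review bot: The `;` following the string literals on the `base_url =`, `p.geturl()` and `urlparse.urlparse(` lines would not parse where it precedes `)`, so it is presumably an artifact of the list archive's URL rendering rather than patch content; confirm against the repository copy (the SHA1 recorded in distinfo is the reference) before copying anything from this page. The new test_urlsplit_strip_url exercises the str and unicode paths, trailing-space preservation and the scheme cache key, but has no case where the url or scheme consists only of C0/space characters, so something like `p = urlparse.urlsplit(noise.decode("utf-8"))` followed by `self.assertEqual(p.geturl(), "")` would pin how a stripped-to-empty input is handled. UrlParseTestCase begins and ends outside the hunk.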

Index: pkgsrc/lang/python27/patches/patch-Lib_urlparse.py
diff -u pkgsrc/lang/python27/patches/patch-Lib_urlparse.py:1.3 pkgsrc/lang/python27/patches/patch-Lib_urlparse.py:1.4
--- pkgsrc/lang/python27/patches/patch-Lib_urlparse.py:1.3      Fri Feb 25 22:41:32 2022
+++ pkgsrc/lang/python27/patches/patch-Lib_urlparse.py  Mon May 29 23:33:48 2023
@@ -1,4 +1,4 @@
-$NetBSD: patch-Lib_urlparse.py,v 1.3 2022/02/25 22:41:32 gutteridge Exp $
+$NetBSD: patch-Lib_urlparse.py,v 1.4 2023/05/29 23:33:48 gutteridge Exp $
 
 Fix CVE-2021-23336: Add `separator` argument to parse_qs; warn with default
 Via Fedora:
@@ -8,9 +8,20 @@ Fix CVE-2022-0391: urlparse does not san
 Via Fedora:
 https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00377-CVE-2022-0391.patch
 
+Fix CVE-2023-24329: Add more sanitizing to respect the "Remove any leading C0 control or space from input" rule
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/c/3f00cdccd59ef2955a7f4b4c42bb59c631cce4c1.patch
+
 --- Lib/urlparse.py.orig       2020-04-19 21:13:39.000000000 +0000
 +++ Lib/urlparse.py
-@@ -29,6 +29,7 @@ test_urlparse.py provides a good indicat
+@@ -26,9 +26,14 @@ scenarios for parsing, and for backward
+ parsing quirks from older RFCs are retained. The testcases in
+ test_urlparse.py provides a good indicator of parsing behavior.
+ 
++The WHATWG URL Parser spec should also be considered.  We are not compliant with
++it either due to existing user code API behavior expectations (Hyrum's Law).
++It serves as a useful guide when making changes.
++
  """
  
  import re
@@ -18,17 +29,21 @@ https://src.fedoraproject.org/rpms/pytho
  
  __all__ = ["urlparse", "urlunparse", "urljoin", "urldefrag",
             "urlsplit", "urlunsplit", "parse_qs", "parse_qsl"]
-@@ -62,6 +63,9 @@ scheme_chars = ('abcdefghijklmnopqrstuvw
+@@ -62,6 +67,13 @@ scheme_chars = ('abcdefghijklmnopqrstuvw
                  '0123456789'
                  '+-.')
  
++# Leading and trailing C0 control and space to be stripped per WHATWG spec.
++# == "".join([chr(i) for i in range(0, 0x20 + 1)])
++_WHATWG_C0_CONTROL_OR_SPACE = '\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f '
++
 +# Unsafe bytes to be removed per WHATWG spec
 +_UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r', '\n']
 +
  MAX_CACHE_SIZE = 20
  _parse_cache = {}
  
-@@ -184,12 +188,19 @@ def _checknetloc(netloc):
+@@ -184,12 +196,21 @@ def _checknetloc(netloc):
                               "under NFKC normalization"
                               % netloc)
  
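Review bot: The comment on the new `_WHATWG_C0_CONTROL_OR_SPACE` constant says leading and trailing characters are stripped, but the urlsplit change in the next hunk applies `url.lstrip(...)` to the URL and `scheme.strip(...)` only to the scheme, and the added test explicitly asserts that trailing spaces in a query survive. I'd make the comment match the code: `# C0 control and space characters (WHATWG). urlsplit strips them from both ends of the scheme but only from the start of the url; trailing ones are kept for query-string compatibility.` The `# == "".join(...)` derivation line is useful and can stay. The surrounding module-level definitions continue outside the hunk.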
@@ -45,10 +60,12 @@ https://src.fedoraproject.org/rpms/pytho
      (e.g. netloc is a single string) and we don't expand % escapes."""
 +    url = _remove_unsafe_bytes_from_url(url)
 +    scheme = _remove_unsafe_bytes_from_url(scheme)
++    url = url.lstrip(_WHATWG_C0_CONTROL_OR_SPACE)
++    scheme = scheme.strip(_WHATWG_C0_CONTROL_OR_SPACE)
      allow_fragments = bool(allow_fragments)
      key = url, scheme, allow_fragments, type(url), type(scheme)
      cached = _parse_cache.get(key, None)
-@@ -382,7 +393,8 @@ def unquote(s):
+@@ -382,7 +403,8 @@ def unquote(s):
              append(item)
      return ''.join(res)
  
@@ -58,7 +75,7 @@ https://src.fedoraproject.org/rpms/pytho
      """Parse a query given as a string argument.
  
          Arguments:
-@@ -405,14 +417,23 @@ def parse_qs(qs, keep_blank_values=0, st
+@@ -405,14 +427,23 @@ def parse_qs(qs, keep_blank_values=0, st
      """
      dict = {}
      for name, value in parse_qsl(qs, keep_blank_values, strict_parsing,
@@ -84,7 +101,7 @@ https://src.fedoraproject.org/rpms/pytho
      """Parse a query given as a string argument.
  
      Arguments:
-@@ -434,15 +455,72 @@ def parse_qsl(qs, keep_blank_values=0, s
+@@ -434,15 +465,72 @@ def parse_qsl(qs, keep_blank_values=0, s
  
      Returns a list, as G-d intended.
      """


