Fix CVE-2019-9636
Implemented fix from python/cpython#12201 for CVE-2019-9636 in /lib/future/backports/urllib/parse.py
parent
3c996f01a9
commit
eb0707c555
1 changed files with 21 additions and 0 deletions
|
@ -36,6 +36,7 @@ from future.utils import raise_with_traceback
|
|||
import re
|
||||
import sys
|
||||
import collections
|
||||
import unicodedata
|
||||
|
||||
__all__ = ["urlparse", "urlunparse", "urljoin", "urldefrag",
|
||||
"urlsplit", "urlunsplit", "urlencode", "parse_qs",
|
||||
|
@ -322,6 +323,24 @@ def _splitnetloc(url, start=0):
|
|||
delim = min(delim, wdelim) # use earliest delim position
|
||||
return url[start:delim], url[delim:] # return (domain, rest)
|
||||
|
||||
def _checknetloc(netloc):
|
||||
if not netloc or netloc.isascii():
|
||||
return
|
||||
# looking for characters like \u2100 that expand to 'a/c'
|
||||
# IDNA uses NFKC equivalence, so normalize for this check
|
||||
import unicodedata
|
||||
n = netloc.replace('@', '') # ignore characters already included
|
||||
n = n.replace(':', '') # but not the surrounding text
|
||||
n = n.replace('#', '')
|
||||
n = n.replace('?', '')
|
||||
netloc2 = unicodedata.normalize('NFKC', n)
|
||||
if n == netloc2:
|
||||
return
|
||||
for c in '/?#@:':
|
||||
if c in netloc2:
|
||||
raise ValueError("netloc '" + netloc + "' contains invalid " +
|
||||
"characters under NFKC normalization")
|
||||
|
||||
def urlsplit(url, scheme='', allow_fragments=True):
|
||||
"""Parse a URL into 5 components:
|
||||
<scheme>://<netloc>/<path>?<query>#<fragment>
|
||||
|
@ -351,6 +370,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
|
|||
url, fragment = url.split('#', 1)
|
||||
if '?' in url:
|
||||
url, query = url.split('?', 1)
|
||||
_checknetloc(netloc)
|
||||
v = SplitResult(scheme, netloc, url, query, fragment)
|
||||
_parse_cache[key] = v
|
||||
return _coerce_result(v)
|
||||
|
@ -374,6 +394,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
|
|||
url, fragment = url.split('#', 1)
|
||||
if '?' in url:
|
||||
url, query = url.split('?', 1)
|
||||
_checknetloc(netloc)
|
||||
v = SplitResult(scheme, netloc, url, query, fragment)
|
||||
_parse_cache[key] = v
|
||||
return _coerce_result(v)
|
||||
|
|
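Review bot: The early return in the new `_checknetloc` calls `netloc.isascii()`, and `str.isascii()` only exists from Python 3.7; this file is a `future` backport (the first hunk's context imports `future.utils`), so on Python 2 or an older Python 3 the call would presumably raise AttributeError for every URL with a non-empty netloc instead of running the NFKC check. A version-independent guard would be `if not netloc or all(ord(c) < 128 for c in netloc): return`. If the module is used on Python 2, it is also worth confirming that `netloc` is always text at this point, since `unicodedata.normalize` does not accept byte strings there. The function-level `import unicodedata` duplicates the module-level import added in the first hunk and can be dropped. The `urlsplit` body that calls `_checknetloc` starts and ends outside the visible hunks.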