From 90685cae3d2d1b53bd9fec54943a3c382740bd4c Mon Sep 17 00:00:00 2001
From: zhanzhimin
Date: Mon, 5 Jul 2021 11:39:54 +0800
Subject: [PATCH] fix CVE-2021-33503
(cherry picked from commit fa4f65af37e296f233e70599b473bb9ea1365e39)
---
 backport-CVE-2021-33503.patch | 64 +++++++++++++++++++++++++++++++++++
 python-urllib3.spec | 6 +++-
 2 files changed, 69 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-33503.patch
diff --git a/backport-CVE-2021-33503.patch b/backport-CVE-2021-33503.patch
new file mode 100644
index 0000000..9227f84
--- /dev/null
+++ b/backport-CVE-2021-33503.patch
@@ -0,0 +1,64 @@
+From 2d4a3fee6de2fa45eb82169361918f759269b4ec Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson
+Date: Wed, 26 May 2021 10:43:12 -0500
+Subject: [PATCH] Improve performance of sub-authority splitting in URL
+
+---
+ src/urllib3/util/url.py | 8 +++++---
+ test/test_util.py | 10 ++++++++++
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
+index 793324e..318a6d6 100644
+--- a/src/urllib3/util/url.py
++++ b/src/urllib3/util/url.py
+@@ -63,12 +63,12 @@ IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT + "$")
+ BRACELESS_IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT[2:-2] + "$")
+ ZONE_ID_RE = re.compile("(" + ZONE_ID_PAT + r")\]$")
+
+-SUBAUTHORITY_PAT = (u"^(?:(.*)@)?(%s|%s|%s)(?::([0-9]{0,5}))?$") % (
++_HOST_PORT_PAT = ("^(%s|%s|%s)(?::([0-9]{0,5}))?$") % (
+ REG_NAME_PAT,
+ IPV4_PAT,
+ IPV6_ADDRZ_PAT,
+ )
+-SUBAUTHORITY_RE = re.compile(SUBAUTHORITY_PAT, re.UNICODE | re.DOTALL)
++_HOST_PORT_RE = re.compile(_HOST_PORT_PAT, re.UNICODE | re.DOTALL)
+
+ UNRESERVED_CHARS = set(
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-~"
+@@ -365,7 +365,9 @@ def parse_url(url):
+ scheme = scheme.lower()
+
+ if authority:
+- auth, host, port = SUBAUTHORITY_RE.match(authority).groups()
++ auth, _, host_port = authority.rpartition("@")
++ auth = auth or None
++ host, port = _HOST_PORT_RE.match(host_port).groups()
+ if auth and normalize_uri:
+ auth = _encode_invalid_chars(auth, USERINFO_CHARS)
+ if port == "":
+diff --git a/test/test_util.py b/test/test_util.py
+index 838c751..ef6aa11 100644
+--- a/test/test_util.py
++++ b/test/test_util.py
+@@ -437,6 +437,16 @@ class TestUtil(object):
+ fragment="hash",
+ ),
+ ),
++ # Tons of '@' causing backtracking
++ ("https://" + ("@" * 10000) + "[", False),
++ (
++ "https://user:" + ("@" * 10000) + "example.com",
++ Url(
++ scheme="https",
++ auth="user:" + ("%40" * 9999),
++ host="example.com",
++ ),
++ ),
+ ]
+
+ @pytest.mark.parametrize("url, expected_url", url_vulnerabilities)
+--
+2.23.0
+
diff --git a/python-urllib3.spec b/python-urllib3.spec
index 0dea575..790ef19 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -3,7 +3,7 @@
 Name: python-%{srcname}
 Version: 1.25.9
-Release: 2
+Release: 3
 Summary: Sanity-friendly HTTP client for Python
 License: MIT
 URL: https://urllib3.readthedocs.io
@@ -12,6 +12,7 @@ Source1: ssl_match_hostname_py3.py
 BuildArch: noarch
 Patch0000: set-RECENT_DATE-not-be-older-than-2-years.patch
+Patch6000: backport-CVE-2021-33503.patch
 %global _description \
 HTTP library with thread-safe connection pooling, file post support,\
@@ -109,6 +110,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt
 %{python3_sitelib}/urllib3-*.egg-info
 %changelog
+* Mon 05 Jul 2021 zhanzhimin - 1.25.9-3
+- fix CVE-2021-33503
+
 * Mon 24 May 2021 sunguoshuai - 1.25.9-2
 - fix check error by set RECENT_DATE
--
Gitee
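Review bot: Nothing inside backport-CVE-2021-33503.patch records why it is being carried — its header names only upstream commit 2d4a3fee6de2fa45eb82169361918f759269b4ec and the subject "Improve performance of sub-authority splitting in URL", while the CVE appears solely in the file name and in the spec. A line in the patch header such as `Reference: CVE-2021-33503 - regex backtracking on many '@' in the URL authority; backport of upstream 2d4a3fee6de2fa45eb82169361918f759269b4ec` would let the next maintainer tie the file to the advisory without reading the spec changelog. The hunk offsets (`@@ -63,12`, `@@ -365,7`) and blob ids (`793324e..318a6d6`) come from the upstream branch rather than from the 1.25.9 tree this spec builds, so application presumably relies on context matching; worth confirming the build log shows both hunks of url.py applied without fuzz. The added test cases only protect the backport if the spec's `%check` runs test/test_util.py, which the truncated `-m pyt` in the third spec hunk suggests but does not show.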
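Review bot: `Patch6000: backport-CVE-2021-33503.patch` only declares the patch; whether it is applied depends on `%prep`, which is outside this diff, so confirm it uses `%autosetup`/`%autopatch` or gains a matching `%patch6000 -p1` line, since the visible `Patch0000` entry gives no hint either way. The number also jumps from the `0000` series used for the existing patch to `6000`; if this distribution reserves the 6000 range for its own non-upstream changes, an upstream backport arguably belongs in the lower range, e.g. `Patch0001: backport-CVE-2021-33503.patch`. The Release bump to 3 and the `1.25.9-3` changelog entry in the other two hunks are consistent with each other and need no change.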