From: JinWang An <jinwang.an@samsung.com>
Date: Tue, 20 Jun 2023 01:24:29 +0000 (+0900)
Subject: [CVE-2023-24329] gh-99418: Make urllib.parse.urlparse enforce that a scheme
X-Git-Tag: submit/tizen_6.0_base/20230622.055407~5^2
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=856bd651825997fd6676175b0f337b8c565755e2;p=platform%2Fupstream%2Fpython3.git

[CVE-2023-24329] gh-99418: Make urllib.parse.urlparse enforce that a scheme
must begin with an alphabetical ASCII character. (#99421)

Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character.

RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`
RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A`

The WHATWG URL spec defines a scheme like this:
`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."`

From 439b9cfaf43080e91c4ad69f312f21fa098befc7 Mon Sep 17 00:00:00 2001
From: Ben Kallus <49924171+kenballus@users.noreply.github.com>
Date: Sun, 13 Nov 2022 18:25:55 +0000

Change-Id: I8ff8e8543e01cbd4cde461571d8ecf5272b3907b
Signed-off-by: JinWang An <jinwang.an@samsung.com>
---

diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
index e6638aee..4f3fcf92 100644
--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -640,6 +640,24 @@ class UrlParseTestCase(unittest.TestCase):
                         with self.assertRaises(ValueError):
                             p.port
 
+    def test_attributes_bad_scheme(self):
+        """Check handling of invalid schemes."""
+        for bytes in (False, True):
+            for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
+                for scheme in (".", "+", "-", "0", "http&", "६http"):
+                    with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
+                        url = scheme + "://www.example.net"
+                        if bytes:
+                            if url.isascii():
+                                url = url.encode("ascii")
+                            else:
+                                continue
+                        p = parse(url)
+                        if bytes:
+                            self.assertEqual(p.scheme, b"")
+                        else:
+                            self.assertEqual(p.scheme, "")
+
     def test_attributes_without_netloc(self):
         # This example is straight from RFC 3261.  It looks like it
         # should allow the username, hostname, and port to be filled
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
index 39c5d6a8..f18f1931 100644
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -422,7 +422,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
         clear_cache()
     netloc = query = fragment = ''
     i = url.find(':')
-    if i > 0:
+    if i > 0 and url[0].isascii() and url[0].isalpha():
         if url[:i] == 'http': # optimize the common case
             url = url[i+1:]
             if url[:2] == '//':