diff options
| -rw-r--r-- | recipes-devtools/python/python3-botocore/0001-Fix-rejecting-URLs-with-unsafe-characters-in-is_vali.patch | 58 | ||||
| -rw-r--r-- | recipes-devtools/python/python3-botocore_1.20.51.bb | 2 |
2 files changed, 60 insertions, 0 deletions
diff --git a/recipes-devtools/python/python3-botocore/0001-Fix-rejecting-URLs-with-unsafe-characters-in-is_vali.patch b/recipes-devtools/python/python3-botocore/0001-Fix-rejecting-URLs-with-unsafe-characters-in-is_vali.patch new file mode 100644 index 00000000..6a43608e --- /dev/null +++ b/recipes-devtools/python/python3-botocore/0001-Fix-rejecting-URLs-with-unsafe-characters-in-is_vali.patch | |||
| @@ -0,0 +1,58 @@ | |||
| 1 | From 370cdf7d708c92bf21a42f15392f7be330cf8f80 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= <mgorny@gentoo.org> | ||
| 3 | Date: Fri, 7 May 2021 19:54:16 +0200 | ||
| 4 | Subject: [PATCH] Fix rejecting URLs with unsafe characters in | ||
| 5 | is_valid_endpoint_url() (#2381) | ||
| 6 | |||
| 7 | Detect unsafe characters in is_valid_endpoint_url() | ||
| 8 | and is_valid_ipv6_endpoint_url() early, in order to fix rejecting | ||
| 9 | invalid URLs with Python 3.9.5+ and other versions carrying bpo-43882 | ||
| 10 | fix. In these versions, urlsplit() silently strips LF, CR and HT | ||
| 11 | characters while splitting the URL, effectively disarming the validator | ||
| 12 | in botocore. | ||
| 13 | |||
| 14 | The solution is based on a similar fix in Django. | ||
| 15 | |||
| 16 | Fixes #2377 | ||
| 17 | --- | ||
| 18 | botocore/utils.py | 10 ++++++++++ | ||
| 19 | 1 file changed, 10 insertions(+) | ||
| 20 | |||
| 21 | diff --git a/botocore/utils.py b/botocore/utils.py | ||
| 22 | index 378972248..d35dd64bb 100644 | ||
| 23 | --- a/botocore/utils.py | ||
| 24 | +++ b/botocore/utils.py | ||
| 25 | @@ -173,6 +173,10 @@ ZONE_ID_PAT = "(?:%25|%)(?:[" + UNRESERVED_PAT + "]|%[a-fA-F0-9]{2})+" | ||
| 26 | IPV6_ADDRZ_PAT = r"\[" + IPV6_PAT + r"(?:" + ZONE_ID_PAT + r")?\]" | ||
| 27 | IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT + "$") | ||
| 28 | |||
| 29 | +# These are the characters that are stripped by post-bpo-43882 urlparse(). | ||
| 30 | +UNSAFE_URL_CHARS = frozenset('\t\r\n') | ||
| 31 | + | ||
| 32 | + | ||
| 33 | def ensure_boolean(val): | ||
| 34 | """Ensures a boolean value if a string or boolean is provided | ||
| 35 | |||
| 36 | @@ -977,6 +981,8 @@ class ArgumentGenerator(object): | ||
| 37 | |||
| 38 | |||
| 39 | def is_valid_ipv6_endpoint_url(endpoint_url): | ||
| 40 | + if UNSAFE_URL_CHARS.intersection(endpoint_url): | ||
| 41 | + return False | ||
| 42 | netloc = urlparse(endpoint_url).netloc | ||
| 43 | return IPV6_ADDRZ_RE.match(netloc) is not None | ||
| 44 | |||
| 45 | @@ -990,6 +996,10 @@ def is_valid_endpoint_url(endpoint_url): | ||
| 46 | :return: True if the endpoint url is valid. False otherwise. | ||
| 47 | |||
| 48 | """ | ||
| 49 | + # post-bpo-43882 urlsplit() strips unsafe characters from URL, causing | ||
| 50 | + # it to pass hostname validation below. Detect them early to fix that. | ||
| 51 | + if UNSAFE_URL_CHARS.intersection(endpoint_url): | ||
| 52 | + return False | ||
| 53 | parts = urlsplit(endpoint_url) | ||
| 54 | hostname = parts.hostname | ||
| 55 | if hostname is None: | ||
| 56 | -- | ||
| 57 | 2.25.1 | ||
| 58 | |||
diff --git a/recipes-devtools/python/python3-botocore_1.20.51.bb b/recipes-devtools/python/python3-botocore_1.20.51.bb index ca506f6f..f71db1fc 100644 --- a/recipes-devtools/python/python3-botocore_1.20.51.bb +++ b/recipes-devtools/python/python3-botocore_1.20.51.bb | |||
| @@ -8,3 +8,5 @@ SRC_URI[sha256sum] = "c853d6c2321e2f2328282c7d49d7b1a06201826ba0e7049c6975ab5f22 | |||
| 8 | inherit pypi setuptools3 | 8 | inherit pypi setuptools3 |
| 9 | 9 | ||
| 10 | RDEPENDS:${PN} += "python3-jmespath python3-dateutil python3-logging" | 10 | RDEPENDS:${PN} += "python3-jmespath python3-dateutil python3-logging" |
| 11 | |||
| 12 | SRC_URI += "file://0001-Fix-rejecting-URLs-with-unsafe-characters-in-is_vali.patch" | ||