Address CVE-2022-0391 for urlparse

ucodery · ucodery · commit 8c70fb47fee8 · 2022-06-23T13:34:54.000-07:00
diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
@@ -569,6 +569,36 @@ def test_telurl_params(self):
         self.assertEqual(p1.params, 'phone-context=+1-914-555')
 
 
+    def test_urlsplit_remove_unsafe_bytes(self):
+        # Remove ASCII tabs and newlines from input
+        url = "http://www.python.org/java\nscript:\talert('msg\r\n')/#frag"
+        p = urlparse.urlsplit(url)
+        self.assertEqual(p.scheme, "http")
+        self.assertEqual(p.netloc, "www.python.org")
+        self.assertEqual(p.path, "/javascript:alert('msg')/")
+        self.assertEqual(p.query, "")
+        self.assertEqual(p.fragment, "frag")
+        self.assertEqual(p.username, None)
+        self.assertEqual(p.password, None)
+        self.assertEqual(p.hostname, "www.python.org")
+        self.assertEqual(p.port, None)
+        self.assertEqual(p.geturl(), "http://www.python.org/javascript:alert('msg')/#frag")
+
+        # Remove ASCII tabs and newlines from input as unicode.
+        url = u"http://www.python.org/java\nscript:\talert('msg\r\n')/#frag"
+        p = urlparse.urlsplit(url)
+        self.assertEqual(p.scheme, u"http")
+        self.assertEqual(p.netloc, u"www.python.org")
+        self.assertEqual(p.path, u"/javascript:alert('msg')/")
+        self.assertEqual(p.query, u"")
+        self.assertEqual(p.fragment, u"frag")
+        self.assertEqual(p.username, None)
+        self.assertEqual(p.password, None)
+        self.assertEqual(p.hostname, u"www.python.org")
+        self.assertEqual(p.port, None)
+        self.assertEqual(p.geturl(), u"http://www.python.org/javascript:alert('msg')/#frag")
+
+
     def test_attributes_bad_port(self):
         """Check handling of non-integer ports."""
         p = urlparse.urlsplit("http://www.example.net:foo")
diff --git a/Lib/urlparse.py b/Lib/urlparse.py
@@ -62,6 +62,9 @@
                 '0123456789'
                 '+-.')
 
+# Unsafe bytes to be removed per WHATWG spec
+_UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r', '\n']
+
 MAX_CACHE_SIZE = 20
 _parse_cache = {}
 
@@ -203,6 +206,8 @@ def urlsplit(url, scheme='', allow_fragments=True):
         if url[:i] == 'http': # optimize the common case
             scheme = url[:i].lower()
             url = url[i+1:]
+            for b in _UNSAFE_URL_BYTES_TO_REMOVE:
+                url = url.replace(b, '')
             if url[:2] == '//':
                 netloc, url = _splitnetloc(url, 2)
                 if (('[' in netloc and ']' not in netloc) or
@@ -227,6 +232,9 @@ def urlsplit(url, scheme='', allow_fragments=True):
                 # not a port number
                 scheme, url = url[:i].lower(), rest
 
+    for b in _UNSAFE_URL_BYTES_TO_REMOVE:
+        url = url.replace(b, '')
+
     if url[:2] == '//':
         netloc, url = _splitnetloc(url, 2)
         if (('[' in netloc and ']' not in netloc) or
