Hello community,

here is the log from the commit of package python310 for openSUSE:Factory 
checked in at 2025-02-09 19:59:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python310 (Old)
 and      /work/SRC/openSUSE:Factory/.python310.new.2316 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python310"

Sun Feb  9 19:59:00 2025 rev:56 rq:1244096 version:3.10.16

Changes:
--------
--- /work/SRC/openSUSE:Factory/python310/python310.changes      2024-12-06 
14:24:58.324926425 +0100
+++ /work/SRC/openSUSE:Factory/.python310.new.2316/python310.changes    
2025-02-09 19:59:13.716959368 +0100
@@ -1,0 +2,7 @@
+Tue Feb  4 14:43:13 UTC 2025 - Matej Cepl <mc...@cepl.eu>
+
+- Add CVE-2025-0938-sq-brackets-domain-names.patch which
+  disallows square brackets ([ and ]) in domain names for parsed
+  URLs (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704)
+
+-------------------------------------------------------------------

New:
----
  CVE-2025-0938-sq-brackets-domain-names.patch


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python310.spec ++++++
--- /var/tmp/diff_new_pack.trMYZ9/_old  2025-02-09 19:59:15.061014629 +0100
+++ /var/tmp/diff_new_pack.trMYZ9/_new  2025-02-09 19:59:15.061014629 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package python310
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -204,6 +204,9 @@
 # PATCH-FIX-UPSTREAM sphinx-802.patch mc...@suse.com
 # status_iterator method moved between the Sphinx versions
 Patch28:        sphinx-802.patch
+# PATCH-FIX-UPSTREAM CVE-2025-0938-sq-brackets-domain-names.patch bsc#1236705 
mc...@suse.com
+# functions `urllib.parse.urlsplit` and `urlparse` accept domain names 
including square brackets
+Patch29:        CVE-2025-0938-sq-brackets-domain-names.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
@@ -487,6 +490,7 @@
 %patch -p1 -P 24
 %patch -p1 -P 27
 %patch -p1 -P 28
+%patch -p1 -P 29
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac

++++++ CVE-2025-0938-sq-brackets-domain-names.patch ++++++
>From d91e2c740890837edafaee24d68112b776cda9c5 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <s...@python.org>
Date: Fri, 31 Jan 2025 11:41:34 -0600
Subject: [PATCH] gh-105704: Disallow square brackets (`[` and `]`) in domain
 names for parsed URLs (GH-129418)

* gh-105704: Disallow square brackets (`[` and `]`) in domain names for parsed URLs

* Use Sphinx references

Co-authored-by: Peter Bierma <zintensity...@gmail.com>

* Add mismatched bracket test cases, fix news format

* Add more test coverage for ports

---------

(cherry picked from commit d89a5f6a6e65511a5f6e0618c4c30a7aa5aba56a)

Co-authored-by: Seth Michael Larson <s...@python.org>
Co-authored-by: Peter Bierma <zintensity...@gmail.com>
---
 Lib/test/test_urlparse.py                                                |   
37 +++++++++-
 Lib/urllib/parse.py                                                      |   
20 ++++-
 Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst |    
4 +
 3 files changed, 58 insertions(+), 3 deletions(-)
 create mode 100644 
Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst

--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
@@ -1149,16 +1149,51 @@ class UrlParseTestCase(unittest.TestCase
         self.assertRaises(ValueError, urllib.parse.urlsplit, 
'Scheme://user@[0439:23af::2309::fae7:1234]/Path?Query')
         self.assertRaises(ValueError, urllib.parse.urlsplit, 
'Scheme://user@[0439:23af:2309::fae7:1234:2342:438e:192.0.2.146]/Path?Query')
         self.assertRaises(ValueError, urllib.parse.urlsplit, 
'Scheme://user@]v6a.ip[/Path')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://prefix.[v6a.ip]')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://[v6a.ip].suffix')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://prefix.[v6a.ip]/')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://[v6a.ip].suffix/')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://prefix.[v6a.ip]?')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://[v6a.ip].suffix?')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://prefix.[::1]')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://[::1].suffix')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://prefix.[::1]/')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://[::1].suffix/')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://prefix.[::1]?')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://[::1].suffix?')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://prefix.[::1]:a')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://[::1].suffix:a')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://prefix.[::1]:a1')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://[::1].suffix:a1')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://prefix.[::1]:1a')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://[::1].suffix:1a')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://prefix.[::1]:')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://[::1].suffix:/')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://prefix.[::1]:?')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://user@prefix.[v6a.ip]')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://user@[v6a.ip].suffix')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://[v6a.ip')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://v6a.ip]')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://]v6a.ip[')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://]v6a.ip')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://v6a.ip[')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://prefix.[v6a.ip')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://v6a.ip].suffix')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://prefix]v6a.ip[suffix')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://prefix]v6a.ip')
+        self.assertRaises(ValueError, urllib.parse.urlsplit, 
'scheme://v6a.ip[suffix')
 
     def test_splitting_bracketed_hosts(self):
-        p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]/path?query')
+        p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]:1234/path?query')
         self.assertEqual(p1.hostname, 'v6a.ip')
         self.assertEqual(p1.username, 'user')
         self.assertEqual(p1.path, '/path')
+        self.assertEqual(p1.port, 1234)
         p2 = 
urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7%test]/path?query')
         self.assertEqual(p2.hostname, '0439:23af:2309::fae7%test')
         self.assertEqual(p2.username, 'user')
         self.assertEqual(p2.path, '/path')
+        self.assertIs(p2.port, None)
         p3 = 
urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7:1234:192.0.2.146%test]/path?query')
         self.assertEqual(p3.hostname, 
'0439:23af:2309::fae7:1234:192.0.2.146%test')
         self.assertEqual(p3.username, 'user')
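Review bot: The accept side of this change is thin compared with the reject side: the only bracketed-host-with-port case that must parse is `[v6a.ip]:1234`, and there is no accepted case with a numeric IPv6 literal plus a port, nor with an empty port after the closing bracket, which the new `_check_bracketed_netloc` lets through because the remainder after `]` is exactly `:`. I would extend `test_splitting_bracketed_hosts` with `self.assertEqual(urllib.parse.urlsplit('scheme://[::1]:8080/').port, 8080)` and `self.assertIs(urllib.parse.urlsplit('scheme://[::1]:/').port, None)`, the second hedged on `.port` treating an empty port as `None`, which is outside this hunk. Both the assertRaises method at the top and `test_splitting_bracketed_hosts` extend beyond the hunk.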
--- a/Lib/urllib/parse.py
+++ b/Lib/urllib/parse.py
@@ -442,6 +442,23 @@ def _checknetloc(netloc):
             raise ValueError("netloc '" + netloc + "' contains invalid " +
                              "characters under NFKC normalization")
 
+def _check_bracketed_netloc(netloc):
+    # Note that this function must mirror the splitting
+    # done in NetlocResultMixins._hostinfo().
+    hostname_and_port = netloc.rpartition('@')[2]
+    before_bracket, have_open_br, bracketed = hostname_and_port.partition('[')
+    if have_open_br:
+        # No data is allowed before a bracket.
+        if before_bracket:
+            raise ValueError("Invalid IPv6 URL")
+        hostname, _, port = bracketed.partition(']')
+        # No data is allowed after the bracket but before the port delimiter.
+        if port and not port.startswith(":"):
+            raise ValueError("Invalid IPv6 URL")
+    else:
+        hostname, _, port = hostname_and_port.partition(':')
+    _check_bracketed_host(hostname)
+
 # Valid bracketed hosts are defined in
 # https://www.rfc-editor.org/rfc/rfc3986#page-49 and 
https://url.spec.whatwg.org/
 def _check_bracketed_host(hostname):
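Review bot: `_check_bracketed_netloc` only verifies that the text after `]` begins with `:`, so `scheme://[::1]:80]` or `scheme://[::1]:abc` still pass `urlsplit()` and are presumably rejected only when `.port` is read; if that intentionally mirrors the unbracketed path, the function should say so, because it otherwise reads as if it validated the port. The `else` branch is reachable only when the brackets are in the userinfo part (the call site requires both `[` and `]` in the netloc and `rpartition('@')` discards everything before the last `@`), and it then passes an unbracketed hostname to `_check_bracketed_host`, so `scheme://us[er]@example.com` likely fails with an IP-address message rather than one naming the real problem; `_check_bracketed_host` starts on the hunk's last line and continues outside it. I would add the docstring `"""Reject a netloc whose '[...]' is not a standalone IPv6/IPvFuture host (optionally followed by ':port'); raises ValueError. The port digits themselves are not validated here."""` and, on the `else` branch, `# '[' sits before the last '@' (userinfo); the host itself is unbracketed.`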
@@ -505,8 +522,7 @@ def urlsplit(url, scheme='', allow_fragm
                 (']' in netloc and '[' not in netloc)):
             raise ValueError("Invalid IPv6 URL")
         if '[' in netloc and ']' in netloc:
-            bracketed_host = netloc.partition('[')[2].partition(']')[0]
-            _check_bracketed_host(bracketed_host)
+            _check_bracketed_netloc(netloc)
     if allow_fragments and '#' in url:
         url, fragment = url.split('#', 1)
     if '?' in url:
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
@@ -0,0 +1,4 @@
+When using :func:`urllib.parse.urlsplit` and :func:`urllib.parse.urlparse` host
+parsing would not reject domain names containing square brackets (``[`` and
+``]``). Square brackets are only valid for IPv6 and IPvFuture hosts according 
to
+`RFC 3986 Section 3.2.2 
<https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2>`__.
