Hello community, here is the log from the commit of package python-rfc3986 for openSUSE:Factory checked in at 2020-04-18 00:26:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-rfc3986 (Old) and /work/SRC/openSUSE:Factory/.python-rfc3986.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-rfc3986" Sat Apr 18 00:26:48 2020 rev:10 rq:794256 version:1.4.0 Changes: -------- --- /work/SRC/openSUSE:Factory/python-rfc3986/python-rfc3986.changes 2019-05-20 13:17:49.835932257 +0200 +++ /work/SRC/openSUSE:Factory/.python-rfc3986.new.2738/python-rfc3986.changes 2020-04-18 00:26:50.601606647 +0200 @@ -1,0 +2,9 @@ +Wed Apr 15 16:02:41 UTC 2020 - Marketa Calabkova <[email protected]> + +- update to 1.4.0 + * Prevent users from receiving an invalid authority parsed from + a malicious URL. + * Add from_uri to URIBuilder to allow creation of a URIBuilder + from an existing URI. + +------------------------------------------------------------------- Old: ---- rfc3986-1.3.2.tar.gz New: ---- rfc3986-1.4.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-rfc3986.spec ++++++ --- /var/tmp/diff_new_pack.vukczo/_old 2020-04-18 00:26:51.545608603 +0200 +++ /var/tmp/diff_new_pack.vukczo/_new 2020-04-18 00:26:51.549608611 +0200 @@ -1,7 +1,7 @@ # # spec file for package python-rfc3986 # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +18,7 @@ %{?!python_module:%define python_module() python-%{**} python3-%{**}} Name: python-rfc3986 -Version: 1.3.2 +Version: 1.4.0 Release: 0 Summary: Python module for validating URI references per RFC 3986 License: Apache-2.0 
@@ -28,10 +28,10 @@ BuildRequires: %{python_module setuptools} BuildRequires: fdupes BuildRequires: python-rpm-macros +BuildArch: noarch # SECTION test requirements BuildRequires: %{python_module pytest} # /SECTION -BuildArch: noarch %python_subpackages %description ++++++ rfc3986-1.3.2.tar.gz -> rfc3986-1.4.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rfc3986-1.3.2/PKG-INFO new/rfc3986-1.4.0/PKG-INFO --- old/rfc3986-1.3.2/PKG-INFO 2019-05-13 17:58:07.000000000 +0200 +++ new/rfc3986-1.4.0/PKG-INFO 2020-04-08 01:26:57.000000000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: rfc3986 -Version: 1.3.2 +Version: 1.4.0 Summary: Validating URI References per RFC 3986 Home-page: http://rfc3986.readthedocs.io Author: Ian Stapleton Cordasco diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rfc3986-1.3.2/docs/source/api-ref/builder.rst new/rfc3986-1.4.0/docs/source/api-ref/builder.rst --- old/rfc3986-1.3.2/docs/source/api-ref/builder.rst 2019-05-13 17:56:16.000000000 +0200 +++ new/rfc3986-1.4.0/docs/source/api-ref/builder.rst 2020-04-08 01:00:47.000000000 +0200 @@ -4,6 +4,8 @@ .. autoclass:: rfc3986.builder.URIBuilder +.. automethod:: rfc3986.builder.URIBuilder.from_uri + .. automethod:: rfc3986.builder.URIBuilder.add_scheme .. automethod:: rfc3986.builder.URIBuilder.add_credentials diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rfc3986-1.3.2/docs/source/release-notes/1.4.0.rst new/rfc3986-1.4.0/docs/source/release-notes/1.4.0.rst --- old/rfc3986-1.3.2/docs/source/release-notes/1.4.0.rst 1970-01-01 01:00:00.000000000 +0100 +++ new/rfc3986-1.4.0/docs/source/release-notes/1.4.0.rst 2020-04-08 01:26:38.000000000 +0200 
@@ -0,0 +1,39 @@ +1.3.0 -- 2020-04-07 +------------------- + +Security +~~~~~~~~ + +- Prevent users from receiving an invalid authority parsed from a malicious + URL. Previously we did not stop parsing the authority section at the first + backslash (``\\``) character. As a result, it was possible to trick our + parser into parsing up to the first forward-slash (``/``) and thus + generating an invalid authority. + + See also `GitHub pr-64`_ and `the blog post that sparked this change`_ + +Bug Fixes and Features +~~~~~~~~~~~~~~~~~~~~~~ + +- Add ``from_uri`` to ``URIBuilder`` to allow creation of a ``URIBuilder`` + from an existing URI. + + See also `GitHub pr-63`_ + +- Fix a typographical error in our documentation. + + See also `GitHub pr-61`_ + +.. links + +.. _GitHub pr-61: + https://github.com/python-hyper/rfc3986/pull/61 + +.. _GitHub pr-63: + https://github.com/python-hyper/rfc3986/pull/63 + +.. _GitHub pr-64: + https://github.com/python-hyper/rfc3986/pull/64 + +.. _the blog post that sparked this change: + https://bugs.xdavidhu.me/google/2020/03/08/the-unexpected-google-wide-domain-check-bypass/ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rfc3986-1.3.2/docs/source/release-notes/index.rst new/rfc3986-1.4.0/docs/source/release-notes/index.rst --- old/rfc3986-1.3.2/docs/source/release-notes/index.rst 2019-05-13 17:56:16.000000000 +0200 +++ new/rfc3986-1.4.0/docs/source/release-notes/index.rst 2020-04-08 01:26:38.000000000 +0200 @@ -10,6 +10,7 @@ .. toctree:: + 1.4.0 1.3.2 1.3.1 1.3.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rfc3986-1.3.2/docs/source/user/building.rst new/rfc3986-1.4.0/docs/source/user/building.rst --- old/rfc3986-1.3.2/docs/source/user/building.rst 2019-05-13 17:56:16.000000000 +0200 +++ new/rfc3986-1.4.0/docs/source/user/building.rst 2020-04-08 01:00:47.000000000 +0200 
@@ -42,6 +42,17 @@ ... ).finalize().unsplit()) https://github.com +It is possible to update an existing URI by constructing a builder from an +instance of :class:`~rfc3986.uri.URIReference` or a textual representation: + +.. doctest:: + + >>> from rfc3986 import builder + >>> print(builder.URIBuilder.from_uri("http://github.com").add_scheme( + ... 'https' + ... ).finalize().unsplit()) + https://github.com + Each time you invoke a method, you get a new instance of a :class:`~rfc3986.builder.URIBuilder` class so you can build several different URLs from one base instance. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rfc3986-1.3.2/src/rfc3986/__init__.py new/rfc3986-1.4.0/src/rfc3986/__init__.py --- old/rfc3986-1.3.2/src/rfc3986/__init__.py 2019-05-13 17:56:16.000000000 +0200 +++ new/rfc3986-1.4.0/src/rfc3986/__init__.py 2020-04-08 01:26:38.000000000 +0200 @@ -35,8 +35,8 @@ __author__ = 'Ian Stapleton Cordasco' __author_email__ = '[email protected]' __license__ = 'Apache v2.0' -__copyright__ = 'Copyright 2014 Rackspace' -__version__ = '1.3.2' +__copyright__ = 'Copyright 2014 Rackspace; 2016 Ian Stapleton Cordasco' +__version__ = '1.4.0' __all__ = ( 'ParseResult', diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rfc3986-1.3.2/src/rfc3986/abnf_regexp.py new/rfc3986-1.4.0/src/rfc3986/abnf_regexp.py --- old/rfc3986-1.3.2/src/rfc3986/abnf_regexp.py 2019-05-13 17:56:16.000000000 +0200 +++ new/rfc3986-1.4.0/src/rfc3986/abnf_regexp.py 2020-04-08 01:00:47.000000000 +0200 
@@ -41,7 +41,7 @@
 # than appear in Appendix B for scheme. This will prevent over-eager
 # consuming of items that aren't schemes.
 SCHEME_RE = '[a-zA-Z][a-zA-Z0-9+.-]*'
-_AUTHORITY_RE = '[^/?#]*'
+_AUTHORITY_RE = '[^\\\\/?#]*'
 _PATH_RE = '[^?#]*'
 _QUERY_RE = '[^#]*'
 _FRAGMENT_RE = '.*'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rfc3986-1.3.2/src/rfc3986/builder.py new/rfc3986-1.4.0/src/rfc3986/builder.py
--- old/rfc3986-1.3.2/src/rfc3986/builder.py 2019-05-13 17:56:16.000000000 +0200
+++ new/rfc3986-1.4.0/src/rfc3986/builder.py 2020-04-08 01:00:47.000000000 +0200
@@ -16,6 +16,7 @@
 from . import compat
 from . import normalizers
 from . import uri
+from . import uri_reference
 class URIBuilder(object):
@@ -63,6 +64,26 @@
 'query={b.query}, fragment={b.fragment})')
 return formatstr.format(b=self)
+ @classmethod
+ def from_uri(cls, reference):
+ """Initialize the URI builder from another URI.
+
+ Takes the given URI reference and creates a new URI builder instance
+ populated with the values from the reference. If given a string it will
+ try to convert it to a reference before constructing the builder.
+ """
+ if not isinstance(reference, uri.URIReference):
+ reference = uri_reference(reference)
+ return cls(
+ scheme=reference.scheme,
+ userinfo=reference.userinfo,
+ host=reference.host,
+ port=reference.port,
+ path=reference.path,
+ query=reference.query,
+ fragment=reference.fragment
+ )
+
 def add_scheme(self, scheme):
 """Add a scheme to our builder object.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rfc3986-1.3.2/src/rfc3986/uri.py new/rfc3986-1.4.0/src/rfc3986/uri.py
--- old/rfc3986-1.3.2/src/rfc3986/uri.py 2019-05-13 17:56:16.000000000 +0200
+++ new/rfc3986-1.4.0/src/rfc3986/uri.py 2020-04-08 01:00:47.000000000 +0200
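Review bot: The new `_AUTHORITY_RE` character class carries no explanation of why a backslash now terminates the authority, so the rationale lives only in the release notes and the next reader may "simplify" it back to `'[^/?#]*'`. A one-line comment above the constant would anchor it: `# A backslash also ends the authority: browsers treat '\' like '/' in special schemes, so '[^/?#]*' alone let text up to the first '/' be taken as the host (see release-notes/1.4.0).` Because `'[^\\\\/?#]*'` is a non-raw literal, the four backslashes become `\\` in the pattern, i.e. one escaped backslash inside the class; a raw string `r'[^\\/?#]*'` says the same thing more directly, if the module's other patterns permit the style. Note that `_PATH_RE = '[^?#]*'` still accepts a backslash, so the excluded tail lands in the path rather than being rejected — whether later validation flags it is not visible in this hunk.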
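Review bot: `from . import uri_reference` pulls a name out of the package `__init__` into a submodule, which only works as long as `rfc3986/__init__.py` never imports `builder` itself; importing `uri_reference` from the module that defines it would remove that cycle risk, if such a module exists. The `from_uri` docstring also does not say what `reference` may be or what happens with other input; if the module's other methods use Sphinx field lists, `:param reference: a :class:`~rfc3986.uri.URIReference` or a string that is parsed with ``uri_reference``` and `:returns: a new :class:`URIBuilder` populated from the reference` would match them. Since the guard is only `isinstance(reference, uri.URIReference)`, any other non-string object (an IRI reference, for example) is passed straight to `uri_reference()`, which is worth either documenting or rejecting with a `TypeError`. `add_scheme` continues outside the hunk.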
@@ -73,7 +73,7 @@
 .. attribute:: host
- The hostname, IPv4, or IPv6 adddres parsed from the authority.
+ The hostname, IPv4, or IPv6 address parsed from the authority.
 .. attribute:: port
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rfc3986-1.3.2/src/rfc3986.egg-info/PKG-INFO new/rfc3986-1.4.0/src/rfc3986.egg-info/PKG-INFO
--- old/rfc3986-1.3.2/src/rfc3986.egg-info/PKG-INFO 2019-05-13 17:58:07.000000000 +0200
+++ new/rfc3986-1.4.0/src/rfc3986.egg-info/PKG-INFO 2020-04-08 01:26:57.000000000 +0200
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: rfc3986
-Version: 1.3.2
+Version: 1.4.0
 Summary: Validating URI References per RFC 3986
 Home-page: http://rfc3986.readthedocs.io
 Author: Ian Stapleton Cordasco
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rfc3986-1.3.2/src/rfc3986.egg-info/SOURCES.txt new/rfc3986-1.4.0/src/rfc3986.egg-info/SOURCES.txt
--- old/rfc3986-1.3.2/src/rfc3986.egg-info/SOURCES.txt 2019-05-13 17:58:07.000000000 +0200
+++ new/rfc3986-1.4.0/src/rfc3986.egg-info/SOURCES.txt 2020-04-08 01:26:57.000000000 +0200
@@ -29,6 +29,7 @@
 docs/source/release-notes/1.3.0.rst
 docs/source/release-notes/1.3.1.rst
 docs/source/release-notes/1.3.2.rst
+docs/source/release-notes/1.4.0.rst
 docs/source/release-notes/index.rst
 docs/source/user/building.rst
 docs/source/user/parsing.rst
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rfc3986-1.3.2/tests/test_builder.py new/rfc3986-1.4.0/tests/test_builder.py
--- old/rfc3986-1.3.2/tests/test_builder.py 2019-05-13 17:56:16.000000000 +0200
+++ new/rfc3986-1.4.0/tests/test_builder.py 2020-04-08 01:00:47.000000000 +0200
@@ -15,7 +15,7 @@
 """Module containing the tests for the URIBuilder object."""
 import pytest
-from rfc3986 import builder
+from rfc3986 import builder, uri_reference
 def test_builder_default():
@@ -29,6 +29,29 @@
 assert uribuilder.query is None
 assert uribuilder.fragment is None
+
+def test_from_uri_reference():
+ uri = uri_reference("http://foo.bar:1234/baz")
+ uribuilder = builder.URIBuilder().from_uri(uri)
+ assert uribuilder.scheme == 'http'
+ assert uribuilder.userinfo is None
+ assert uribuilder.host == 'foo.bar'
+ assert uribuilder.port == '1234'
+ assert uribuilder.path == '/baz'
+ assert uribuilder.query is None
+ assert uribuilder.fragment is None
+
+
+def test_from_uri_string():
+ uribuilder = builder.URIBuilder().from_uri("https://bar.foo:4321/boom")
+ assert uribuilder.scheme == 'https'
+ assert uribuilder.userinfo is None
+ assert uribuilder.host == 'bar.foo'
+ assert uribuilder.port == '4321'
+ assert uribuilder.path == '/boom'
+ assert uribuilder.query is None
+ assert uribuilder.fragment is None
+
 def test_repr():
 """Verify our repr looks like our class."""
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rfc3986-1.3.2/tests/test_uri.py new/rfc3986-1.4.0/tests/test_uri.py
--- old/rfc3986-1.3.2/tests/test_uri.py 2019-05-13 17:56:16.000000000 +0200
+++ new/rfc3986-1.4.0/tests/test_uri.py 2020-04-08 01:00:47.000000000 +0200
@@ -351,3 +351,15 @@
 ref = URIReference.from_string(url)
 assert ref.query == ''
 assert ref.unsplit() == url
+
+
+def test_wide_domain_bypass_check():
+ """Verify we properly parse/handle the authority.
+
+ See also:
+ https://bugs.xdavidhu.me/google/2020/03/08/the-unexpected-google-wide-domain-check-bypass/
+ """
+ url = "https://user:[email protected]\\test.corp.google.com:8080/path/to/something?param=value#hash"
+ ref = URIReference.from_string(url)
+ assert ref.scheme == "https"
+ assert ref.host == "xdavidhu.me"
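Review bot: Both new tests invoke the classmethod through a throwaway instance, `builder.URIBuilder().from_uri(uri)`, whereas the usage added to building.rst is `builder.URIBuilder.from_uri(...)`; calling `builder.URIBuilder.from_uri(uri)` exercises the documented form and stops the test from implying instance state matters. The two cases also share one shape (scheme, host, port, path), so the `userinfo`, `query` and `fragment` keyword arguments that `from_uri` copies are only ever checked against `None` — one reference carrying all three would cover them. `test_repr` continues outside the hunk.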
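Review bot: The regression test pins only `ref.scheme` and `ref.host`, so it would still pass if a later regex change pushed the credentials, the port or the `\test.corp...` tail into an unexpected component; asserting `ref.userinfo`, `ref.port` and `ref.path` as well (in particular that `ref.path` starts with the backslash) locks in where the truncated authority's remainder goes. Since `_PATH_RE` still admits a backslash, it is also worth asserting whether `ref.is_valid()` rejects this reference — RFC 3986 allows no unencoded backslash in any component — and, if it does not, saying so in the test docstring so callers know parsing alone is not a validity check. The component values implied above assume the authority now ends at the first backslash, as the new `_AUTHORITY_RE` suggests.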
