1From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001 2From: "Miss Islington (bot)" 3 <31488909+miss-islington@users.noreply.github.com> 4Date: Sun, 13 Nov 2022 11:00:25 -0800 5Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme 6 must begin with an alphabetical ASCII character. (GH-99421) 7 8Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character. 9 10RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )` 11RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A` 12 13The WHATWG URL spec defines a scheme like this: 14`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."` 15(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7) 16 17Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com> 18--- end original header --- 19 20CVE: CVE-2023-24329 21 22Upstream-Status: Backport [see below] 23 24Taken from https://github.com/python/cpython.git 25commit 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 26 27CVE fix extracted; test case and update to NEWS abandoned. 28Defuzzed. 29 30Signed-off-by: Joe Slater <joe.slater@windriver.com> 31--- 32 Lib/urllib/parse.py | 2 +- 33 1 file changed, 1 insertion(+), 1 deletion(-) 34 35diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py 36index 26ddf30..1c53acb 100644 37--- a/Lib/urllib/parse.py 38+++ b/Lib/urllib/parse.py 39@@ -469,7 +469,7 @@ def urlsplit(url, scheme='', allow_fragments=True): 40 clear_cache() 41 netloc = query = fragment = '' 42 i = url.find(':') 43- if i > 0: 44+ if i > 0 and url[0].isascii() and url[0].isalpha(): 45 for c in url[:i]: 46 if c not in scheme_chars: 47 break 48-- 492.25.1 50 51