head 1.2; access; symbols pkgsrc-2026Q1:1.2.0.34 pkgsrc-2026Q1-base:1.2 pkgsrc-2025Q4:1.2.0.32 pkgsrc-2025Q4-base:1.2 pkgsrc-2025Q3:1.2.0.30 pkgsrc-2025Q3-base:1.2 pkgsrc-2025Q2:1.2.0.28 pkgsrc-2025Q2-base:1.2 pkgsrc-2025Q1:1.2.0.26 pkgsrc-2025Q1-base:1.2 pkgsrc-2024Q4:1.2.0.24 pkgsrc-2024Q4-base:1.2 pkgsrc-2024Q3:1.2.0.22 pkgsrc-2024Q3-base:1.2 pkgsrc-2024Q2:1.2.0.20 pkgsrc-2024Q2-base:1.2 pkgsrc-2024Q1:1.2.0.18 pkgsrc-2024Q1-base:1.2 pkgsrc-2023Q4:1.2.0.16 pkgsrc-2023Q4-base:1.2 pkgsrc-2023Q3:1.2.0.14 pkgsrc-2023Q3-base:1.2 pkgsrc-2023Q2:1.2.0.12 pkgsrc-2023Q2-base:1.2 pkgsrc-2023Q1:1.2.0.10 pkgsrc-2023Q1-base:1.2 pkgsrc-2022Q4:1.2.0.8 pkgsrc-2022Q4-base:1.2 pkgsrc-2022Q3:1.2.0.6 pkgsrc-2022Q3-base:1.2 pkgsrc-2022Q2:1.2.0.4 pkgsrc-2022Q2-base:1.2 pkgsrc-2022Q1:1.2.0.2 pkgsrc-2022Q1-base:1.2 pkgsrc-2021Q4:1.1.0.4 pkgsrc-2021Q4-base:1.1 pkgsrc-2021Q3:1.1.0.2; locks; strict; comment @# @; 1.2 date 2022.02.25.22.41.32; author gutteridge; state Exp; branches; next 1.1; commitid FXDIYdHVh9lvd3uD; 1.1 date 2021.10.10.03.00.59; author gutteridge; state Exp; branches 1.1.2.1 1.1.4.1; next ; commitid 9ljVlIyHdtvaadcD; 1.1.2.1 date 2021.10.10.03.00.59; author tm; state dead; branches; next 1.1.2.2; commitid mvFnfUhuwmaU3HcD; 1.1.2.2 date 2021.10.13.21.04.01; author tm; state Exp; branches; next ; commitid mvFnfUhuwmaU3HcD; 1.1.4.1 date 2022.03.03.19.33.58; author bsiegert; state Exp; branches; next ; commitid efuiTAYA57P12OuD; desc @@ 1.2 log @python27: fix two security issues Addresses CVE-2021-4189 and CVE-2022-0391. Patches sourced via Fedora. 
@ text @$NetBSD: patch-Doc_library_urlparse.rst,v 1.1 2021/10/10 03:00:59 gutteridge Exp $ Fix CVE-2021-23336: Add `separator` argument to parse_qs; warn with default Via Fedora: https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336.patch Fix CVE-2022-0391: urlparse does not sanitize URLs containing ASCII newline and tabs Via Fedora: https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00377-CVE-2022-0391.patch --- Doc/library/urlparse.rst.orig 2020-04-19 21:13:39.000000000 +0000 +++ Doc/library/urlparse.rst @@@@ -125,6 +125,9 @@@@ The :mod:`urlparse` module defines the f decomposed before parsing, or is not a Unicode string, no error will be raised. + Following the `WHATWG spec`_ that updates RFC 3986, ASCII newline + ``\n``, ``\r`` and tab ``\t`` characters are stripped from the URL. + .. versionchanged:: 2.5 Added attributes to return value. @@@@ -136,7 +139,7 @@@@ The :mod:`urlparse` module defines the f now raise :exc:`ValueError`. -.. function:: parse_qs(qs[, keep_blank_values[, strict_parsing[, max_num_fields]]]) +.. function:: parse_qs(qs[, keep_blank_values[, strict_parsing[, max_num_fields[, separator]]]]) Parse a query string given as a string argument (data of type :mimetype:`application/x-www-form-urlencoded`). Data are returned as a @@@@ -157,6 +160,15 @@@@ The :mod:`urlparse` module defines the f read. If set, then throws a :exc:`ValueError` if there are more than *max_num_fields* fields read. + The optional argument *separator* is the symbol to use for separating the + query arguments. It is recommended to set it to ``'&'`` or ``';'``. + It defaults to ``'&'``; a warning is raised if this default is used. 
+ This default may be changed with the following environment variable settings: + + - ``PYTHON_URLLIB_QS_SEPARATOR='&'``: use only ``&`` as separator, without warning (as in Python 3.6.13+ or 3.10) + - ``PYTHON_URLLIB_QS_SEPARATOR=';'``: use only ``;`` as separator + - ``PYTHON_URLLIB_QS_SEPARATOR=legacy``: use both ``&`` and ``;`` (as in previous versions of Python) + Use the :func:`urllib.urlencode` function to convert such dictionaries into query strings. @@@@ -186,6 +198,9 @@@@ The :mod:`urlparse` module defines the f read. If set, then throws a :exc:`ValueError` if there are more than *max_num_fields* fields read. + The optional argument *separator* is the symbol to use for separating the + query arguments. It works as in :py:func:`parse_qs`. + Use the :func:`urllib.urlencode` function to convert such lists of pairs into query strings. @@@@ -195,6 +210,7 @@@@ The :mod:`urlparse` module defines the f .. versionchanged:: 2.7.16 Added *max_num_fields* parameter. + .. function:: urlunparse(parts) Construct a URL from a tuple as returned by ``urlparse()``. The *parts* argument @@@@ -308,6 +324,10 @@@@ The :mod:`urlparse` module defines the f .. seealso:: + `WHATWG`_ - URL Living standard + Working Group for the URL Standard that defines URLs, domains, IP addresses, the + application/x-www-form-urlencoded format, and their API. + :rfc:`3986` - Uniform Resource Identifiers This is the current standard (STD66). Any changes to urlparse module should conform to this. Certain deviations could be observed, which are @@@@ -332,6 +352,7 @@@@ The :mod:`urlparse` module defines the f :rfc:`1738` - Uniform Resource Locators (URL) This specifies the formal syntax and semantics of absolute URLs. +.. _WHATWG: https://url.spec.whatwg.org/ .. _urlparse-result-object: @ 1.1 log @python27: fix various security issues Addresses CVE-2020-27619, CVE-2021-3177, CVE-2021-3733, CVE-2021-3737 and CVE-2021-23336. Patches mostly sourced via Fedora. 
@ text @d1 1 a1 1 $NetBSD$ d7 4 d13 11 a23 1 @@@@ -136,7 +136,7 @@@@ The :mod:`urlparse` module defines the f d32 1 a32 1 @@@@ -157,6 +157,15 @@@@ The :mod:`urlparse` module defines the f d48 1 a48 1 @@@@ -186,6 +195,9 @@@@ The :mod:`urlparse` module defines the f d58 1 a58 1 @@@@ -195,6 +207,7 @@@@ The :mod:`urlparse` module defines the f d66 19 @ 1.1.4.1 log @Pullup ticket #6595 - requested by gutteridge lang/python27: security fix (CVE-2021-4189, CVE-2022-0391) Revisions pulled up: - lang/python27/Makefile 1.99 - lang/python27/distinfo 1.89 - lang/python27/patches/patch-Doc_library_urlparse.rst 1.2 - lang/python27/patches/patch-Lib_ftplib.py 1.1 - lang/python27/patches/patch-Lib_test_test__ftplib.py 1.1 - lang/python27/patches/patch-Lib_test_test__urlparse.py 1.2 - lang/python27/patches/patch-Lib_urlparse.py 1.3 --- Module Name: pkgsrc Committed By: gutteridge Date: Fri Feb 25 22:41:32 UTC 2022 Modified Files: pkgsrc/lang/python27: Makefile distinfo pkgsrc/lang/python27/patches: patch-Doc_library_urlparse.rst patch-Lib_test_test__urlparse.py patch-Lib_urlparse.py Added Files: pkgsrc/lang/python27/patches: patch-Lib_ftplib.py patch-Lib_test_test__ftplib.py Log Message: python27: fix two security issues Addresses CVE-2021-4189 and CVE-2022-0391. Patches sourced via Fedora. @ text @a6 4 Fix CVE-2022-0391: urlparse does not sanitize URLs containing ASCII newline and tabs Via Fedora: https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00377-CVE-2022-0391.patch d9 1 a9 11 @@@@ -125,6 +125,9 @@@@ The :mod:`urlparse` module defines the f decomposed before parsing, or is not a Unicode string, no error will be raised. + Following the `WHATWG spec`_ that updates RFC 3986, ASCII newline + ``\n``, ``\r`` and tab ``\t`` characters are stripped from the URL. + .. versionchanged:: 2.5 Added attributes to return value. 
@@@@ -136,7 +139,7 @@@@ The :mod:`urlparse` module defines the f d18 1 a18 1 @@@@ -157,6 +160,15 @@@@ The :mod:`urlparse` module defines the f d34 1 a34 1 @@@@ -186,6 +198,9 @@@@ The :mod:`urlparse` module defines the f d44 1 a44 1 @@@@ -195,6 +210,7 @@@@ The :mod:`urlparse` module defines the f a51 19 @@@@ -308,6 +324,10 @@@@ The :mod:`urlparse` module defines the f .. seealso:: + `WHATWG`_ - URL Living standard + Working Group for the URL Standard that defines URLs, domains, IP addresses, the + application/x-www-form-urlencoded format, and their API. + :rfc:`3986` - Uniform Resource Identifiers This is the current standard (STD66). Any changes to urlparse module should conform to this. Certain deviations could be observed, which are @@@@ -332,6 +352,7 @@@@ The :mod:`urlparse` module defines the f :rfc:`1738` - Uniform Resource Locators (URL) This specifies the formal syntax and semantics of absolute URLs. +.. _WHATWG: https://url.spec.whatwg.org/ .. _urlparse-result-object: @ 1.1.2.1 log @file patch-Doc_library_urlparse.rst was added on branch pkgsrc-2021Q3 on 2021-10-13 21:04:01 +0000 @ text @d1 51 @ 1.1.2.2 log @Pullup ticket #6513 - requested by gutteridge lang/python27: security fix Revisions pulled up: - lang/python27/Makefile 1.94 - lang/python27/distinfo 1.85 - lang/python27/patches/patch-Doc_library_cgi.rst 1.1 - lang/python27/patches/patch-Doc_library_urlparse.rst 1.1 - lang/python27/patches/patch-Lib_cgi.py 1.1 - lang/python27/patches/patch-Lib_ctypes_test_test__parameters.py 1.1 - lang/python27/patches/patch-Lib_httplib.py 1.4 - lang/python27/patches/patch-Lib_test_multibytecodec__support.py 1.1 - lang/python27/patches/patch-Lib_test_test__cgi.py 1.1 - lang/python27/patches/patch-Lib_test_test__httplib.py 1.4 - lang/python27/patches/patch-Lib_test_test__urlparse.py 1.1 - lang/python27/patches/patch-Lib_urllib2.py 1.3 - lang/python27/patches/patch-Lib_urlparse.py 1.1 - lang/python27/patches/patch-Modules___ctypes_callproc.c 1.2 --- Module Name: pkgsrc 
Committed By: gutteridge Date: Sun Oct 10 03:00:59 UTC 2021 Modified Files: pkgsrc/lang/python27: Makefile distinfo pkgsrc/lang/python27/patches: patch-Lib_httplib.py patch-Lib_test_test__httplib.py patch-Lib_urllib2.py patch-Modules___ctypes_callproc.c Added Files: pkgsrc/lang/python27/patches: patch-Doc_library_cgi.rst patch-Doc_library_urlparse.rst patch-Lib_cgi.py patch-Lib_ctypes_test_test__parameters.py patch-Lib_test_multibytecodec__support.py patch-Lib_test_test__cgi.py patch-Lib_test_test__urlparse.py patch-Lib_urlparse.py Log Message: python27: fix various security issues Addresses CVE-2020-27619, CVE-2021-3177, CVE-2021-3733, CVE-2021-3737 and CVE-2021-23336. Patches mostly sourced via Fedora. @ text @a0 51 $NetBSD: patch-Doc_library_urlparse.rst,v 1.1 2021/10/10 03:00:59 gutteridge Exp $ Fix CVE-2021-23336: Add `separator` argument to parse_qs; warn with default Via Fedora: https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336.patch --- Doc/library/urlparse.rst.orig 2020-04-19 21:13:39.000000000 +0000 +++ Doc/library/urlparse.rst @@@@ -136,7 +136,7 @@@@ The :mod:`urlparse` module defines the f now raise :exc:`ValueError`. -.. function:: parse_qs(qs[, keep_blank_values[, strict_parsing[, max_num_fields]]]) +.. function:: parse_qs(qs[, keep_blank_values[, strict_parsing[, max_num_fields[, separator]]]]) Parse a query string given as a string argument (data of type :mimetype:`application/x-www-form-urlencoded`). Data are returned as a @@@@ -157,6 +157,15 @@@@ The :mod:`urlparse` module defines the f read. If set, then throws a :exc:`ValueError` if there are more than *max_num_fields* fields read. + The optional argument *separator* is the symbol to use for separating the + query arguments. It is recommended to set it to ``'&'`` or ``';'``. + It defaults to ``'&'``; a warning is raised if this default is used. 
+ This default may be changed with the following environment variable settings: + + - ``PYTHON_URLLIB_QS_SEPARATOR='&'``: use only ``&`` as separator, without warning (as in Python 3.6.13+ or 3.10) + - ``PYTHON_URLLIB_QS_SEPARATOR=';'``: use only ``;`` as separator + - ``PYTHON_URLLIB_QS_SEPARATOR=legacy``: use both ``&`` and ``;`` (as in previous versions of Python) + Use the :func:`urllib.urlencode` function to convert such dictionaries into query strings. @@@@ -186,6 +195,9 @@@@ The :mod:`urlparse` module defines the f read. If set, then throws a :exc:`ValueError` if there are more than *max_num_fields* fields read. + The optional argument *separator* is the symbol to use for separating the + query arguments. It works as in :py:func:`parse_qs`. + Use the :func:`urllib.urlencode` function to convert such lists of pairs into query strings. @@@@ -195,6 +207,7 @@@@ The :mod:`urlparse` module defines the f .. versionchanged:: 2.7.16 Added *max_num_fields* parameter. + .. function:: urlunparse(parts) Construct a URL from a tuple as returned by ``urlparse()``. The *parts* argument @
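Review bot: the paragraph added by the urlparse() hunk at -125,6 +125,9 (revision 1.2 text) links to `WHATWG spec`_, but the only target the patch defines is ".. _WHATWG: https://url.spec.whatwg.org/" in the hunk at -332,6 +352,7. Unless the file already carries a "WHATWG spec" target outside the visible context, that reference will not resolve; rename it to `WHATWG`_ or add a matching ".. _WHATWG spec:" target. The same paragraph documents a behaviour change (``\n``, ``\r`` and ``\t`` are now stripped from the URL) without a ".. versionchanged::" entry, even though the next context line shows the section already uses that directive, so a reader cannot tell from which release the stripping applies.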
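Review bot: in the parse_qs() hunk at -157,6 +160,15 (-157,6 +157,15 in the 1.1 text), the ``PYTHON_URLLIB_QS_SEPARATOR=legacy`` bullet says only "as in previous versions of Python" and does not say that splitting on both ``&`` and ``;`` is the parsing the CVE-2021-23336 fix named in the patch header moves away from. Say so on the bullet, so that someone who sets it to silence the warning knows it restores the pre-patch behaviour. The paragraph also leaves two things unstated that a caller needs: whether an explicit *separator* argument takes precedence over the environment variable, and which warning category is raised when the default is used.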
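Review bot: the parse_qsl() hunk at -186,6 +198,9 (-186,6 +195,9 in the 1.1 text) cross-references with :py:func:`parse_qs`, while the unchanged context two lines below uses the plain :func: role (:func:`urllib.urlencode`). Use :func:`parse_qs` to match the rest of the file.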
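Review bot: the hunk at -195,6 +210,7 (-195,6 +207,7 in the 1.1 text) adds only a blank line after the ".. versionchanged:: 2.7.16 Added *max_num_fields* parameter." entry, and no hunk in the patch adds a ".. versionchanged::" entry for the new *separator* parameter of parse_qs() and parse_qsl(). Replace the blank line with such an entry for the release that carries the patch (and repeat it under parse_qs()), or drop the whitespace-only change.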