gh-103848: Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format #103849
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
All commit authors signed the Contributor License Agreement. |
JohnJamesUtley
force-pushed
the
fix-issue-using-ipmodule
branch
from
f840480 to
df34308
Compare
|
Most changes to Python require a NEWS entry. Please add it using the blurb_it web app or the blurb command-line tool. |
…Pv6 or IPvFuture format
JohnJamesUtley
force-pushed
the
fix-issue-using-ipmodule
branch
from
f33126b to
37bc08c
Compare
gpshead
requested changes
May 9, 2023
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
…kets, adds comments, and a new test
|
I have made the requested changes; please review again You're correct that |
|
Thanks for making the requested changes! @gpshead: please review the changes made to this pull request. |
gpshead
approved these changes
May 9, 2023
gpshead
added
type-bug
|
Thanks @JohnJamesUtley for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.11. |
|
GH-104349 is a backport of this pull request to the 3.11 branch. |
gpshead
pushed a commit
to gpshead/cpython
that referenced
this pull request
May 10, 2023
…und by urlsplit are of IPv6 or IPvFuture format (pythonGH-103849) * Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format --------- Co-authored-by: Gregory P. Smith <[email protected]> (cherry picked from commit 29f348e) Co-authored-by: JohnJamesUtley <[email protected]>
gpshead
added a commit
that referenced
this pull request
May 10, 2023
… urlsplit are of IPv6 or IPvFuture format (GH-103849) (#104349) gh-103848: Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format (GH-103849) * Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format --------- (cherry picked from commit 29f348e) Co-authored-by: JohnJamesUtley <[email protected]> Co-authored-by: Gregory P. Smith <[email protected]>
carljm
added a commit
to carljm/cpython
that referenced
this pull request
May 10, 2023
* main: pythonGH-102181: Improve specialization stats for SEND (pythonGH-102182) pythongh-103000: Optimise `dataclasses.asdict` for the common case (python#104364) pythongh-103538: Remove unused TK_AQUA code (pythonGH-103539) pythonGH-87695: Fix OSError from `pathlib.Path.glob()` (pythonGH-104292) pythongh-104263: Rely on Py_NAN and introduce Py_INFINITY (pythonGH-104202) pythongh-104010: Separate and improve docs for `typing.get_origin` and `typing.get_args` (python#104013) pythongh-101819: Adapt _io._BufferedIOBase_Type methods to Argument Clinic (python#104355) pythongh-103960: Dark mode: invert image brightness (python#103983) pythongh-104252: Immortalize Py_EMPTY_KEYS (pythongh-104253) pythongh-101819: Clean up _io windows console io after pythongh-104197 (python#104354) pythongh-101819: Harden _io init (python#104352) pythongh-103247: clear the module cache in a test in test_importlib/extensions/test_loader.py (pythonGH-104226) pythongh-103848: Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format (python#103849) pythongh-74895: adjust tests to work on Solaris (python#104326) pythongh-101819: Refactor _io in preparation for module isolation (python#104334) pythongh-90953: Don't use deprecated AST nodes in clinic.py (python#104322) pythongh-102327: Extend docs for "url" and "headers" parameters to HTTPConnection.request() pythongh-104328: Fix typo in ``typing.Generic`` multiple inheritance error message (python#104335)
frenzymadness
pushed a commit
to frenzymadness/cpython
that referenced
this pull request
Nov 13, 2024
…und by urlsplit are of IPv6 or IPvFuture format (pythonGH-103849) (python#104349) pythongh-103848: Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format (pythonGH-103849) * Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format --------- (cherry picked from commit 29f348e) Co-authored-by: JohnJamesUtley <[email protected]> Co-authored-by: Gregory P. Smith <[email protected]>
frenzymadness
added a commit
to frenzymadness/cpython
that referenced
this pull request
Nov 14, 2024
…und by urlsplit are of IPv6 or IPvFuture format (pythonGH-103849) (python#104349) pythongh-103848: Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format (pythonGH-103849) * Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format Tests are adjusted because Python <3.9 don't support scoped IPv6 addresses. (cherry picked from commit 29f348e) Co-authored-by: JohnJamesUtley <[email protected]> Co-authored-by: Gregory P. Smith <[email protected]> Co-authored-by: Lumír Balhar <[email protected]>
frenzymadness
added a commit
to frenzymadness/cpython
that referenced
this pull request
Nov 14, 2024
pythongh-103848: Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format (pythonGH-103849) Tests are adjusted because Python <3.9 don't support scoped IPv6 addresses. (cherry picked from commit 29f348e) Co-authored-by: JohnJamesUtley <[email protected]> Co-authored-by: Gregory P. Smith <[email protected]> Co-authored-by: Lumír Balhar <[email protected]>
frenzymadness
added a commit
to fedora-python/cpython
that referenced
this pull request
Nov 14, 2024
pythongh-103848: Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format (pythonGH-103849) Tests are adjusted because Python <3.9 don't support scoped IPv6 addresses. (cherry picked from commit 29f348e) Co-authored-by: JohnJamesUtley <[email protected]> Co-authored-by: Gregory P. Smith <[email protected]> Co-authored-by: Lumír Balhar <[email protected]>
This was referenced Nov 15, 2024
vstinner
pushed a commit
to vstinner/cpython
that referenced
this pull request
Nov 18, 2024
…urlsplit are of IPv6 or IPvFuture format (python#103849) * Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format --------- Co-authored-by: Gregory P. Smith <[email protected]> (cherry picked from commit 29f348e)
|
GH-126975 is a backport of this pull request to the 3.10 branch. |
vstinner
pushed a commit
to vstinner/cpython
that referenced
this pull request
Nov 18, 2024
…urlsplit are of IPv6 or IPvFuture format (python#103849) * Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format --------- Co-authored-by: Gregory P. Smith <[email protected]> (cherry picked from commit 29f348e)
|
GH-126976 is a backport of this pull request to the 3.9 branch. |
|
Hi @miss-islington and @gpshead - how do I ensure I'm using a version of Python with this vulnerability fixed? I'm supporting a team that uses hardened containers from Iron Bank and I don't believe the approved containers will get the back port updates. Since 3.11 is the newest version mentioned here for a back port, does the initial release of 3.12 include this fix? |
The release date of Pyton3.12 is 2023-10, so of course, 3.12 contains this patch. BTW miss-islington is a bot for PR. 😉 |
felixxm
added a commit
to felixxm/django
that referenced
this pull request
Dec 1, 2024
…vFuture addresses. Refs Python CVE-2024-11168. Django should not affected, but others who incorrectly use internal function url_has_allowed_host_and_scheme() with unsanitized input could be at risk. python/cpython#103849
felixxm
added a commit
to felixxm/django
that referenced
this pull request
Dec 1, 2024
…ly validate IPv6 and IPvFuture addresses. Refs Python CVE-2024-11168. Django should not affected, but others who incorrectly use internal function url_has_allowed_host_and_scheme() with unsanitized input could be at risk. python/cpython#103849
felixxm
added a commit
to felixxm/django
that referenced
this pull request
Dec 1, 2024
…ly validate IPv6 and IPvFuture addresses. Refs Python CVE-2024-11168. Django should not affected, but others who incorrectly use internal function url_has_allowed_host_and_scheme() with unsanitized input could be at risk. python/cpython#103849
felixxm
added a commit
to felixxm/django
that referenced
this pull request
Dec 1, 2024
…ly validate IPv6 and IPvFuture addresses. Refs Python CVE-2024-11168. Django should not affected, but others who incorrectly use internal function _urlsplit() with unsanitized input could be at risk. python/cpython#103849
felixxm
added a commit
to felixxm/django
that referenced
this pull request
Dec 1, 2024
…ly validate IPv6 and IPvFuture addresses. Refs Python CVE-2024-11168. Django should not affected, but others who incorrectly use internal function _urlsplit() with unsanitized input could be at risk. python/cpython#103849
ambv
pushed a commit
that referenced
this pull request
Dec 2, 2024
…urlsplit are of IPv6 or IPvFuture format (#103849) (#126976) Co-authored-by: Gregory P. Smith <[email protected]> (cherry picked from commit 29f348e) Co-authored-by: JohnJamesUtley <[email protected]>
ambv
pushed a commit
that referenced
this pull request
Dec 2, 2024
… urlsplit are of IPv6 or IPvFuture format (#103849) (#126975) Co-authored-by: Gregory P. Smith <[email protected]> (cherry picked from commit 29f348e) Co-authored-by: JohnJamesUtley <[email protected]>
felixxm
added a commit
to felixxm/django
that referenced
this pull request
Dec 2, 2024
…ly validate IPv6 and IPvFuture addresses. Refs Python CVE-2024-11168. Django should not affected, but others who incorrectly use internal function _urlsplit() with unsanitized input could be at risk. python/cpython#103849
sarahboyce
pushed a commit
to felixxm/django
that referenced
this pull request
Dec 3, 2024
…ly validate IPv6 and IPvFuture addresses. Refs Python CVE-2024-11168. Django should not affected, but others who incorrectly use internal function _urlsplit() with unsanitized input could be at risk. python/cpython#103849
sarahboyce
pushed a commit
to django/django
that referenced
this pull request
Dec 3, 2024
…ly validate IPv6 and IPvFuture addresses. Refs Python CVE-2024-11168. Django should not affected, but others who incorrectly use internal function _urlsplit() with unsanitized input could be at risk. python/cpython#103849
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Addresses #103848