Commit5b4b64c

authored

Add more tests to prevent regression of CVE 2024 47081

Remove workaround not needed since py38 for os.path.expanduser.

1 parent7bc4587 commit5b4b64cCopy full SHA for 5b4b64c

File tree

+20

-8

lines changed

+20

-8

lines changed

Lines changed: 1 addition & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -219,14 +219,7 @@ def get_netrc_auth(url, raise_errors=False):`
`219`	`219`	`netrc_path=None`
`220`	`220`
`221`	`221`	`forfinnetrc_locations:`
`222`		`-try:`
`223`		`-loc=os.path.expanduser(f)`
`224`		`-exceptKeyError:`
`225`		`-# os.path.expanduser can fail when $HOME is undefined and`
`226`		`-# getpwuid fails. See https://bugs.python.org/issue20164 &`
`227`		`-# https://github.com/psf/requests/issues/1846`
`228`		`-return`
`229`		`-`
	`222`	`+loc=os.path.expanduser(f)`
`230`	`223`	`ifos.path.exists(loc):`
`231`	`224`	`netrc_path=loc`
`232`	`225`	`break`

Lines changed: 19 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@`
`23`	`23`	`get_encoding_from_headers,`
`24`	`24`	`get_encodings_from_content,`
`25`	`25`	`get_environ_proxies,`
	`26`	`+get_netrc_auth,`
`26`	`27`	`guess_filename,`
`27`	`28`	`guess_json_utf,`
`28`	`29`	`is_ipv4_address,`
`@@ -152,6 +153,24 @@ def test_super_len_with_no_matches(self):`
`152`	`153`	`assertsuper_len(object())==0`
`153`	`154`
`154`	`155`
	`156`	`+classTestGetNetrcAuth:`
	`157`	`+deftest_works(self,tmp_path,monkeypatch):`
	`158`	`+netrc_path=tmp_path/".netrc"`
	`159`	`+monkeypatch.setenv("NETRC",str(netrc_path))`
	`160`	`+withopen(netrc_path,"w")asf:`
	`161`	`+f.write("machine example.com login aaaa password bbbb\n")`
	`162`	`+auth=get_netrc_auth("http://example.com/thing")`
	`163`	`+assertauth== ("aaaa","bbbb")`
	`164`	`+`
	`165`	`+deftest_not_vulnerable_to_bad_url_parsing(self,tmp_path,monkeypatch):`
	`166`	`+netrc_path=tmp_path/".netrc"`
	`167`	`+monkeypatch.setenv("NETRC",str(netrc_path))`
	`168`	`+withopen(netrc_path,"w")asf:`
	`169`	`+f.write("machine example.com login aaaa password bbbb\n")`
	`170`	`+auth=get_netrc_auth("http://example.com:@evil.com/'")`
	`171`	`+assertauthisNone`
	`172`	`+`
	`173`	`+`
`155`	`174`	`classTestToKeyValList:`
`156`	`175`	`@pytest.mark.parametrize(`
`157`	`176`	`"value, expected",`

Comments

(0)