Pullup ticket #6595 - requested by gutteridge

lang/python27: security fix (CVE-2021-4189, CVE-2022-0391)

Revisions pulled up:
- lang/python27/Makefile                                        1.99
- lang/python27/distinfo                                        1.89
- lang/python27/patches/patch-Doc_library_urlparse.rst          1.2
- lang/python27/patches/patch-Lib_ftplib.py                     1.1
- lang/python27/patches/patch-Lib_test_test__ftplib.py          1.1
- lang/python27/patches/patch-Lib_test_test__urlparse.py        1.2
- lang/python27/patches/patch-Lib_urlparse.py                   1.3

---
   Module Name:    pkgsrc
   Committed By:   gutteridge
   Date:           Fri Feb 25 22:41:32 UTC 2022

   Modified Files:
           pkgsrc/lang/python27: Makefile distinfo
           pkgsrc/lang/python27/patches: patch-Doc_library_urlparse.rst
               patch-Lib_test_test__urlparse.py patch-Lib_urlparse.py
   Added Files:
           pkgsrc/lang/python27/patches: patch-Lib_ftplib.py
               patch-Lib_test_test__ftplib.py

   Log Message:
   python27: fix two security issues

   Addresses CVE-2021-4189 and CVE-2022-0391. Patches sourced via Fedora.

7 files changed, 235 insertions, 17 deletions

diff --git a/lang/python27/Makefile b/lang/python27/Makefile
index a3e08f60bd0..d7fbec9ec86 100644
--- a/lang/python27/Makefile
+++ b/lang/python27/Makefile
@@ -1,9 +1,10 @@
-# $NetBSD: Makefile,v 1.96 2021/12/08 16:05:22 adam Exp $
+# $NetBSD: Makefile,v 1.96.2.1 2022/03/03 19:33:58 bsiegert Exp $
 
 .include "dist.mk"
 
 PKGNAME=	python27-${PY_DISTVERSION}
-PKGREVISION=	6
+# NOTE: The nb7 update was not pulled up.
+PKGREVISION=	8
 CATEGORIES=	lang python
 
 MAINTAINER=	pkgsrc-users@NetBSD.org
diff --git a/lang/python27/distinfo b/lang/python27/distinfo
index b7b1c06e5e5..f6a607592d3 100644
--- a/lang/python27/distinfo
+++ b/lang/python27/distinfo
@@ -1,10 +1,10 @@
-$NetBSD: distinfo,v 1.87 2021/10/27 23:58:55 gutteridge Exp $
+$NetBSD: distinfo,v 1.87.2.1 2022/03/03 19:33:58 bsiegert Exp $
 
 BLAKE2s (Python-2.7.18.tar.xz) = 1b673ec8c9362a178e044691392bc4f67ad13457d7fddd84a88de346f23f9812
 SHA512 (Python-2.7.18.tar.xz) = a7bb62b51f48ff0b6df0b18f5b0312a523e3110f49c3237936bfe56ed0e26838c0274ff5401bda6fc21bf24337477ccac49e8026c5d651e4b4cafb5eb5086f6c
 Size (Python-2.7.18.tar.xz) = 12854736 bytes
 SHA1 (patch-Doc_library_cgi.rst) = ed9ac101b0857dc573e9a648694d1ee5fabe61fb
-SHA1 (patch-Doc_library_urlparse.rst) = f9714b945a2bacb4ec5360c151a42192e00f08ad
+SHA1 (patch-Doc_library_urlparse.rst) = ceaea3a4577ba7d3055ffb3b3c8ffbbdda7e1d32
 SHA1 (patch-Include_pyerrors.h) = 0d2cd52d18cc719b895fa32ed7e11c6cb15bae54
 SHA1 (patch-Include_pyport.h) = f3e4ddbc954425a65301465410911222ca471320
 SHA1 (patch-Lib___osx__support.py) = 4389472565616b3875c699f6e3e74850d5fde712
@@ -20,6 +20,7 @@ SHA1 (patch-Lib_distutils_command_install__egg__info.py) = ec7f9e0cd04489b1f6497
 SHA1 (patch-Lib_distutils_tests_test__build__ext.py) = 6b3c8c8d1d351836b239c049d34d132953bd4786
 SHA1 (patch-Lib_distutils_unixccompiler.py) = db16c9aca2f29730945f28247b88b18828739bbb
 SHA1 (patch-Lib_distutils_util.py) = 5bcfad96f8e490351160f1a7c1f4ece7706a33fa
+SHA1 (patch-Lib_ftplib.py) = 6679c4ea109dcb5d56d86a55343954e0368b9138
 SHA1 (patch-Lib_httplib.py) = b8eeaa203e2a86ece94148d192b2a7e0c078602a
 SHA1 (patch-Lib_lib2to3_pgen2_driver.py) = 5d6dab14197f27363394ff1aeee22a8ced8026d2
 SHA1 (patch-Lib_multiprocessing_process.py) = 15699bd8ec822bf54a0631102e00e0a34f882803
@@ -28,13 +29,14 @@ SHA1 (patch-Lib_sysconfig.py) = 8a7a0e5cbfec279a05945dffafea1b1131a76f0e
 SHA1 (patch-Lib_tarfile.py) = df00aa1941367c42dcbbed4b6658b724a22ddcde
 SHA1 (patch-Lib_test_multibytecodec__support.py) = a18c40e8009f1a8f63e15196d3e751d7dccf8367
 SHA1 (patch-Lib_test_test__cgi.py) = 724355e8d2195f8a4b76d7ea61133e9b14fa3a68
+SHA1 (patch-Lib_test_test__ftplib.py) = 4b22c8a963ccf6f60ca49be003bf026e1b0b632d
 SHA1 (patch-Lib_test_test__httplib.py) = f7cfa5501a63eaca539bfa53d38cf931f3a6c3ac
 SHA1 (patch-Lib_test_test__platform.py) = 3a3b8c05f9bf9adf4862b1022ce864127d36b8b0
 SHA1 (patch-Lib_test_test__unicode.py) = 1bd182bdbd880d0a847f9d8b69277a607f9f0526
 SHA1 (patch-Lib_test_test__urllib2.py) = 89baa57daf2f3282e4fc5009915dbc4910b96ef1
-SHA1 (patch-Lib_test_test__urlparse.py) = 257cb3bf7a0e9b5e0dcb204f675959b10953ba7b
+SHA1 (patch-Lib_test_test__urlparse.py) = d98df667a34eebb994fe1d54a1decb8359df897e
 SHA1 (patch-Lib_urllib2.py) = 0cc0dc811bb9544496962e08b040b5c96fb9073c
-SHA1 (patch-Lib_urlparse.py) = 69db5325a19474113e72c1feeb895a25534412c4
+SHA1 (patch-Lib_urlparse.py) = 1f102bb85acd99a8be976f9d5b0fdb1a7abf5725
 SHA1 (patch-Mac_Tools_pythonw.c) = 2b9a60d4b349c240471fd305be69c28e0f654cdc
 SHA1 (patch-Makefile.pre.in) = ceaf34237588b527478ce1f9163c9168382fa201
 SHA1 (patch-Modules___ctypes_callbacks.c) = 8c335edfc9d2ef47988c5bdf1c3dd8473757637b
diff --git a/lang/python27/patches/patch-Doc_library_urlparse.rst b/lang/python27/patches/patch-Doc_library_urlparse.rst
index 5ac8f5801fa..3d8676ba601 100644
--- a/lang/python27/patches/patch-Doc_library_urlparse.rst
+++ b/lang/python27/patches/patch-Doc_library_urlparse.rst
@@ -1,12 +1,26 @@
-$NetBSD: patch-Doc_library_urlparse.rst,v 1.1 2021/10/10 03:00:59 gutteridge Exp $
+$NetBSD: patch-Doc_library_urlparse.rst,v 1.1.4.1 2022/03/03 19:33:58 bsiegert Exp $
 
 Fix CVE-2021-23336: Add `separator` argument to parse_qs; warn with default
 Via Fedora:
 https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336.patch
 
+Fix CVE-2022-0391: urlparse does not sanitize URLs containing ASCII newline and tabs
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00377-CVE-2022-0391.patch
+
 --- Doc/library/urlparse.rst.orig	2020-04-19 21:13:39.000000000 +0000
 +++ Doc/library/urlparse.rst
-@@ -136,7 +136,7 @@ The :mod:`urlparse` module defines the f
+@@ -125,6 +125,9 @@ The :mod:`urlparse` module defines the f
+    decomposed before parsing, or is not a Unicode string, no error will be
+    raised.
+ 
++   Following the `WHATWG spec`_ that updates RFC 3986, ASCII newline
++   ``\n``, ``\r`` and tab ``\t`` characters are stripped from the URL.
++
+    .. versionchanged:: 2.5
+       Added attributes to return value.
+ 
+@@ -136,7 +139,7 @@ The :mod:`urlparse` module defines the f
        now raise :exc:`ValueError`.
  
  
@@ -15,7 +29,7 @@ https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336
  
     Parse a query string given as a string argument (data of type
     :mimetype:`application/x-www-form-urlencoded`).  Data are returned as a
-@@ -157,6 +157,15 @@ The :mod:`urlparse` module defines the f
+@@ -157,6 +160,15 @@ The :mod:`urlparse` module defines the f
     read. If set, then throws a :exc:`ValueError` if there are more than
     *max_num_fields* fields read.
  
@@ -31,7 +45,7 @@ https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336
     Use the :func:`urllib.urlencode` function to convert such dictionaries into
     query strings.
  
-@@ -186,6 +195,9 @@ The :mod:`urlparse` module defines the f
+@@ -186,6 +198,9 @@ The :mod:`urlparse` module defines the f
     read. If set, then throws a :exc:`ValueError` if there are more than
     *max_num_fields* fields read.
  
@@ -41,7 +55,7 @@ https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336
     Use the :func:`urllib.urlencode` function to convert such lists of pairs into
     query strings.
  
-@@ -195,6 +207,7 @@ The :mod:`urlparse` module defines the f
+@@ -195,6 +210,7 @@ The :mod:`urlparse` module defines the f
     .. versionchanged:: 2.7.16
        Added *max_num_fields* parameter.
  
@@ -49,3 +63,22 @@ https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336
  .. function:: urlunparse(parts)
  
     Construct a URL from a tuple as returned by ``urlparse()``. The *parts* argument
+@@ -308,6 +324,10 @@ The :mod:`urlparse` module defines the f
+ 
+ .. seealso::
+ 
++   `WHATWG`_ -  URL Living standard
++      Working Group for the URL Standard that defines URLs, domains, IP addresses, the
++      application/x-www-form-urlencoded format, and their API.
++
+    :rfc:`3986` - Uniform Resource Identifiers
+       This is the current standard (STD66). Any changes to urlparse module
+       should conform to this. Certain deviations could be observed, which are
+@@ -332,6 +352,7 @@ The :mod:`urlparse` module defines the f
+    :rfc:`1738` - Uniform Resource Locators (URL)
+       This specifies the formal syntax and semantics of absolute URLs.
+ 
++.. _WHATWG: https://url.spec.whatwg.org/
+ 
+ .. _urlparse-result-object:
+ 
diff --git a/lang/python27/patches/patch-Lib_ftplib.py b/lang/python27/patches/patch-Lib_ftplib.py
new file mode 100644
index 00000000000..70eda34f1a7
--- /dev/null
+++ b/lang/python27/patches/patch-Lib_ftplib.py
@@ -0,0 +1,32 @@
+$NetBSD: patch-Lib_ftplib.py,v 1.1.2.2 2022/03/03 19:33:58 bsiegert Exp $
+
+Fix CVE-2021-4189: ftplib should not use the host from the PASV response
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00372-CVE-2021-4189.patch
+
+--- Lib/ftplib.py.orig	2020-04-19 21:13:39.000000000 +0000
++++ Lib/ftplib.py
+@@ -108,6 +108,8 @@ class FTP:
+     file = None
+     welcome = None
+     passiveserver = 1
++    # Disables security if set to True. https://bugs.python.org/issue43285
++    trust_server_pasv_ipv4_address = False
+ 
+     # Initialization method (called by class instantiation).
+     # Initialize host to localhost, port to standard ftp port
+@@ -310,8 +312,13 @@ class FTP:
+         return sock
+ 
+     def makepasv(self):
++        """Internal: Does the PASV or EPSV handshake -> (address, port)"""
+         if self.af == socket.AF_INET:
+-            host, port = parse227(self.sendcmd('PASV'))
++            untrusted_host, port = parse227(self.sendcmd('PASV'))
++            if self.trust_server_pasv_ipv4_address:
++                host = untrusted_host
++            else:
++                host = self.sock.getpeername()[0]
+         else:
+             host, port = parse229(self.sendcmd('EPSV'), self.sock.getpeername())
+         return host, port
diff --git a/lang/python27/patches/patch-Lib_test_test__ftplib.py b/lang/python27/patches/patch-Lib_test_test__ftplib.py
new file mode 100644
index 00000000000..39c2bc51223
--- /dev/null
+++ b/lang/python27/patches/patch-Lib_test_test__ftplib.py
@@ -0,0 +1,56 @@
+$NetBSD: patch-Lib_test_test__ftplib.py,v 1.1.2.2 2022/03/03 19:33:58 bsiegert Exp $
+
+Fix CVE-2021-4189: ftplib should not use the host from the PASV response
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00372-CVE-2021-4189.patch
+
+--- Lib/test/test_ftplib.py.orig	2020-04-19 21:13:39.000000000 +0000
++++ Lib/test/test_ftplib.py
+@@ -67,6 +67,10 @@ class DummyFTPHandler(asynchat.async_cha
+         self.rest = None
+         self.next_retr_data = RETR_DATA
+         self.push('220 welcome')
++        # We use this as the string IPv4 address to direct the client
++        # to in response to a PASV command.  To test security behavior.
++        # https://bugs.python.org/issue43285/.
++        self.fake_pasv_server_ip = '252.253.254.255'
+ 
+     def collect_incoming_data(self, data):
+         self.in_buffer.append(data)
+@@ -109,7 +113,8 @@ class DummyFTPHandler(asynchat.async_cha
+         sock.bind((self.socket.getsockname()[0], 0))
+         sock.listen(5)
+         sock.settimeout(10)
+-        ip, port = sock.getsockname()[:2]
++        port = sock.getsockname()[1]
++        ip = self.fake_pasv_server_ip
+         ip = ip.replace('.', ',')
+         p1, p2 = divmod(port, 256)
+         self.push('227 entering passive mode (%s,%d,%d)' %(ip, p1, p2))
+@@ -577,6 +582,26 @@ class TestFTPClass(TestCase):
+         # IPv4 is in use, just make sure send_epsv has not been used
+         self.assertEqual(self.server.handler_instance.last_received_cmd, 'pasv')
+ 
++    def test_makepasv_issue43285_security_disabled(self):
++        """Test the opt-in to the old vulnerable behavior."""
++        self.client.trust_server_pasv_ipv4_address = True
++        bad_host, port = self.client.makepasv()
++        self.assertEqual(
++                bad_host, self.server.handler_instance.fake_pasv_server_ip)
++        # Opening and closing a connection keeps the dummy server happy
++        # instead of timing out on accept.
++        socket.create_connection((self.client.sock.getpeername()[0], port),
++                                 timeout=TIMEOUT).close()
++
++    def test_makepasv_issue43285_security_enabled_default(self):
++        self.assertFalse(self.client.trust_server_pasv_ipv4_address)
++        trusted_host, port = self.client.makepasv()
++        self.assertNotEqual(
++                trusted_host, self.server.handler_instance.fake_pasv_server_ip)
++        # Opening and closing a connection keeps the dummy server happy
++        # instead of timing out on accept.
++        socket.create_connection((trusted_host, port), timeout=TIMEOUT).close()
++
+     def test_line_too_long(self):
+         self.assertRaises(ftplib.Error, self.client.sendcmd,
+                           'x' * self.client.maxline * 2)
diff --git a/lang/python27/patches/patch-Lib_test_test__urlparse.py b/lang/python27/patches/patch-Lib_test_test__urlparse.py
index ebf1b8d3799..16724de2dcb 100644
--- a/lang/python27/patches/patch-Lib_test_test__urlparse.py
+++ b/lang/python27/patches/patch-Lib_test_test__urlparse.py
@@ -1,9 +1,13 @@
-$NetBSD: patch-Lib_test_test__urlparse.py,v 1.1 2021/10/10 03:00:59 gutteridge Exp $
+$NetBSD: patch-Lib_test_test__urlparse.py,v 1.1.4.1 2022/03/03 19:33:58 bsiegert Exp $
 
 Fix CVE-2021-23336: Add `separator` argument to parse_qs; warn with default
 Via Fedora:
 https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336.patch
 
+Fix CVE-2022-0391: urlparse does not sanitize URLs containing ASCII newline and tabs
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00377-CVE-2022-0391.patch
+
 --- Lib/test/test_urlparse.py.orig	2020-04-19 21:13:39.000000000 +0000
 +++ Lib/test/test_urlparse.py
 @@ -3,6 +3,12 @@ import sys
@@ -130,7 +134,63 @@ https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336
      def test_roundtrips(self):
          testcases = [
              ('file:///tmp/junk.txt',
-@@ -626,6 +700,132 @@ class UrlParseTestCase(unittest.TestCase
+@@ -544,6 +618,55 @@ class UrlParseTestCase(unittest.TestCase
+         self.assertEqual(p1.path, '863-1234')
+         self.assertEqual(p1.params, 'phone-context=+1-914-555')
+ 
++    def test_urlsplit_remove_unsafe_bytes(self):
++        # Remove ASCII tabs and newlines from input, for http common case scenario.
++        url = "h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++        p = urlparse.urlsplit(url)
++        self.assertEqual(p.scheme, "http")
++        self.assertEqual(p.netloc, "www.python.org")
++        self.assertEqual(p.path, "/javascript:alert('msg')/")
++        self.assertEqual(p.query, "query=something")
++        self.assertEqual(p.fragment, "fragment")
++        self.assertEqual(p.username, None)
++        self.assertEqual(p.password, None)
++        self.assertEqual(p.hostname, "www.python.org")
++        self.assertEqual(p.port, None)
++        self.assertEqual(p.geturl(), "http://www.python.org/javascript:alert('msg')/?query=something#fragment")
++
++        # Remove ASCII tabs and newlines from input as bytes, for http common case scenario.
++        url = b"h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++        p = urlparse.urlsplit(url)
++        self.assertEqual(p.scheme, b"http")
++        self.assertEqual(p.netloc, b"www.python.org")
++        self.assertEqual(p.path, b"/javascript:alert('msg')/")
++        self.assertEqual(p.query, b"query=something")
++        self.assertEqual(p.fragment, b"fragment")
++        self.assertEqual(p.username, None)
++        self.assertEqual(p.password, None)
++        self.assertEqual(p.hostname, b"www.python.org")
++        self.assertEqual(p.port, None)
++        self.assertEqual(p.geturl(), b"http://www.python.org/javascript:alert('msg')/?query=something#fragment")
++
++        # any scheme
++        url = "x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++        p = urlparse.urlsplit(url)
++        self.assertEqual(p.geturl(), "x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment")
++
++        # Remove ASCII tabs and newlines from input as bytes, any scheme.
++        url = b"x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++        p = urlparse.urlsplit(url)
++        self.assertEqual(p.geturl(), b"x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment")
++
++        # Unsafe bytes is not returned from urlparse cache.
++        # scheme is stored after parsing, sending an scheme with unsafe bytes *will not* return an unsafe scheme
++        url = "https://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++        scheme = "htt\nps"
++        for _ in range(2):
++            p = urlparse.urlsplit(url, scheme=scheme)
++            self.assertEqual(p.scheme, "https")
++            self.assertEqual(p.geturl(), "https://www.python.org/javascript:alert('msg')/?query=something#fragment")
++
++
+ 
+     def test_attributes_bad_port(self):
+         """Check handling of non-integer ports."""
+@@ -626,6 +749,132 @@ class UrlParseTestCase(unittest.TestCase
          self.assertEqual(urlparse.urlparse("http://www.python.org:80"),
                  ('http','www.python.org:80','','','',''))
  
diff --git a/lang/python27/patches/patch-Lib_urlparse.py b/lang/python27/patches/patch-Lib_urlparse.py
index 4c25e4d53eb..ffdce2e0cd2 100644
--- a/lang/python27/patches/patch-Lib_urlparse.py
+++ b/lang/python27/patches/patch-Lib_urlparse.py
@@ -1,9 +1,13 @@
-$NetBSD: patch-Lib_urlparse.py,v 1.2 2021/10/27 23:58:55 gutteridge Exp $
+$NetBSD: patch-Lib_urlparse.py,v 1.2.2.1 2022/03/03 19:33:58 bsiegert Exp $
 
 Fix CVE-2021-23336: Add `separator` argument to parse_qs; warn with default
 Via Fedora:
 https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336.patch
 
+Fix CVE-2022-0391: urlparse does not sanitize URLs containing ASCII newline and tabs
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00377-CVE-2022-0391.patch
+
 --- Lib/urlparse.py.orig	2020-04-19 21:13:39.000000000 +0000
 +++ Lib/urlparse.py
 @@ -29,6 +29,7 @@ test_urlparse.py provides a good indicat
@@ -14,7 +18,37 @@ https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336
  
  __all__ = ["urlparse", "urlunparse", "urljoin", "urldefrag",
             "urlsplit", "urlunsplit", "parse_qs", "parse_qsl"]
-@@ -382,7 +383,8 @@ def unquote(s):
+@@ -62,6 +63,9 @@ scheme_chars = ('abcdefghijklmnopqrstuvw
+                 '0123456789'
+                 '+-.')
+ 
++# Unsafe bytes to be removed per WHATWG spec
++_UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r', '\n']
++
+ MAX_CACHE_SIZE = 20
+ _parse_cache = {}
+ 
+@@ -184,12 +188,19 @@ def _checknetloc(netloc):
+                              "under NFKC normalization"
+                              % netloc)
+ 
++def _remove_unsafe_bytes_from_url(url):
++    for b in _UNSAFE_URL_BYTES_TO_REMOVE:
++        url = url.replace(b, "")
++    return url
++
+ def urlsplit(url, scheme='', allow_fragments=True):
+     """Parse a URL into 5 components:
+     <scheme>://<netloc>/<path>?<query>#<fragment>
+     Return a 5-tuple: (scheme, netloc, path, query, fragment).
+     Note that we don't break the components up in smaller bits
+     (e.g. netloc is a single string) and we don't expand % escapes."""
++    url = _remove_unsafe_bytes_from_url(url)
++    scheme = _remove_unsafe_bytes_from_url(scheme)
+     allow_fragments = bool(allow_fragments)
+     key = url, scheme, allow_fragments, type(url), type(scheme)
+     cached = _parse_cache.get(key, None)
+@@ -382,7 +393,8 @@ def unquote(s):
              append(item)
      return ''.join(res)
  
@@ -24,7 +58,7 @@ https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336
      """Parse a query given as a string argument.
  
          Arguments:
-@@ -405,14 +407,23 @@ def parse_qs(qs, keep_blank_values=0, st
+@@ -405,14 +417,23 @@ def parse_qs(qs, keep_blank_values=0, st
      """
      dict = {}
      for name, value in parse_qsl(qs, keep_blank_values, strict_parsing,
@@ -50,7 +84,7 @@ https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336
      """Parse a query given as a string argument.
  
      Arguments:
-@@ -434,15 +445,72 @@ def parse_qsl(qs, keep_blank_values=0, s
+@@ -434,15 +455,72 @@ def parse_qsl(qs, keep_blank_values=0, s
  
      Returns a list, as G-d intended.
      """