Fix 536 3.9 urlparse changes

[g-k]

Fixes #536

Currently:

• bleach just uses urlparse to extract a URI scheme/protocol (via urlsplit)

• when http is in allowed_schemes (the default), bleach treats unparseable or empty schemes as implicitly http and safe.

  • AFAIK this aligns with the web url parsing spec and tests treating relative URIs as having the document's base, origin, and scheme.

• CPython <3.9 urlparse treats all digits trailing the first colon in a URL as a port number and puts it in the parsed URL path

• CPython 3.9 urlparse treats everything up to the first colon in the URI as the scheme https://github.com/python/cpython/pull/16837/files#diff-b3712475a413ec972134c0260c8f1eb1deefb66184f740ef00c37b4487ef873eL448-R433

  • bleach relied on the special port number parsing for URIs without a scheme localhost:8000 and worked around it to handle custom schemes/protocols:

    bleach/bleach/sanitizer.py

    Lines 489 to 491 in f5971aa

    	# Handle protocols that urlparse doesn't recognize like "myprotocol"
    	if ":" in new_value and new_value.split(":")[0] in allowed_protocols:
    	return value

Considered a few options:

• ignore it: mark the failing tests as expected failures on 3.9. This gets tests passing, but introduces a breaking change for 3.9 users and doesn't fix the underlying issue.
• vendor an old urlparse version: either vendor 2.7.18 and make it compatible with PY3 or drop Python 3 support and vendor a urlparse version <3.9. This wouldn't introduce breaking changes, but we'd vendor more code
• make the URI sanitizer stricter: stop doing that. This is stricter and more secure, but a breaking change that deviants from the web spec and probably how users expect it to work
• enumerate bad schemes: check for schemes that can deliver malicious content (e.g. javascript:, file:, data:) and block them. Requires adding a blocklist, keeping it up to date, and knowing all potentially evil schemes, which isn't recommended
• match schemes that look like network locations: check if schemes look like valid hostnames or IPv4 or v6 addresses with an optional port (using bits of django's URL validator). Potentially breaking change and might confuse users if they expect allowed_schemes to behave the same as their stdlib urlparse.

This PR:

• implements the last option using the hostname, IP address, and port portions of Django's URL validator
• updates CI and tox to test against 3.9 and use it as the default for other targets
• updates the URI validation tests (details in the last commit message)

Open questions:

Is it safe to trust the Django URL validator for HTML contexts? I think so, or at least I'm not aware of any net locations that are also XSS vectors.

Is the Django code compatible? It's BSD 3 licensed in setup.cfg, which should be compatible with MPL-2 (but also I'm not a lawyer).

If it is compatible, how should we attribute it in bleach?

Note that we ended up vendoring the old urlparse instead see #565 (comment) for the final changes.

[willkg]

Why is the option "vendor all of urlparse" and not "implement a minimal get_schema that does what Bleach needs it to"? Is the latter option difficult for some reason I'm not seeing?

[willkg]

Oops--scratch what I said. I missed stuff in the code changes.

[g-k]

OK!

• moved the django bits to the _vendor namespace
• updated the vendoring scripts so we don't ship all of django
• switched to vendoring django 1.11 since it support 2.7+ (confirmed it uses the same regexes)

r? @willkg

[willkg]

@g-k Can you rebase this? Then I'll test it out.

[g-k]

Yeah I need to bump the version again.

[g-k]

OK rebased

[willkg]

This looks good! I had some minor issues, but I like the approach.

[willkg]

Hooray!

[g-k]

FWIW Freddy pointed out that Django forked urlsplit https://github.com/django/django/blob/main/django/utils/http.py#L287

[g-k]

I'll file an issue and see if anyone runs into this in the wild.

[g-k]

Finally got a chance to spend some time on this.

This PR now:

• vendors the python 3.6.14 urllib.parse, uses it on all python versions (3.9 is the only one using the updated behavior, but it's simpler to not have version specific behavior); so it drops custom URL parsing behavior and django regexes
• updates vendor install and verify scripts (including the changes from Fix 536 3.9 urlparse changes #565 (comment) and Fix 536 3.9 urlparse changes #565 (comment); I don't think the code the other comments were on)

We probably should switch to newer URL parsing code eventually, but this PR keeps the changes minimal to fix the Python 3.9 test failures and avoid breaking changes.

Functional tests (not covered by CI):

• run vendor_install.sh and make sure nothing changes
• run vendor_verify.sh and make sure it passes
• change parse.py then run vendor_verify.sh and make sure it fails
• change parse.py shasum file then run vendor_verify.sh and make sure it fails

r? @willkg when you get some free time

[willkg]

@g-k I need some time to re-load Bleach things into my noggin so as to really go through this. I think I can get to this next week.

[g-k]

@g-k I need some time to re-load Bleach things into my noggin so as to really go through this. I think I can get to this next week.

Thanks! I'll be away and won't get back to this until the end of the month anyway, so there's no rush.

I changed directions a few times on this, so the history is more involved and convoluted than it needs to be.

[willkg]

What a messy situation!

I think this is the right thing to do. It's straight-forward, easy to reason about, and similar to what other projects decided to do. If things come up later, this probably won't make changing our minds later harder. Nicely done!

[g-k]

Minor version bump since we're adding a new vendored dep.

[g-k]

Thanks @willkg! I appreciate your feedback on all the various iterations of the PR.