From e7c5a43984f82ef9634cb0b2b8c4750b2fd431a0 Mon Sep 17 00:00:00 2001
From: "Miss Skeleton (bot)" <31488909+miss-islington@users.noreply.github.com>
Date: Tue, 20 Oct 2020 00:17:58 -0700
Subject: bpo-41471: Ignore invalid prefix lengths in system proxy settings on
 macOS (GH-22762) (GH-22774)

(cherry picked from commit 93a1ccabdede416425473329b8c718d507c55e29)

Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
---
 Lib/test/test_urllib2.py                                     | 12 ++++++++++++
 Lib/urllib/request.py                                        |  5 +++++
 .../next/macOS/2020-10-19-12-25-19.bpo-41471.gwA7un.rst      |  1 +
 3 files changed, 18 insertions(+)
 create mode 100644 Misc/NEWS.d/next/macOS/2020-10-19-12-25-19.bpo-41471.gwA7un.rst

diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
index 091b397..0132059 100644
--- a/Lib/test/test_urllib2.py
+++ b/Lib/test/test_urllib2.py
@@ -1444,6 +1444,18 @@ class HandlerTests(unittest.TestCase):
         bypass = {'exclude_simple': True, 'exceptions': []}
         self.assertTrue(_proxy_bypass_macosx_sysconf('test', bypass))
 
+        # Check that invalid prefix lengths are ignored
+        bypass = {
+            'exclude_simple': False,
+            'exceptions': [ '10.0.0.0/40', '172.19.10.0/24' ]
+        }
+        host = '172.19.10.5'
+        self.assertTrue(_proxy_bypass_macosx_sysconf(host, bypass),
+                        'expected bypass of %s to be True' % host)
+        host = '10.0.1.5'
+        self.assertFalse(_proxy_bypass_macosx_sysconf(host, bypass),
+                        'expected bypass of %s to be False' % host)
+
     def check_basic_auth(self, headers, realm):
         with self.subTest(realm=realm, headers=headers):
             opener = OpenerDirector()
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
index e440738..afd6341 100644
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -2604,6 +2604,11 @@ def _proxy_bypass_macosx_sysconf(host, proxy_settings):
                 mask = 8 * (m.group(1).count('.') + 1)
             else:
                 mask = int(mask[1:])
+
+            if mask < 0 or mask > 32:
+                # System libraries ignore invalid prefix lengths
+                continue
+
             mask = 32 - mask
 
             if (hostIP >> mask) == (base >> mask):
diff --git a/Misc/NEWS.d/next/macOS/2020-10-19-12-25-19.bpo-41471.gwA7un.rst b/Misc/NEWS.d/next/macOS/2020-10-19-12-25-19.bpo-41471.gwA7un.rst
new file mode 100644
index 0000000..db5dd00
--- /dev/null
+++ b/Misc/NEWS.d/next/macOS/2020-10-19-12-25-19.bpo-41471.gwA7un.rst
@@ -0,0 +1 @@
+Ignore invalid prefix lengths in system proxy excludes.
-- 
cgit v0.12