From 1af0c48131df43a2f40c41df540ea8b1886c402d Mon Sep 17 00:00:00 2001
From: Benjamin Eckel
Date: Wed, 8 Nov 2017 18:40:15 -0600
Subject: [PATCH] Fix SSRF: do not use urljoin, quote uuids
---
 recurly/resource.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/recurly/resource.py b/recurly/resource.py
index ca7fb519..fe7ab8fe 100644
--- a/recurly/resource.py
+++ b/recurly/resource.py
@@ -12,7 +12,7 @@
 import recurly.errors
 from recurly.link_header import parse_link_value
 from six.moves import http_client
-from six.moves.urllib.parse import urlencode, urljoin, urlsplit
+from six.moves.urllib.parse import urlencode, urlsplit, quote
 class Money(object):
@@ -342,7 +342,8 @@ def get(cls, uuid):
 can be directly requested with this method.
 """
- url = urljoin(recurly.base_uri(), cls.member_path % (uuid,))
+ uuid = quote(str(uuid))
+ url = recurly.base_uri() + (cls.member_path % (uuid,))
 resp, elem = cls.element_for_url(url)
 return cls.from_element(elem)
@@ -601,7 +602,7 @@ def all(cls, **kwargs):
 parameters.
 """
- url = urljoin(recurly.base_uri(), cls.collection_path)
+ url = recurly.base_uri() + cls.collection_path
 if kwargs:
 url = '%s?%s' % (url, urlencode(kwargs))
 return Page.page_for_url(url)
@@ -623,7 +624,7 @@ def _update(self):
 return self.put(self._url)
 def _create(self):
- url = urljoin(recurly.base_uri(), self.collection_path)
+ url = recurly.base_uri() + self.collection_path
 return self.post(url)
 def put(self, url):
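Review bot: The new `uuid = quote(str(uuid))` line in `get` relies on `quote`'s default `safe='/'`, so a forward slash in the uuid is passed through unencoded and a value like `../other/x` can still steer the request to a different path under `recurly.base_uri()`; `?` and `#` are now escaped, which closes the query and fragment half of the SSRF, but the path half needs `uuid = quote(str(uuid), safe='')`. A bare `.` or `..` value is also left untouched by `quote` and may be normalized away by the server, so rejecting those explicitly before building the URL is worth considering. Since the quoting is the security boundary for this method, a one-line comment above it, `# encode every reserved character so a caller-supplied id cannot change the request path or query`, would keep a later refactor from dropping it. The body of `get` starts before the hunk.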
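Review bot: With `urljoin` replaced by plain concatenation in `all`, `recurly.base_uri() + cls.collection_path` now depends on `base_uri()` returning no trailing slash and `collection_path` carrying a leading one; neither is visible in this hunk, and `urljoin` previously absorbed a doubled or missing slash that `+` will now emit verbatim. Presumably that contract already holds (the `_create` hunk makes the same assumption), but a comment on the `url =` line such as `# base_uri() has no trailing slash; collection_path is absolute, so plain concatenation is safe and avoids urljoin's host override` would record why `urljoin` must not come back. The body of `all` starts before the hunk.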