python-urllib3/python3-urllib3: fix CVE-2020-7212

Optimize _encode_invalid_chars for a denial of service (CPU consumption) CVE: CVE-2020-7212 Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Harpritkaur Bhandari <Harpritkaur.Bhandari@kpit.com> [Add CVE: CVE-2020-7212 to the patch itself] Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Haiqing Bai <Haiqing.Bai@windriver.com> 2021-02-04 11:27:43 +0530
committer: Armin Kuster <akuster808@gmail.com> 2021-02-04 22:43:54 -0800
commit: 55f71e0a18f3fcea14b4ee6ac526cf391632a7f6 (patch)
tree: 931aa5e03219bf28e07ea4b8cb94cd507b1acb77
parent: b1de50b2fcbe43cf10508cece48f229e18009cd0 (diff)
download: meta-openembedded-55f71e0a18f3fcea14b4ee6ac526cf391632a7f6.tar.gz
2 files changed, 57 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch
new file mode 100644
index 000000000..df234e442
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch
@@ -0,0 +1,55 @@
+From aff951b7a41eb5b958b32c49eaa00da02adc9c2d Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Tue, 21 Jan 2020 22:32:56 +0400
+Subject: [PATCH] Optimize _encode_invalid_chars (#1787)
+Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
+Upstream-Status: Backport
+[from git://github.com/urllib3/urllib3.git commit:a2697e7c6b]
+CVE: CVE-2020-7212
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ src/urllib3/util/url.py | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
+index 9675f74..e353937 100644
+--- a/src/urllib3/util/url.py
+++ b/src/urllib3/util/url.py
+@@ -216,18 +216,15 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
+     component = six.ensure_text(component)
+    # Normalize existing percent-encoded bytes.
+     # Try to see if the component we're encoding is already percent-encoded
+     # so we can skip all '%' characters but still encode all others.
+-    percent_encodings = PERCENT_RE.findall(component)
+-
+-    # Normalize existing percent-encoded bytes.
+-    for enc in percent_encodings:
+-        if not enc.isupper():
+-            component = component.replace(enc, enc.upper())
+    component, percent_encodings = PERCENT_RE.subn(
+        lambda match: match.group(0).upper(), component
+    )
+     uri_bytes = component.encode("utf-8", "surrogatepass")
+-    is_percent_encoded = len(percent_encodings) == uri_bytes.count(b"%")
+-
+    is_percent_encoded = percent_encodings == uri_bytes.count(b"%")
+     encoded_component = bytearray()
+     for i in range(0, len(uri_bytes)):
+@@ -237,7 +234,7 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
+         if (is_percent_encoded and byte == b"%") or (
+             byte_ord < 128 and byte.decode() in allowed_chars
+         ):
+-            encoded_component.extend(byte)
+            encoded_component += byte
+             continue
+         encoded_component.extend(b"%" + (hex(byte_ord)[2:].encode().zfill(2).upper()))
+--
+2.23.0
diff --git a/meta-python/recipes-devtools/python/python3-urllib3_1.25.7.bb b/meta-python/recipes-devtools/python/python3-urllib3_1.25.7.bb
index 34c15b6c2..8d987a1f3 100644
--- a/meta-python/recipes-devtools/python/python3-urllib3_1.25.7.bb
+++ b/meta-python/recipes-devtools/python/python3-urllib3_1.25.7.bb
@@ -8,6 +8,8 @@ SRC_URI[sha256sum] = "f3c5fd51747d450d4dcf6f923c81f78f811aab8205fda64b0aba34a4e4
 inherit pypi setuptools3
+SRC_URI += "file://CVE-2020-7212.patch"
 RDEPENDS_${PN} += "\
    ${PYTHON_PN}-certifi \
    ${PYTHON_PN}-cryptography \
author	Haiqing Bai <Haiqing.Bai@windriver.com>	2021-02-04 11:27:43 +0530
committer	Armin Kuster <akuster808@gmail.com>	2021-02-04 22:43:54 -0800
commit	55f71e0a18f3fcea14b4ee6ac526cf391632a7f6 (patch)
tree	931aa5e03219bf28e07ea4b8cb94cd507b1acb77
parent	b1de50b2fcbe43cf10508cece48f229e18009cd0 (diff)
download	meta-openembedded-55f71e0a18f3fcea14b4ee6ac526cf391632a7f6.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch new file mode 100644 index 000000000..df234e442 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch
@@ -0,0 +1,55 @@
		1	From aff951b7a41eb5b958b32c49eaa00da02adc9c2d Mon Sep 17 00:00:00 2001
		2	From: Quentin Pradet <quentin.pradet@gmail.com>
		3	Date: Tue, 21 Jan 2020 22:32:56 +0400
		4	Subject: [PATCH] Optimize _encode_invalid_chars (#1787)
		5
		6	Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
		7
		8	Upstream-Status: Backport
		9	[from git://github.com/urllib3/urllib3.git commit:a2697e7c6b]
		10	CVE: CVE-2020-7212
		11	Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
		12	---
		13	src/urllib3/util/url.py \| 15 ++++++---------
		14	1 file changed, 6 insertions(+), 9 deletions(-)
		15
		16	diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
		17	index 9675f74..e353937 100644
		18	--- a/src/urllib3/util/url.py
		19	+++ b/src/urllib3/util/url.py
		20	@@ -216,18 +216,15 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
		21
		22	component = six.ensure_text(component)
		23
		24	+ # Normalize existing percent-encoded bytes.
		25	# Try to see if the component we're encoding is already percent-encoded
		26	# so we can skip all '%' characters but still encode all others.
		27	- percent_encodings = PERCENT_RE.findall(component)
		28	-
		29	- # Normalize existing percent-encoded bytes.
		30	- for enc in percent_encodings:
		31	- if not enc.isupper():
		32	- component = component.replace(enc, enc.upper())
		33	+ component, percent_encodings = PERCENT_RE.subn(
		34	+ lambda match: match.group(0).upper(), component
		35	+ )
		36
		37	uri_bytes = component.encode("utf-8", "surrogatepass")
		38	- is_percent_encoded = len(percent_encodings) == uri_bytes.count(b"%")
		39	-
		40	+ is_percent_encoded = percent_encodings == uri_bytes.count(b"%")
		41	encoded_component = bytearray()
		42
		43	for i in range(0, len(uri_bytes)):
		44	@@ -237,7 +234,7 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
		45	if (is_percent_encoded and byte == b"%") or (
		46	byte_ord < 128 and byte.decode() in allowed_chars
		47	):
		48	- encoded_component.extend(byte)
		49	+ encoded_component += byte
		50	continue
		51	encoded_component.extend(b"%" + (hex(byte_ord)[2:].encode().zfill(2).upper()))
		52
		53	--
		54	2.23.0
		55


diff --git a/meta-python/recipes-devtools/python/python3-urllib3_1.25.7.bb b/meta-python/recipes-devtools/python/python3-urllib3_1.25.7.bb index 34c15b6c2..8d987a1f3 100644 --- a/meta-python/recipes-devtools/python/python3-urllib3_1.25.7.bb +++ b/meta-python/recipes-devtools/python/python3-urllib3_1.25.7.bb
@@ -8,6 +8,8 @@ SRC_URI[sha256sum] = "f3c5fd51747d450d4dcf6f923c81f78f811aab8205fda64b0aba34a4e4
8		8
9	inherit pypi setuptools3	9	inherit pypi setuptools3
10		10
		11	SRC_URI += "file://CVE-2020-7212.patch"
		12
11	RDEPENDS_${PN} += "\	13	RDEPENDS_${PN} += "\
12	${PYTHON_PN}-certifi \	14	${PYTHON_PN}-certifi \
13	${PYTHON_PN}-cryptography \	15	${PYTHON_PN}-cryptography \