diff options
author | Qi.Chen@windriver.com <Qi.Chen@windriver.com> | 2018-10-17 10:32:11 +0800 |
---|---|---|
committer | Khem Raj <raj.khem@gmail.com> | 2018-10-16 21:23:47 -0700 |
commit | 107eefed37e4af39ec1565c57d03c7f9adea69af (patch) | |
tree | 0c2ccb4b9fddb1b3f4894f5b931e53bf3d16f4e4 /meta-python | |
parent | df9f15caaaa9280aa7c495cf50d2cd7e242cd8b1 (diff) | |
download | meta-openembedded-107eefed37e4af39ec1565c57d03c7f9adea69af.tar.gz |
python-requests: fix CVE-2018-18074
Backport two patches to fix the following CVE.
CVE: CVE-2018-18074
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-python')
3 files changed, 186 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python-requests.inc b/meta-python/recipes-devtools/python/python-requests.inc index efc652d94..301c2f82f 100644 --- a/meta-python/recipes-devtools/python/python-requests.inc +++ b/meta-python/recipes-devtools/python/python-requests.inc | |||
@@ -3,6 +3,12 @@ HOMEPAGE = "http://python-requests.org" | |||
3 | LICENSE = "Apache-2.0" | 3 | LICENSE = "Apache-2.0" |
4 | LIC_FILES_CHKSUM = "file://LICENSE;md5=bfbeafb85a2cee261510d65d5ec19156" | 4 | LIC_FILES_CHKSUM = "file://LICENSE;md5=bfbeafb85a2cee261510d65d5ec19156" |
5 | 5 | ||
6 | FILESEXTRAPATHS_prepend := "${THISDIR}/python-requests:" | ||
7 | |||
8 | SRC_URI += "file://0001-Strip-Authorization-header-whenever-root-URL-changes.patch \ | ||
9 | file://0002-Rework-authorization-stripping-logic-as-discussed.patch \ | ||
10 | " | ||
11 | |||
6 | SRC_URI[md5sum] = "6c1a31afec9d614e2e71a91ee6ca2878" | 12 | SRC_URI[md5sum] = "6c1a31afec9d614e2e71a91ee6ca2878" |
7 | SRC_URI[sha256sum] = "ec22d826a36ed72a7358ff3fe56cbd4ba69dd7a6718ffd450ff0e9df7a47ce6a" | 13 | SRC_URI[sha256sum] = "ec22d826a36ed72a7358ff3fe56cbd4ba69dd7a6718ffd450ff0e9df7a47ce6a" |
8 | 14 | ||
diff --git a/meta-python/recipes-devtools/python/python-requests/0001-Strip-Authorization-header-whenever-root-URL-changes.patch b/meta-python/recipes-devtools/python/python-requests/0001-Strip-Authorization-header-whenever-root-URL-changes.patch new file mode 100644 index 000000000..80ef5ffb1 --- /dev/null +++ b/meta-python/recipes-devtools/python/python-requests/0001-Strip-Authorization-header-whenever-root-URL-changes.patch | |||
@@ -0,0 +1,62 @@ | |||
1 | From fb0d391138df48e93c44a2087ea796cca5e229c0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Bruce Merry <bmerry@ska.ac.za> | ||
3 | Date: Thu, 28 Jun 2018 16:38:42 +0200 | ||
4 | Subject: [PATCH 1/2] Strip Authorization header whenever root URL changes | ||
5 | |||
6 | Previously the header was stripped only if the hostname changed, but in | ||
7 | an https -> http redirect that can leak the credentials on the wire | ||
8 | (#4716). Based on with RFC 7235 section 2.2, the header is now stripped | ||
9 | if the "canonical root URL" (scheme+authority) has changed, by checking | ||
10 | scheme, hostname and port. | ||
11 | |||
12 | Upstream-Status: Backport | ||
13 | |||
14 | Fix CVE-2018-18074 | ||
15 | |||
16 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
17 | --- | ||
18 | requests/sessions.py | 4 +++- | ||
19 | tests/test_requests.py | 12 +++++++++++- | ||
20 | 2 files changed, 14 insertions(+), 2 deletions(-) | ||
21 | |||
22 | diff --git a/requests/sessions.py b/requests/sessions.py | ||
23 | index ba13526..2969d83 100644 | ||
24 | --- a/requests/sessions.py | ||
25 | +++ b/requests/sessions.py | ||
26 | @@ -242,7 +242,9 @@ class SessionRedirectMixin(object): | ||
27 | original_parsed = urlparse(response.request.url) | ||
28 | redirect_parsed = urlparse(url) | ||
29 | |||
30 | - if (original_parsed.hostname != redirect_parsed.hostname): | ||
31 | + if (original_parsed.hostname != redirect_parsed.hostname | ||
32 | + or original_parsed.port != redirect_parsed.port | ||
33 | + or original_parsed.scheme != redirect_parsed.scheme): | ||
34 | del headers['Authorization'] | ||
35 | |||
36 | # .netrc might have more auth for us on our new host. | ||
37 | diff --git a/tests/test_requests.py b/tests/test_requests.py | ||
38 | index fcddb1d..e0e801a 100644 | ||
39 | --- a/tests/test_requests.py | ||
40 | +++ b/tests/test_requests.py | ||
41 | @@ -1575,7 +1575,17 @@ class TestRequests: | ||
42 | auth=('user', 'pass'), | ||
43 | ) | ||
44 | assert r.history[0].request.headers['Authorization'] | ||
45 | - assert not r.request.headers.get('Authorization', '') | ||
46 | + assert 'Authorization' not in r.request.headers | ||
47 | + | ||
48 | + def test_auth_is_stripped_on_scheme_redirect(self, httpbin, httpbin_secure, httpbin_ca_bundle): | ||
49 | + r = requests.get( | ||
50 | + httpbin_secure('redirect-to'), | ||
51 | + params={'url': httpbin('get')}, | ||
52 | + auth=('user', 'pass'), | ||
53 | + verify=httpbin_ca_bundle | ||
54 | + ) | ||
55 | + assert r.history[0].request.headers['Authorization'] | ||
56 | + assert 'Authorization' not in r.request.headers | ||
57 | |||
58 | def test_auth_is_retained_for_redirect_on_host(self, httpbin): | ||
59 | r = requests.get(httpbin('redirect/1'), auth=('user', 'pass')) | ||
60 | -- | ||
61 | 2.7.4 | ||
62 | |||
diff --git a/meta-python/recipes-devtools/python/python-requests/0002-Rework-authorization-stripping-logic-as-discussed.patch b/meta-python/recipes-devtools/python/python-requests/0002-Rework-authorization-stripping-logic-as-discussed.patch new file mode 100644 index 000000000..ef069fb97 --- /dev/null +++ b/meta-python/recipes-devtools/python/python-requests/0002-Rework-authorization-stripping-logic-as-discussed.patch | |||
@@ -0,0 +1,118 @@ | |||
1 | From 698c2fa850bfc8b3bdb768e1c1cd6d57e643811d Mon Sep 17 00:00:00 2001 | ||
2 | From: Bruce Merry <bmerry@ska.ac.za> | ||
3 | Date: Tue, 14 Aug 2018 13:30:43 +0200 | ||
4 | Subject: [PATCH 2/2] Rework authorization stripping logic as discussed | ||
5 | |||
6 | The exception for http->https upgrade now requires the standard HTTP(S) | ||
7 | ports to be used, either implicitly (no port specified) or explicitly. | ||
8 | |||
9 | Upstream-Status: Backport | ||
10 | |||
11 | Follow-up fix for CVE-2018-18074 | ||
12 | |||
13 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
14 | --- | ||
15 | requests/sessions.py | 26 ++++++++++++++++++-------- | ||
16 | tests/test_requests.py | 33 ++++++++++++++++++++++----------- | ||
17 | 2 files changed, 40 insertions(+), 19 deletions(-) | ||
18 | |||
19 | diff --git a/requests/sessions.py b/requests/sessions.py | ||
20 | index 2969d83..c11a3a2 100644 | ||
21 | --- a/requests/sessions.py | ||
22 | +++ b/requests/sessions.py | ||
23 | @@ -115,6 +115,22 @@ class SessionRedirectMixin(object): | ||
24 | return to_native_string(location, 'utf8') | ||
25 | return None | ||
26 | |||
27 | + def should_strip_auth(self, old_url, new_url): | ||
28 | + """Decide whether Authorization header should be removed when redirecting""" | ||
29 | + old_parsed = urlparse(old_url) | ||
30 | + new_parsed = urlparse(new_url) | ||
31 | + if old_parsed.hostname != new_parsed.hostname: | ||
32 | + return True | ||
33 | + # Special case: allow http -> https redirect when using the standard | ||
34 | + # ports. This isn't specified by RFC 7235, but is kept to avoid | ||
35 | + # breaking backwards compatibility with older versions of requests | ||
36 | + # that allowed any redirects on the same host. | ||
37 | + if (old_parsed.scheme == 'http' and old_parsed.port in (80, None) | ||
38 | + and new_parsed.scheme == 'https' and new_parsed.port in (443, None)): | ||
39 | + return False | ||
40 | + # Standard case: root URI must match | ||
41 | + return old_parsed.port != new_parsed.port or old_parsed.scheme != new_parsed.scheme | ||
42 | + | ||
43 | def resolve_redirects(self, resp, req, stream=False, timeout=None, | ||
44 | verify=True, cert=None, proxies=None, yield_requests=False, **adapter_kwargs): | ||
45 | """Receives a Response. Returns a generator of Responses or Requests.""" | ||
46 | @@ -236,16 +252,10 @@ class SessionRedirectMixin(object): | ||
47 | headers = prepared_request.headers | ||
48 | url = prepared_request.url | ||
49 | |||
50 | - if 'Authorization' in headers: | ||
51 | + if 'Authorization' in headers and self.should_strip_auth(response.request.url, url): | ||
52 | # If we get redirected to a new host, we should strip out any | ||
53 | # authentication headers. | ||
54 | - original_parsed = urlparse(response.request.url) | ||
55 | - redirect_parsed = urlparse(url) | ||
56 | - | ||
57 | - if (original_parsed.hostname != redirect_parsed.hostname | ||
58 | - or original_parsed.port != redirect_parsed.port | ||
59 | - or original_parsed.scheme != redirect_parsed.scheme): | ||
60 | - del headers['Authorization'] | ||
61 | + del headers['Authorization'] | ||
62 | |||
63 | # .netrc might have more auth for us on our new host. | ||
64 | new_auth = get_netrc_auth(url) if self.trust_env else None | ||
65 | diff --git a/tests/test_requests.py b/tests/test_requests.py | ||
66 | index e0e801a..148067b 100644 | ||
67 | --- a/tests/test_requests.py | ||
68 | +++ b/tests/test_requests.py | ||
69 | @@ -1567,17 +1567,7 @@ class TestRequests: | ||
70 | preq = req.prepare() | ||
71 | assert test_url == preq.url | ||
72 | |||
73 | - @pytest.mark.xfail(raises=ConnectionError) | ||
74 | - def test_auth_is_stripped_on_redirect_off_host(self, httpbin): | ||
75 | - r = requests.get( | ||
76 | - httpbin('redirect-to'), | ||
77 | - params={'url': 'http://www.google.co.uk'}, | ||
78 | - auth=('user', 'pass'), | ||
79 | - ) | ||
80 | - assert r.history[0].request.headers['Authorization'] | ||
81 | - assert 'Authorization' not in r.request.headers | ||
82 | - | ||
83 | - def test_auth_is_stripped_on_scheme_redirect(self, httpbin, httpbin_secure, httpbin_ca_bundle): | ||
84 | + def test_auth_is_stripped_on_http_downgrade(self, httpbin, httpbin_secure, httpbin_ca_bundle): | ||
85 | r = requests.get( | ||
86 | httpbin_secure('redirect-to'), | ||
87 | params={'url': httpbin('get')}, | ||
88 | @@ -1594,6 +1584,27 @@ class TestRequests: | ||
89 | |||
90 | assert h1 == h2 | ||
91 | |||
92 | + def test_should_strip_auth_host_change(self): | ||
93 | + s = requests.Session() | ||
94 | + assert s.should_strip_auth('http://example.com/foo', 'http://another.example.com/') | ||
95 | + | ||
96 | + def test_should_strip_auth_http_downgrade(self): | ||
97 | + s = requests.Session() | ||
98 | + assert s.should_strip_auth('https://example.com/foo', 'http://example.com/bar') | ||
99 | + | ||
100 | + def test_should_strip_auth_https_upgrade(self): | ||
101 | + s = requests.Session() | ||
102 | + assert not s.should_strip_auth('http://example.com/foo', 'https://example.com/bar') | ||
103 | + assert not s.should_strip_auth('http://example.com:80/foo', 'https://example.com/bar') | ||
104 | + assert not s.should_strip_auth('http://example.com/foo', 'https://example.com:443/bar') | ||
105 | + # Non-standard ports should trigger stripping | ||
106 | + assert s.should_strip_auth('http://example.com:8080/foo', 'https://example.com/bar') | ||
107 | + assert s.should_strip_auth('http://example.com/foo', 'https://example.com:8443/bar') | ||
108 | + | ||
109 | + def test_should_strip_auth_port_change(self): | ||
110 | + s = requests.Session() | ||
111 | + assert s.should_strip_auth('http://example.com:1234/foo', 'https://example.com:4321/bar') | ||
112 | + | ||
113 | def test_manual_redirect_with_partial_body_read(self, httpbin): | ||
114 | s = requests.Session() | ||
115 | r1 = s.get(httpbin('redirect/2'), allow_redirects=False, stream=True) | ||
116 | -- | ||
117 | 2.7.4 | ||
118 | |||