summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-11-06 18:54:52 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-12-06 22:46:45 (GMT)
commitba4fbd376de757a216cc704c24b3894b2c55c8d5 (patch)
tree357fca20e3f614b370d99ae05bf0faa639d7bcb0
parent70799fb93166c7e04008554f5613d0e228cab458 (diff)
downloadpoky-ba4fbd376de757a216cc704c24b3894b2c55c8d5.tar.gz
python-2.7: Security fix CVE-2016-1000110
affects python-2.7 < 2.7.12 (From OE-Core rev: eda260094a793f96ee0b8a79d3266f64797ccc8d) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/python/python/CVE-2016-1000110.patch145
-rw-r--r--meta/recipes-devtools/python/python_2.7.9.bb1
2 files changed, 146 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/CVE-2016-1000110.patch b/meta/recipes-devtools/python/python/CVE-2016-1000110.patch
new file mode 100644
index 0000000..8fd6c45
--- /dev/null
+++ b/meta/recipes-devtools/python/python/CVE-2016-1000110.patch
@@ -0,0 +1,145 @@
1
2# HG changeset patch
3# User Senthil Kumaran <senthil@uthcode.com>
4# Date 1469882993 25200
5# Node ID ba915d561667fa0584ad89f8d5a844fd43803c0d
6# Parent c8c1ea94379a7706638f1571988576d504d7fc98
7Prevent HTTPoxy attack (CVE-2016-1000110)
8
9Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
10indicates that the script is in CGI mode.
11
12Issue reported and patch contributed by Rémi Rampin.
13
14Upstream-Status: Backport
15CVE: CVE-2016-1000110
16Signed-off-by: Armin Kuster <akuster@mvista.com>
17
18Index: Python-2.7.9/Doc/howto/urllib2.rst
19===================================================================
20--- Python-2.7.9.orig/Doc/howto/urllib2.rst
21+++ Python-2.7.9/Doc/howto/urllib2.rst
22@@ -523,6 +523,11 @@ setting up a `Basic Authentication`_ han
23 through a proxy. However, this can be enabled by extending urllib2 as
24 shown in the recipe [#]_.
25
26+.. note::
27+
28+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
29+ the documentation on :func:`~urllib.getproxies`.
30+
31
32 Sockets and Layers
33 ==================
34Index: Python-2.7.9/Doc/library/urllib.rst
35===================================================================
36--- Python-2.7.9.orig/Doc/library/urllib.rst
37+++ Python-2.7.9/Doc/library/urllib.rst
38@@ -288,6 +288,16 @@ Utility functions
39 find it, looks for proxy information from Mac OSX System Configuration for
40 Mac OS X and Windows Systems Registry for Windows.
41
42+ .. note::
43+
44+ If the environment variable ``REQUEST_METHOD`` is set, which usually
45+ indicates your script is running in a CGI environment, the environment
46+ variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
47+ because that variable can be injected by a client using the "Proxy:"
48+ HTTP header. If you need to use an HTTP proxy in a CGI environment,
49+ either use ``ProxyHandler`` explicitly, or make sure the variable name
50+ is in lowercase (or at least the ``_proxy`` suffix).
51+
52 .. note::
53 urllib also exposes certain utility functions like splittype, splithost and
54 others parsing url into various components. But it is recommended to use
55Index: Python-2.7.9/Doc/library/urllib2.rst
56===================================================================
57--- Python-2.7.9.orig/Doc/library/urllib2.rst
58+++ Python-2.7.9/Doc/library/urllib2.rst
59@@ -224,6 +224,11 @@ The following classes are provided:
60
61 To disable autodetected proxy pass an empty dictionary.
62
63+ .. note::
64+
65+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
66+ see the documentation on :func:`~urllib.getproxies`.
67+
68
69 .. class:: HTTPPasswordMgr()
70
71Index: Python-2.7.9/Misc/ACKS
72===================================================================
73--- Python-2.7.9.orig/Misc/ACKS
74+++ Python-2.7.9/Misc/ACKS
75@@ -1090,6 +1090,7 @@ Jérôme Radix
76 Burton Radons
77 Jeff Ramnani
78 Brodie Rao
79+Rémi Rampin
80 Senko Rasic
81 Antti Rasinen
82 Nikolaus Rath
83Index: Python-2.7.9/Lib/urllib.py
84===================================================================
85--- Python-2.7.9.orig/Lib/urllib.py
86+++ Python-2.7.9/Lib/urllib.py
87@@ -1373,11 +1373,20 @@ def getproxies_environment():
88 [Fancy]URLopener constructor.
89
90 """
91+ # Get all variables
92 proxies = {}
93 for name, value in os.environ.items():
94 name = name.lower()
95 if value and name[-6:] == '_proxy':
96 proxies[name[:-6]] = value
97+
98+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
99+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
100+ # header from the client
101+ # If "proxy" is lowercase, it will still be used thanks to the next block
102+ if 'REQUEST_METHOD' in os.environ:
103+ proxies.pop('http', None)
104+
105 return proxies
106
107 def proxy_bypass_environment(host):
108Index: Python-2.7.9/Lib/test/test_urllib.py
109===================================================================
110--- Python-2.7.9.orig/Lib/test/test_urllib.py
111+++ Python-2.7.9/Lib/test/test_urllib.py
112@@ -161,6 +161,18 @@ class ProxyTests(unittest.TestCase):
113 self.env.set('NO_PROXY', 'localhost, anotherdomain.com, newdomain.com')
114 self.assertTrue(urllib.proxy_bypass_environment('anotherdomain.com'))
115
116+ def test_proxy_cgi_ignore(self):
117+ try:
118+ self.env.set('HTTP_PROXY', 'http://somewhere:3128')
119+ proxies = urllib.getproxies_environment()
120+ self.assertEqual('http://somewhere:3128', proxies['http'])
121+ self.env.set('REQUEST_METHOD', 'GET')
122+ proxies = urllib.getproxies_environment()
123+ self.assertNotIn('http', proxies)
124+ finally:
125+ self.env.unset('REQUEST_METHOD')
126+ self.env.unset('HTTP_PROXY')
127+
128
129 class urlopen_HttpTests(unittest.TestCase, FakeHTTPMixin):
130 """Test urlopen() opening a fake http connection."""
131Index: Python-2.7.9/Misc/NEWS
132===================================================================
133--- Python-2.7.9.orig/Misc/NEWS
134+++ Python-2.7.9/Misc/NEWS
135@@ -13,6 +13,10 @@ What's New in Python 2.7.9?
136 Library
137 -------
138
139+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
140+ HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
141+ that the script is in CGI mode.
142+
143 - Issue #22928: Disabled HTTP header injections in httplib.
144 Original patch by Demian Brecht.
145
diff --git a/meta/recipes-devtools/python/python_2.7.9.bb b/meta/recipes-devtools/python/python_2.7.9.bb
index 1f0169b..03f917d 100644
--- a/meta/recipes-devtools/python/python_2.7.9.bb
+++ b/meta/recipes-devtools/python/python_2.7.9.bb
@@ -29,6 +29,7 @@ SRC_URI += "\
29 file://CVE-2016-0772.patch \ 29 file://CVE-2016-0772.patch \
30 file://CVE-2016-5636.patch \ 30 file://CVE-2016-5636.patch \
31 file://CVE-2016-5699.patch \ 31 file://CVE-2016-5699.patch \
32 file://CVE-2016-1000110.patch \
32" 33"
33 34
34S = "${WORKDIR}/Python-${PV}" 35S = "${WORKDIR}/Python-${PV}"