summary refs log tree commit diff stats
diff options
context:
space:
mode:
author Dan Tran <dantran@microsoft.com> 2019-09-11 18:58:52 +0000
committer Richard Purdie <richard.purdie@linuxfoundation.org> 2019-10-08 22:52:28 +0100
commit 26ab554fd5223ea870819c21ec9619d09a2ae850 (patch)
tree f856581efbcdf09312e55533e5f6076b1b2f1c5c
parent 90e5385568621b2a1eeb4ce206fa2fac96fe3149 (diff)
download poky-26ab554fd5223ea870819c21ec9619d09a2ae850.tar.gz
python3: Fix CVEs
Fixes CVE-2018-14647, CVE-2018-20406, CVE-2018-20852, CVE-2019-9636, CVE-2019-9740, and CVE-2019-9947. (From OE-Core rev: 5862716f22ca9f5745d3bca85c6ed0d8c35c437b) Signed-off-by: Dan Tran <dantran@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- meta/recipes-devtools/python/python3/CVE-2018-14647.patch 95
-rw-r--r-- meta/recipes-devtools/python/python3/CVE-2018-20406.patch 217
-rw-r--r-- meta/recipes-devtools/python/python3/CVE-2018-20852.patch 129
-rw-r--r-- meta/recipes-devtools/python/python3/CVE-2019-9636.patch 154
-rw-r--r-- meta/recipes-devtools/python/python3_3.5.6.bb 4
5 files changed, 599 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3/CVE-2018-14647.patch b/meta/recipes-devtools/python/python3/CVE-2018-14647.patch
new file mode 100644
index 0000000000..c1f21f826c
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2018-14647.patch
@@ -0,0 +1,95 @@
1From 610b4b0dbaedd3099ab76acf678e9cc845d99a76 Mon Sep 17 00:00:00 2001
2From: stratakis <cstratak@redhat.com>
3Date: Mon, 25 Feb 2019 22:04:09 +0100
4Subject: [PATCH] [3.5] bpo-34623: Use XML_SetHashSalt in _elementtree (#9933)
5
6* bpo-34623: Use XML_SetHashSalt in _elementtree (GH-9146)
7
8The C accelerated _elementtree module now initializes hash randomization
9salt from _Py_HashSecret instead of libexpat's default CSPRNG.
10
11Signed-off-by: Christian Heimes <christian@python.org>
12
13https://bugs.python.org/issue34623
14(cherry picked from commit cb5778f00ce48631c7140f33ba242496aaf7102b)
15
16Co-authored-by: Christian Heimes <christian@python.org>
17
18CVE: CVE-2018-14647
19Upstream-Status: Backport
20[https://github.com/python/cpython/commit/41b48e71ac8a71f56694b548f118bd20ce203410]
21
22Signed-off-by: Dan Tran <dantran@microsoft.com>
23---
24 Include/pyexpat.h | 4 +++-
25 .../next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst | 2 ++
26 Modules/_elementtree.c | 5 +++++
27 Modules/pyexpat.c | 5 +++++
28 4 files changed, 15 insertions(+), 1 deletion(-)
29 create mode 100644 Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst
30
31diff --git a/Include/pyexpat.h b/Include/pyexpat.h
32index 44259bf6d7..07020b5dc9 100644
33--- a/Include/pyexpat.h
34+++ b/Include/pyexpat.h
35@@ -3,7 +3,7 @@
36
37 /* note: you must import expat.h before importing this module! */
38
39-#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.0"
40+#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.1"
41 #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI"
42
43 struct PyExpat_CAPI
44@@ -48,6 +48,8 @@ struct PyExpat_CAPI
45 enum XML_Status (*SetEncoding)(XML_Parser parser, const XML_Char *encoding);
46 int (*DefaultUnknownEncodingHandler)(
47 void *encodingHandlerData, const XML_Char *name, XML_Encoding *info);
48+ /* might be none for expat < 2.1.0 */
49+ int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt);
50 /* always add new stuff to the end! */
51 };
52
53diff --git a/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst b/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst
54new file mode 100644
55index 0000000000..cbaa4b7506
56--- /dev/null
57+++ b/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst
58@@ -0,0 +1,2 @@
59+CVE-2018-14647: The C accelerated _elementtree module now initializes hash
60+randomization salt from _Py_HashSecret instead of libexpat's default CSPRNG.
61diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c
62index 5dba9f70a9..90c6daf64a 100644
63--- a/Modules/_elementtree.c
64+++ b/Modules/_elementtree.c
65@@ -3282,6 +3282,11 @@ _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject *html,
66 PyErr_NoMemory();
67 return -1;
68 }
69+ /* expat < 2.1.0 has no XML_SetHashSalt() */
70+ if (EXPAT(SetHashSalt) != NULL) {
71+ EXPAT(SetHashSalt)(self->parser,
72+ (unsigned long)_Py_HashSecret.expat.hashsalt);
73+ }
74
75 if (target) {
76 Py_INCREF(target);
77diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c
78index adc9b6cde8..948ab1b703 100644
79--- a/Modules/pyexpat.c
80+++ b/Modules/pyexpat.c
81@@ -1882,6 +1882,11 @@ MODULE_INITFUNC(void)
82 capi.SetStartDoctypeDeclHandler = XML_SetStartDoctypeDeclHandler;
83 capi.SetEncoding = XML_SetEncoding;
84 capi.DefaultUnknownEncodingHandler = PyUnknownEncodingHandler;
85+#if XML_COMBINED_VERSION >= 20100
86+ capi.SetHashSalt = XML_SetHashSalt;
87+#else
88+ capi.SetHashSalt = NULL;
89+#endif
90
91 /* export using capsule */
92 capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL);
93--
942.22.0.vfs.1.1.57.gbaf16c8
95
diff --git a/meta/recipes-devtools/python/python3/CVE-2018-20406.patch b/meta/recipes-devtools/python/python3/CVE-2018-20406.patch
new file mode 100644
index 0000000000..b69e0c4d6b
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2018-20406.patch
@@ -0,0 +1,217 @@
1From 3c7fd2b2729e3ebcf7877e7a32b3bbabf907a38d Mon Sep 17 00:00:00 2001
2From: Victor Stinner <vstinner@redhat.com>
3Date: Tue, 26 Feb 2019 01:42:39 +0100
4Subject: [PATCH] closes bpo-34656: Avoid relying on signed overflow in _pickle
5 memos. (GH-9261) (#11869)
6
7(cherry picked from commit a4ae828ee416a66d8c7bf5ee71d653c2cc6a26dd)
8
9CVE: CVE-2018-20406
10Upstream-Status: Backport
11[https://github.com/python/cpython/commit/ef33dd6036aafbd3f06c1d56e2b1a81dae3da63c]
12
13Signed-off-by: Dan Tran <dantran@microsoft.com>
14---
15 Modules/_pickle.c | 63 ++++++++++++++++++++++++-----------------------
16 1 file changed, 32 insertions(+), 31 deletions(-)
17
18diff --git a/Modules/_pickle.c b/Modules/_pickle.c
19index 0f62b1c019..fcb9e87899 100644
20--- a/Modules/_pickle.c
21+++ b/Modules/_pickle.c
22@@ -527,9 +527,9 @@ typedef struct {
23 } PyMemoEntry;
24
25 typedef struct {
26- Py_ssize_t mt_mask;
27- Py_ssize_t mt_used;
28- Py_ssize_t mt_allocated;
29+ size_t mt_mask;
30+ size_t mt_used;
31+ size_t mt_allocated;
32 PyMemoEntry *mt_table;
33 } PyMemoTable;
34
35@@ -573,8 +573,8 @@ typedef struct UnpicklerObject {
36 /* The unpickler memo is just an array of PyObject *s. Using a dict
37 is unnecessary, since the keys are contiguous ints. */
38 PyObject **memo;
39- Py_ssize_t memo_size; /* Capacity of the memo array */
40- Py_ssize_t memo_len; /* Number of objects in the memo */
41+ size_t memo_size; /* Capacity of the memo array */
42+ size_t memo_len; /* Number of objects in the memo */
43
44 PyObject *pers_func; /* persistent_load() method, can be NULL. */
45
46@@ -658,7 +658,6 @@ PyMemoTable_New(void)
47 static PyMemoTable *
48 PyMemoTable_Copy(PyMemoTable *self)
49 {
50- Py_ssize_t i;
51 PyMemoTable *new = PyMemoTable_New();
52 if (new == NULL)
53 return NULL;
54@@ -675,7 +674,7 @@ PyMemoTable_Copy(PyMemoTable *self)
55 PyErr_NoMemory();
56 return NULL;
57 }
58- for (i = 0; i < self->mt_allocated; i++) {
59+ for (size_t i = 0; i < self->mt_allocated; i++) {
60 Py_XINCREF(self->mt_table[i].me_key);
61 }
62 memcpy(new->mt_table, self->mt_table,
63@@ -721,7 +720,7 @@ _PyMemoTable_Lookup(PyMemoTable *self, PyObject *key)
64 {
65 size_t i;
66 size_t perturb;
67- size_t mask = (size_t)self->mt_mask;
68+ size_t mask = self->mt_mask;
69 PyMemoEntry *table = self->mt_table;
70 PyMemoEntry *entry;
71 Py_hash_t hash = (Py_hash_t)key >> 3;
72@@ -743,22 +742,24 @@ _PyMemoTable_Lookup(PyMemoTable *self, PyObject *key)
73
74 /* Returns -1 on failure, 0 on success. */
75 static int
76-_PyMemoTable_ResizeTable(PyMemoTable *self, Py_ssize_t min_size)
77+_PyMemoTable_ResizeTable(PyMemoTable *self, size_t min_size)
78 {
79 PyMemoEntry *oldtable = NULL;
80 PyMemoEntry *oldentry, *newentry;
81- Py_ssize_t new_size = MT_MINSIZE;
82- Py_ssize_t to_process;
83+ size_t new_size = MT_MINSIZE;
84+ size_t to_process;
85
86 assert(min_size > 0);
87
88- /* Find the smallest valid table size >= min_size. */
89- while (new_size < min_size && new_size > 0)
90- new_size <<= 1;
91- if (new_size <= 0) {
92+ if (min_size > PY_SSIZE_T_MAX) {
93 PyErr_NoMemory();
94 return -1;
95 }
96+
97+ /* Find the smallest valid table size >= min_size. */
98+ while (new_size < min_size) {
99+ new_size <<= 1;
100+ }
101 /* new_size needs to be a power of two. */
102 assert((new_size & (new_size - 1)) == 0);
103
104@@ -808,6 +809,7 @@ static int
105 PyMemoTable_Set(PyMemoTable *self, PyObject *key, Py_ssize_t value)
106 {
107 PyMemoEntry *entry;
108+ size_t desired_size;
109
110 assert(key != NULL);
111
112@@ -831,10 +833,12 @@ PyMemoTable_Set(PyMemoTable *self, PyObject *key, Py_ssize_t value)
113 * Very large memo tables (over 50K items) use doubling instead.
114 * This may help applications with severe memory constraints.
115 */
116- if (!(self->mt_used * 3 >= (self->mt_mask + 1) * 2))
117+ if (SIZE_MAX / 3 >= self->mt_used && self->mt_used * 3 < self->mt_allocated * 2) {
118 return 0;
119- return _PyMemoTable_ResizeTable(self,
120- (self->mt_used > 50000 ? 2 : 4) * self->mt_used);
121+ }
122+ // self->mt_used is always < PY_SSIZE_T_MAX, so this can't overflow.
123+ desired_size = (self->mt_used > 50000 ? 2 : 4) * self->mt_used;
124+ return _PyMemoTable_ResizeTable(self, desired_size);
125 }
126
127 #undef MT_MINSIZE
128@@ -1273,9 +1277,9 @@ _Unpickler_Readline(UnpicklerObject *self, char **result)
129 /* Returns -1 (with an exception set) on failure, 0 on success. The memo array
130 will be modified in place. */
131 static int
132-_Unpickler_ResizeMemoList(UnpicklerObject *self, Py_ssize_t new_size)
133+_Unpickler_ResizeMemoList(UnpicklerObject *self, size_t new_size)
134 {
135- Py_ssize_t i;
136+ size_t i;
137
138 assert(new_size > self->memo_size);
139
140@@ -1292,9 +1296,9 @@ _Unpickler_ResizeMemoList(UnpicklerObject *self, Py_ssize_t new_size)
141
142 /* Returns NULL if idx is out of bounds. */
143 static PyObject *
144-_Unpickler_MemoGet(UnpicklerObject *self, Py_ssize_t idx)
145+_Unpickler_MemoGet(UnpicklerObject *self, size_t idx)
146 {
147- if (idx < 0 || idx >= self->memo_size)
148+ if (idx >= self->memo_size)
149 return NULL;
150
151 return self->memo[idx];
152@@ -1303,7 +1307,7 @@ _Unpickler_MemoGet(UnpicklerObject *self, Py_ssize_t idx)
153 /* Returns -1 (with an exception set) on failure, 0 on success.
154 This takes its own reference to `value`. */
155 static int
156-_Unpickler_MemoPut(UnpicklerObject *self, Py_ssize_t idx, PyObject *value)
157+_Unpickler_MemoPut(UnpicklerObject *self, size_t idx, PyObject *value)
158 {
159 PyObject *old_item;
160
161@@ -4194,14 +4198,13 @@ static PyObject *
162 _pickle_PicklerMemoProxy_copy_impl(PicklerMemoProxyObject *self)
163 /*[clinic end generated code: output=bb83a919d29225ef input=b73043485ac30b36]*/
164 {
165- Py_ssize_t i;
166 PyMemoTable *memo;
167 PyObject *new_memo = PyDict_New();
168 if (new_memo == NULL)
169 return NULL;
170
171 memo = self->pickler->memo;
172- for (i = 0; i < memo->mt_allocated; ++i) {
173+ for (size_t i = 0; i < memo->mt_allocated; ++i) {
174 PyMemoEntry entry = memo->mt_table[i];
175 if (entry.me_key != NULL) {
176 int status;
177@@ -6620,7 +6623,7 @@ static PyObject *
178 _pickle_UnpicklerMemoProxy_copy_impl(UnpicklerMemoProxyObject *self)
179 /*[clinic end generated code: output=e12af7e9bc1e4c77 input=97769247ce032c1d]*/
180 {
181- Py_ssize_t i;
182+ size_t i;
183 PyObject *new_memo = PyDict_New();
184 if (new_memo == NULL)
185 return NULL;
186@@ -6771,8 +6774,7 @@ static int
187 Unpickler_set_memo(UnpicklerObject *self, PyObject *obj)
188 {
189 PyObject **new_memo;
190- Py_ssize_t new_memo_size = 0;
191- Py_ssize_t i;
192+ size_t new_memo_size = 0;
193
194 if (obj == NULL) {
195 PyErr_SetString(PyExc_TypeError,
196@@ -6789,7 +6791,7 @@ Unpickler_set_memo(UnpicklerObject *self, PyObject *obj)
197 if (new_memo == NULL)
198 return -1;
199
200- for (i = 0; i < new_memo_size; i++) {
201+ for (size_t i = 0; i < new_memo_size; i++) {
202 Py_XINCREF(unpickler->memo[i]);
203 new_memo[i] = unpickler->memo[i];
204 }
205@@ -6837,8 +6839,7 @@ Unpickler_set_memo(UnpicklerObject *self, PyObject *obj)
206
207 error:
208 if (new_memo_size) {
209- i = new_memo_size;
210- while (--i >= 0) {
211+ for (size_t i = new_memo_size - 1; i != SIZE_MAX; i--) {
212 Py_XDECREF(new_memo[i]);
213 }
214 PyMem_FREE(new_memo);
215--
2162.22.0.vfs.1.1.57.gbaf16c8
217
diff --git a/meta/recipes-devtools/python/python3/CVE-2018-20852.patch b/meta/recipes-devtools/python/python3/CVE-2018-20852.patch
new file mode 100644
index 0000000000..82a114f29d
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2018-20852.patch
@@ -0,0 +1,129 @@
1From 31c16d62fc762ab87e66e7f47e36dbfcfc8b5224 Mon Sep 17 00:00:00 2001
2From: Xtreak <tir.karthi@gmail.com>
3Date: Sun, 17 Mar 2019 05:33:39 +0530
4Subject: [PATCH] [3.5] bpo-35121: prefix dot in domain for proper subdomain
5 validation (GH-10258) (#12281)
6
7Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy. Patch by Karthikeyan Singaravelan.
8(cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14)
9
10Co-authored-by: Xtreak <tir.karthi@gmail.com>
11
12CVE: CVE-2018-20852
13Upstream-Status: Backport
14[https://github.com/python/cpython/commit/4749f1b69000259e23b4cc6f63c542a9bdc62f1b]
15
16Signed-off-by: Dan Tran <dantran@microsoft.com>
17---
18 Lib/http/cookiejar.py | 13 ++++++--
19 Lib/test/test_http_cookiejar.py | 30 +++++++++++++++++++
20 .../2018-10-31-15-39-17.bpo-35121.EgHv9k.rst | 4 +++
21 3 files changed, 45 insertions(+), 2 deletions(-)
22 create mode 100644 Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
23
24diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py
25index 6d4572af03..1cc9378ae4 100644
26--- a/Lib/http/cookiejar.py
27+++ b/Lib/http/cookiejar.py
28@@ -1148,6 +1148,11 @@ class DefaultCookiePolicy(CookiePolicy):
29 req_host, erhn = eff_request_host(request)
30 domain = cookie.domain
31
32+ if domain and not domain.startswith("."):
33+ dotdomain = "." + domain
34+ else:
35+ dotdomain = domain
36+
37 # strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
38 if (cookie.version == 0 and
39 (self.strict_ns_domain & self.DomainStrictNonDomain) and
40@@ -1160,7 +1165,7 @@ class DefaultCookiePolicy(CookiePolicy):
41 _debug(" effective request-host name %s does not domain-match "
42 "RFC 2965 cookie domain %s", erhn, domain)
43 return False
44- if cookie.version == 0 and not ("."+erhn).endswith(domain):
45+ if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
46 _debug(" request-host %s does not match Netscape cookie domain "
47 "%s", req_host, domain)
48 return False
49@@ -1174,7 +1179,11 @@ class DefaultCookiePolicy(CookiePolicy):
50 req_host = "."+req_host
51 if not erhn.startswith("."):
52 erhn = "."+erhn
53- if not (req_host.endswith(domain) or erhn.endswith(domain)):
54+ if domain and not domain.startswith("."):
55+ dotdomain = "." + domain
56+ else:
57+ dotdomain = domain
58+ if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
59 #_debug(" request domain %s does not match cookie domain %s",
60 # req_host, domain)
61 return False
62diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py
63index 49c01ae489..e67e6ae780 100644
64--- a/Lib/test/test_http_cookiejar.py
65+++ b/Lib/test/test_http_cookiejar.py
66@@ -417,6 +417,7 @@ class CookieTests(unittest.TestCase):
67 ("http://foo.bar.com/", ".foo.bar.com", True),
68 ("http://foo.bar.com/", "foo.bar.com", True),
69 ("http://foo.bar.com/", ".bar.com", True),
70+ ("http://foo.bar.com/", "bar.com", True),
71 ("http://foo.bar.com/", "com", True),
72 ("http://foo.com/", "rhubarb.foo.com", False),
73 ("http://foo.com/", ".foo.com", True),
74@@ -427,6 +428,8 @@ class CookieTests(unittest.TestCase):
75 ("http://foo/", "foo", True),
76 ("http://foo/", "foo.local", True),
77 ("http://foo/", ".local", True),
78+ ("http://barfoo.com", ".foo.com", False),
79+ ("http://barfoo.com", "foo.com", False),
80 ]:
81 request = urllib.request.Request(url)
82 r = pol.domain_return_ok(domain, request)
83@@ -961,6 +964,33 @@ class CookieTests(unittest.TestCase):
84 c.add_cookie_header(req)
85 self.assertFalse(req.has_header("Cookie"))
86
87+ c.clear()
88+
89+ pol.set_blocked_domains([])
90+ req = urllib.request.Request("http://acme.com/")
91+ res = FakeResponse(headers, "http://acme.com/")
92+ cookies = c.make_cookies(res, req)
93+ c.extract_cookies(res, req)
94+ self.assertEqual(len(c), 1)
95+
96+ req = urllib.request.Request("http://acme.com/")
97+ c.add_cookie_header(req)
98+ self.assertTrue(req.has_header("Cookie"))
99+
100+ req = urllib.request.Request("http://badacme.com/")
101+ c.add_cookie_header(req)
102+ self.assertFalse(pol.return_ok(cookies[0], req))
103+ self.assertFalse(req.has_header("Cookie"))
104+
105+ p = pol.set_blocked_domains(["acme.com"])
106+ req = urllib.request.Request("http://acme.com/")
107+ c.add_cookie_header(req)
108+ self.assertFalse(req.has_header("Cookie"))
109+
110+ req = urllib.request.Request("http://badacme.com/")
111+ c.add_cookie_header(req)
112+ self.assertFalse(req.has_header("Cookie"))
113+
114 def test_secure(self):
115 for ns in True, False:
116 for whitespace in " ", "":
117diff --git a/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
118new file mode 100644
119index 0000000000..d2eb8f1f35
120--- /dev/null
121+++ b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
122@@ -0,0 +1,4 @@
123+Don't send cookies of domain A without Domain attribute to domain B
124+when domain A is a suffix match of domain B while using a cookiejar
125+with :class:`http.cookiejar.DefaultCookiePolicy` policy. Patch by
126+Karthikeyan Singaravelan.
127--
1282.22.0.vfs.1.1.57.gbaf16c8
129
diff --git a/meta/recipes-devtools/python/python3/CVE-2019-9636.patch b/meta/recipes-devtools/python/python3/CVE-2019-9636.patch
new file mode 100644
index 0000000000..ce8eb666cf
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2019-9636.patch
@@ -0,0 +1,154 @@
1From b0305339567b64e07df87620e97e4cb99332aef6 Mon Sep 17 00:00:00 2001
2From: Steve Dower <steve.dower@microsoft.com>
3Date: Sun, 10 Mar 2019 21:59:24 -0700
4Subject: [PATCH] bpo-36216: Add check for characters in netloc that normalize
5 to separators (GH-12201) (#12223)
6
7CVE: CVE-2019-9636
8Upstream-Status: Backport
9[https://github.com/python/cpython/commit/c0d95113b070799679bcb9dc49d4960d82e8bb08]
10
11Signed-off-by: Dan Tran <dantran@microsoft.com>
12---
13 Doc/library/urllib.parse.rst | 18 +++++++++++++++
14 Lib/test/test_urlparse.py | 23 +++++++++++++++++++
15 Lib/urllib/parse.py | 17 ++++++++++++++
16 .../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst | 3 +++
17 4 files changed, 61 insertions(+)
18 create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
19
20diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst
21index 6f722a8897..a4c6b6726e 100644
22--- a/Doc/library/urllib.parse.rst
23+++ b/Doc/library/urllib.parse.rst
24@@ -120,6 +120,11 @@ or on combining URL components into a URL string.
25 Unmatched square brackets in the :attr:`netloc` attribute will raise a
26 :exc:`ValueError`.
27
28+ Characters in the :attr:`netloc` attribute that decompose under NFKC
29+ normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
30+ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
31+ decomposed before parsing, no error will be raised.
32+
33 .. versionchanged:: 3.2
34 Added IPv6 URL parsing capabilities.
35
36@@ -128,6 +133,10 @@ or on combining URL components into a URL string.
37 false), in accordance with :rfc:`3986`. Previously, a whitelist of
38 schemes that support fragments existed.
39
40+ .. versionchanged:: 3.5.7
41+ Characters that affect netloc parsing under NFKC normalization will
42+ now raise :exc:`ValueError`.
43+
44
45 .. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace')
46
47@@ -236,6 +245,15 @@ or on combining URL components into a URL string.
48 Unmatched square brackets in the :attr:`netloc` attribute will raise a
49 :exc:`ValueError`.
50
51+ Characters in the :attr:`netloc` attribute that decompose under NFKC
52+ normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
53+ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
54+ decomposed before parsing, no error will be raised.
55+
56+ .. versionchanged:: 3.5.7
57+ Characters that affect netloc parsing under NFKC normalization will
58+ now raise :exc:`ValueError`.
59+
60
61 .. function:: urlunsplit(parts)
62
63diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
64index e2cf1b7e0f..d0420b0e74 100644
65--- a/Lib/test/test_urlparse.py
66+++ b/Lib/test/test_urlparse.py
67@@ -1,3 +1,5 @@
68+import sys
69+import unicodedata
70 import unittest
71 import urllib.parse
72
73@@ -970,6 +972,27 @@ class UrlParseTestCase(unittest.TestCase):
74 expected.append(name)
75 self.assertCountEqual(urllib.parse.__all__, expected)
76
77+ def test_urlsplit_normalization(self):
78+ # Certain characters should never occur in the netloc,
79+ # including under normalization.
80+ # Ensure that ALL of them are detected and cause an error
81+ illegal_chars = '/:#?@'
82+ hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars}
83+ denorm_chars = [
84+ c for c in map(chr, range(128, sys.maxunicode))
85+ if (hex_chars & set(unicodedata.decomposition(c).split()))
86+ and c not in illegal_chars
87+ ]
88+ # Sanity check that we found at least one such character
89+ self.assertIn('\u2100', denorm_chars)
90+ self.assertIn('\uFF03', denorm_chars)
91+
92+ for scheme in ["http", "https", "ftp"]:
93+ for c in denorm_chars:
94+ url = "{}://netloc{}false.netloc/path".format(scheme, c)
95+ with self.subTest(url=url, char='{:04X}'.format(ord(c))):
96+ with self.assertRaises(ValueError):
97+ urllib.parse.urlsplit(url)
98
99 class Utility_Tests(unittest.TestCase):
100 """Testcase to test the various utility functions in the urllib."""
101diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
102index 62e8ddf04b..7ba2b445f5 100644
103--- a/Lib/urllib/parse.py
104+++ b/Lib/urllib/parse.py
105@@ -327,6 +327,21 @@ def _splitnetloc(url, start=0):
106 delim = min(delim, wdelim) # use earliest delim position
107 return url[start:delim], url[delim:] # return (domain, rest)
108
109+def _checknetloc(netloc):
110+ if not netloc or not any(ord(c) > 127 for c in netloc):
111+ return
112+ # looking for characters like \u2100 that expand to 'a/c'
113+ # IDNA uses NFKC equivalence, so normalize for this check
114+ import unicodedata
115+ netloc2 = unicodedata.normalize('NFKC', netloc)
116+ if netloc == netloc2:
117+ return
118+ _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
119+ for c in '/?#@:':
120+ if c in netloc2:
121+ raise ValueError("netloc '" + netloc2 + "' contains invalid " +
122+ "characters under NFKC normalization")
123+
124 def urlsplit(url, scheme='', allow_fragments=True):
125 """Parse a URL into 5 components:
126 <scheme>://<netloc>/<path>?<query>#<fragment>
127@@ -356,6 +371,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
128 url, fragment = url.split('#', 1)
129 if '?' in url:
130 url, query = url.split('?', 1)
131+ _checknetloc(netloc)
132 v = SplitResult(scheme, netloc, url, query, fragment)
133 _parse_cache[key] = v
134 return _coerce_result(v)
135@@ -379,6 +395,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
136 url, fragment = url.split('#', 1)
137 if '?' in url:
138 url, query = url.split('?', 1)
139+ _checknetloc(netloc)
140 v = SplitResult(scheme, netloc, url, query, fragment)
141 _parse_cache[key] = v
142 return _coerce_result(v)
143diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
144new file mode 100644
145index 0000000000..5546394157
146--- /dev/null
147+++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
148@@ -0,0 +1,3 @@
149+Changes urlsplit() to raise ValueError when the URL contains characters that
150+decompose under IDNA encoding (NFKC-normalization) into characters that
151+affect how the URL is parsed.
152--
1532.22.0.vfs.1.1.57.gbaf16c8
154
diff --git a/meta/recipes-devtools/python/python3_3.5.6.bb b/meta/recipes-devtools/python/python3_3.5.6.bb
index 7e74c55b80..b2f8a3d034 100644
--- a/meta/recipes-devtools/python/python3_3.5.6.bb
+++ b/meta/recipes-devtools/python/python3_3.5.6.bb
@@ -44,6 +44,10 @@ SRC_URI += "\
 file://0005-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-2305.patch \
 file://run-ptest \
 file://CVE-2019-9740.patch \
+file://CVE-2018-14647.patch \
+file://CVE-2018-20406.patch \
+file://CVE-2018-20852.patch \
+file://CVE-2019-9636.patch \
 "
 
 inherit multilib_header python3native update-alternatives qemu ptest