python: update to 3.7.3

License-update: copyright years (From OE-Core rev: 845b9a4ed2b83d716688a7b0d8bf13f37e79a025) Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [ Backported patches removed. ] Signed-off-by: Adrian Bunk <bunk@stusta.de> [Bug fix only update] Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Alexander Kanavin <alex.kanavin@gmail.com> 2019-10-01 22:58:16 +0300
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-10-08 22:51:35 +0100
commit: d1a785686f30838d6ff2702a557d996f6cecfbc0 (patch)
tree: da465a60f6bb8eeac9db9d38f556d9b5cce3d76a
parent: b58c50811b5151fb7f9980cb99c32df4eebd0b88 (diff)
download: poky-d1a785686f30838d6ff2702a557d996f6cecfbc0.tar.gz
5 files changed, 5 insertions, 285 deletions
diff --git a/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch b/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch
index 8083345a4e..1741f5753b 100644
--- a/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch
+++ b/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch
@@ -1,4 +1,4 @@
-From 4865615a2bc2b78c739e4c33f536712c7f9af061 Mon Sep 17 00:00:00 2001
+From 17796e353acf08acd604610f34840a4a9d2f4b54 Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin <alex.kanavin@gmail.com>
 Date: Thu, 31 Jan 2019 16:46:30 +0100
 Subject: [PATCH] distutils/sysconfig: append
diff --git a/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch b/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch
index dcc0932c7f..35213171bd 100644
--- a/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch
+++ b/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch
@@ -1,4 +1,4 @@
-From 1397979ee445ff6826aa5469511e003539f77bb2 Mon Sep 17 00:00:00 2001
+From 12900d498bb77bcc990868a80eaf0ab257b88fff Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Tue, 14 May 2013 15:00:26 -0700
 Subject: [PATCH] python3: Add target and native recipes
diff --git a/meta/recipes-devtools/python/python3/CVE-2018-20852.patch b/meta/recipes-devtools/python/python3/CVE-2018-20852.patch
deleted file mode 100644
index ff671d3fab..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2018-20852.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From e5123d81ffb3be35a1b2767d6ced1a097aaf77be Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Sat, 9 Mar 2019 18:58:25 -0800
-Subject: [PATCH] bpo-35121: prefix dot in domain for proper subdomain
- validation (GH-10258) (GH-12261)
-Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy.  Patch by Karthikeyan Singaravelan.
-(cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14)
-Co-authored-by: Xtreak <tir.karthi@gmail.com>
-Upstream-Status: Backport
-CVE: CVE-2018-20852
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> 
---
- Lib/http/cookiejar.py                         | 13 ++++++--
- Lib/test/test_http_cookiejar.py               | 30 +++++++++++++++++++
- .../2018-10-31-15-39-17.bpo-35121.EgHv9k.rst  |  4 +++
- 3 files changed, 45 insertions(+), 2 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
-diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py
-index e0f1032b2816..00cb1250a07e 100644
--- a/Lib/http/cookiejar.py
-+++ b/Lib/http/cookiejar.py
-@@ -1145,6 +1145,11 @@ def return_ok_domain(self, cookie, request):
-         req_host, erhn = eff_request_host(request)
-         domain = cookie.domain
- 
-+        if domain and not domain.startswith("."):
-+            dotdomain = "." + domain
-+        else:
-+            dotdomain = domain
-+
-         # strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
-         if (cookie.version == 0 and
-             (self.strict_ns_domain & self.DomainStrictNonDomain) and
-@@ -1157,7 +1162,7 @@ def return_ok_domain(self, cookie, request):
-             _debug("   effective request-host name %s does not domain-match "
-                    "RFC 2965 cookie domain %s", erhn, domain)
-             return False
-        if cookie.version == 0 and not ("."+erhn).endswith(domain):
-+        if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
-             _debug("   request-host %s does not match Netscape cookie domain "
-                    "%s", req_host, domain)
-             return False
-@@ -1171,7 +1176,11 @@ def domain_return_ok(self, domain, request):
-             req_host = "."+req_host
-         if not erhn.startswith("."):
-             erhn = "."+erhn
-        if not (req_host.endswith(domain) or erhn.endswith(domain)):
-+        if domain and not domain.startswith("."):
-+            dotdomain = "." + domain
-+        else:
-+            dotdomain = domain
-+        if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
-             #_debug("   request domain %s does not match cookie domain %s",
-             #       req_host, domain)
-             return False
-diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py
-index abc625d672a7..6e1b30881310 100644
--- a/Lib/test/test_http_cookiejar.py
-+++ b/Lib/test/test_http_cookiejar.py
-@@ -415,6 +415,7 @@ def test_domain_return_ok(self):
-             ("http://foo.bar.com/", ".foo.bar.com", True),
-             ("http://foo.bar.com/", "foo.bar.com", True),
-             ("http://foo.bar.com/", ".bar.com", True),
-+            ("http://foo.bar.com/", "bar.com", True),
-             ("http://foo.bar.com/", "com", True),
-             ("http://foo.com/", "rhubarb.foo.com", False),
-             ("http://foo.com/", ".foo.com", True),
-@@ -425,6 +426,8 @@ def test_domain_return_ok(self):
-             ("http://foo/", "foo", True),
-             ("http://foo/", "foo.local", True),
-             ("http://foo/", ".local", True),
-+            ("http://barfoo.com", ".foo.com", False),
-+            ("http://barfoo.com", "foo.com", False),
-             ]:
-             request = urllib.request.Request(url)
-             r = pol.domain_return_ok(domain, request)
-@@ -959,6 +962,33 @@ def test_domain_block(self):
-         c.add_cookie_header(req)
-         self.assertFalse(req.has_header("Cookie"))
- 
-+        c.clear()
-+
-+        pol.set_blocked_domains([])
-+        req = urllib.request.Request("http://acme.com/")
-+        res = FakeResponse(headers, "http://acme.com/")
-+        cookies = c.make_cookies(res, req)
-+        c.extract_cookies(res, req)
-+        self.assertEqual(len(c), 1)
-+
-+        req = urllib.request.Request("http://acme.com/")
-+        c.add_cookie_header(req)
-+        self.assertTrue(req.has_header("Cookie"))
-+
-+        req = urllib.request.Request("http://badacme.com/")
-+        c.add_cookie_header(req)
-+        self.assertFalse(pol.return_ok(cookies[0], req))
-+        self.assertFalse(req.has_header("Cookie"))
-+
-+        p = pol.set_blocked_domains(["acme.com"])
-+        req = urllib.request.Request("http://acme.com/")
-+        c.add_cookie_header(req)
-+        self.assertFalse(req.has_header("Cookie"))
-+
-+        req = urllib.request.Request("http://badacme.com/")
-+        c.add_cookie_header(req)
-+        self.assertFalse(req.has_header("Cookie"))
-+
-     def test_secure(self):
-         for ns in True, False:
-             for whitespace in " ", "":
-diff --git a/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
-new file mode 100644
-index 000000000000..d2eb8f1f352c
--- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
-@@ -0,0 +1,4 @@
-+Don't send cookies of domain A without Domain attribute to domain B
-+when domain A is a suffix match of domain B while using a cookiejar
-+with :class:`http.cookiejar.DefaultCookiePolicy` policy. Patch by
-+Karthikeyan Singaravelan.
diff --git a/meta/recipes-devtools/python/python3/CVE-2019-9636.patch b/meta/recipes-devtools/python/python3/CVE-2019-9636.patch
deleted file mode 100644
index 72128f0b0d..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2019-9636.patch
+++ /dev/null
@@ -1,154 +0,0 @@
-From daad2c482c91de32d8305abbccc76a5de8b3a8be Mon Sep 17 00:00:00 2001
-From: Steve Dower <steve.dower@microsoft.com>
-Date: Thu, 7 Mar 2019 09:08:18 -0800
-Subject: [PATCH] bpo-36216: Add check for characters in netloc that normalize
- to separators (GH-12201)
-Upstream-Status: Backport
-CVE: CVE-2019-9636
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
- Doc/library/urllib.parse.rst                  | 18 +++++++++++++++
- Lib/test/test_urlparse.py                     | 23 +++++++++++++++++++
- Lib/urllib/parse.py                           | 17 ++++++++++++++
- .../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst  |  3 +++
- 4 files changed, 61 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
-diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst
-index 0c8f0f607314..b565e1edd321 100644
--- a/Doc/library/urllib.parse.rst
-+++ b/Doc/library/urllib.parse.rst
-@@ -124,6 +124,11 @@ or on combining URL components into a URL string.
-    Unmatched square brackets in the :attr:`netloc` attribute will raise a
-    :exc:`ValueError`.
- 
-+   Characters in the :attr:`netloc` attribute that decompose under NFKC
-+   normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
-+   ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
-+   decomposed before parsing, no error will be raised.
-+
-    .. versionchanged:: 3.2
-       Added IPv6 URL parsing capabilities.
- 
-@@ -136,6 +141,10 @@ or on combining URL components into a URL string.
-       Out-of-range port numbers now raise :exc:`ValueError`, instead of
-       returning :const:`None`.
- 
-+   .. versionchanged:: 3.7.3
-+      Characters that affect netloc parsing under NFKC normalization will
-+      now raise :exc:`ValueError`.
-+
- 
- .. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None)
- 
-@@ -257,10 +266,19 @@ or on combining URL components into a URL string.
-    Unmatched square brackets in the :attr:`netloc` attribute will raise a
-    :exc:`ValueError`.
- 
-+   Characters in the :attr:`netloc` attribute that decompose under NFKC
-+   normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
-+   ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
-+   decomposed before parsing, no error will be raised.
-+
-    .. versionchanged:: 3.6
-       Out-of-range port numbers now raise :exc:`ValueError`, instead of
-       returning :const:`None`.
- 
-+   .. versionchanged:: 3.7.3
-+      Characters that affect netloc parsing under NFKC normalization will
-+      now raise :exc:`ValueError`.
-+
- 
- .. function:: urlunsplit(parts)
- 
-diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
-index be50b47603aa..e6638aee2244 100644
--- a/Lib/test/test_urlparse.py
-+++ b/Lib/test/test_urlparse.py
-@@ -1,3 +1,5 @@
-+import sys
-+import unicodedata
- import unittest
- import urllib.parse
- 
-@@ -984,6 +986,27 @@ def test_all(self):
-                 expected.append(name)
-         self.assertCountEqual(urllib.parse.__all__, expected)
- 
-+    def test_urlsplit_normalization(self):
-+        # Certain characters should never occur in the netloc,
-+        # including under normalization.
-+        # Ensure that ALL of them are detected and cause an error
-+        illegal_chars = '/:#?@'
-+        hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars}
-+        denorm_chars = [
-+            c for c in map(chr, range(128, sys.maxunicode))
-+            if (hex_chars & set(unicodedata.decomposition(c).split()))
-+            and c not in illegal_chars
-+        ]
-+        # Sanity check that we found at least one such character
-+        self.assertIn('\u2100', denorm_chars)
-+        self.assertIn('\uFF03', denorm_chars)
-+
-+        for scheme in ["http", "https", "ftp"]:
-+            for c in denorm_chars:
-+                url = "{}://netloc{}false.netloc/path".format(scheme, c)
-+                with self.subTest(url=url, char='{:04X}'.format(ord(c))):
-+                    with self.assertRaises(ValueError):
-+                        urllib.parse.urlsplit(url)
- 
- class Utility_Tests(unittest.TestCase):
-     """Testcase to test the various utility functions in the urllib."""
-diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
-index f691ab74f87f..39c5d6a80824 100644
--- a/Lib/urllib/parse.py
-+++ b/Lib/urllib/parse.py
-@@ -391,6 +391,21 @@ def _splitnetloc(url, start=0):
-             delim = min(delim, wdelim)     # use earliest delim position
-     return url[start:delim], url[delim:]   # return (domain, rest)
- 
-+def _checknetloc(netloc):
-+    if not netloc or netloc.isascii():
-+        return
-+    # looking for characters like \u2100 that expand to 'a/c'
-+    # IDNA uses NFKC equivalence, so normalize for this check
-+    import unicodedata
-+    netloc2 = unicodedata.normalize('NFKC', netloc)
-+    if netloc == netloc2:
-+        return
-+    _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
-+    for c in '/?#@:':
-+        if c in netloc2:
-+            raise ValueError("netloc '" + netloc2 + "' contains invalid " +
-+                             "characters under NFKC normalization")
-+
- def urlsplit(url, scheme='', allow_fragments=True):
-     """Parse a URL into 5 components:
-     <scheme>://<netloc>/<path>?<query>#<fragment>
-@@ -419,6 +434,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
-                 url, fragment = url.split('#', 1)
-             if '?' in url:
-                 url, query = url.split('?', 1)
-+            _checknetloc(netloc)
-             v = SplitResult('http', netloc, url, query, fragment)
-             _parse_cache[key] = v
-             return _coerce_result(v)
-@@ -442,6 +458,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
-         url, fragment = url.split('#', 1)
-     if '?' in url:
-         url, query = url.split('?', 1)
-+    _checknetloc(netloc)
-     v = SplitResult(scheme, netloc, url, query, fragment)
-     _parse_cache[key] = v
-     return _coerce_result(v)
-diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
-new file mode 100644
-index 000000000000..5546394157f9
--- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
-@@ -0,0 +1,3 @@
-+Changes urlsplit() to raise ValueError when the URL contains characters that
-+decompose under IDNA encoding (NFKC-normalization) into characters that
-+affect how the URL is parsed.
diff --git a/meta/recipes-devtools/python/python3_3.7.2.bb b/meta/recipes-devtools/python/python3_3.7.3.bb
index 6da806bb93..1f1441f4ac 100644
--- a/meta/recipes-devtools/python/python3_3.7.2.bb
+++ b/meta/recipes-devtools/python/python3_3.7.3.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.python.org"
 LICENSE = "PSFv2"
 SECTION = "devel/python"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=f257cc14f81685691652a3d3e1b5d754"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=e466242989bd33c1bd2b6a526a742498"
 SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
           file://run-ptest \
@@ -22,8 +22,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
           file://0002-Don-t-do-runtime-test-to-get-float-byte-order.patch \
           file://0003-setup.py-pass-missing-libraries-to-Extension-for-mul.patch \
           file://0001-Lib-sysconfig.py-fix-another-place-where-lib-is-hard.patch \
-           file://CVE-2018-20852.patch \
-           file://CVE-2019-9636.patch \
           file://CVE-2019-9740.patch \
           "
@@ -35,8 +33,8 @@ SRC_URI_append_class-nativesdk = " \
           file://0001-main.c-if-OEPYTHON3HOME-is-set-use-instead-of-PYTHON.patch \
           "
-SRC_URI[md5sum] = "df6ec36011808205beda239c72f947cb"
+SRC_URI[md5sum] = "93df27aec0cd18d6d42173e601ffbbfd"
-SRC_URI[sha256sum] = "d83fe8ce51b1bb48bbcf0550fd265b9a75cdfdfa93f916f9e700aef8444bf1bb"
+SRC_URI[sha256sum] = "da60b54064d4cfcd9c26576f6df2690e62085123826cff2e667e72a91952d318"
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
author	Alexander Kanavin <alex.kanavin@gmail.com>	2019-10-01 22:58:16 +0300
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-08 22:51:35 +0100
commit	d1a785686f30838d6ff2702a557d996f6cecfbc0 (patch)
tree	da465a60f6bb8eeac9db9d38f556d9b5cce3d76a
parent	b58c50811b5151fb7f9980cb99c32df4eebd0b88 (diff)
download	poky-d1a785686f30838d6ff2702a557d996f6cecfbc0.tar.gz

diff --git a/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch b/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch index 8083345a4e..1741f5753b 100644 --- a/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch +++ b/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch
@@ -1,4 +1,4 @@
1	From 4865615a2bc2b78c739e4c33f536712c7f9af061 Mon Sep 17 00:00:00 2001	1	From 17796e353acf08acd604610f34840a4a9d2f4b54 Mon Sep 17 00:00:00 2001
2	From: Alexander Kanavin <alex.kanavin@gmail.com>	2	From: Alexander Kanavin <alex.kanavin@gmail.com>
3	Date: Thu, 31 Jan 2019 16:46:30 +0100	3	Date: Thu, 31 Jan 2019 16:46:30 +0100
4	Subject: [PATCH] distutils/sysconfig: append	4	Subject: [PATCH] distutils/sysconfig: append


diff --git a/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch b/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch index dcc0932c7f..35213171bd 100644 --- a/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch +++ b/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch
@@ -1,4 +1,4 @@
1	From 1397979ee445ff6826aa5469511e003539f77bb2 Mon Sep 17 00:00:00 2001	1	From 12900d498bb77bcc990868a80eaf0ab257b88fff Mon Sep 17 00:00:00 2001
2	From: Khem Raj <raj.khem@gmail.com>	2	From: Khem Raj <raj.khem@gmail.com>
3	Date: Tue, 14 May 2013 15:00:26 -0700	3	Date: Tue, 14 May 2013 15:00:26 -0700
4	Subject: [PATCH] python3: Add target and native recipes	4	Subject: [PATCH] python3: Add target and native recipes


diff --git a/meta/recipes-devtools/python/python3/CVE-2018-20852.patch b/meta/recipes-devtools/python/python3/CVE-2018-20852.patch deleted file mode 100644 index ff671d3fab..0000000000 --- a/meta/recipes-devtools/python/python3/CVE-2018-20852.patch +++ /dev/null
@@ -1,124 +0,0 @@
1	From e5123d81ffb3be35a1b2767d6ced1a097aaf77be Mon Sep 17 00:00:00 2001
2	From: "Miss Islington (bot)"
3	<31488909+miss-islington@users.noreply.github.com>
4	Date: Sat, 9 Mar 2019 18:58:25 -0800
5	Subject: [PATCH] bpo-35121: prefix dot in domain for proper subdomain
6	validation (GH-10258) (GH-12261)
7
8	Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy. Patch by Karthikeyan Singaravelan.
9	(cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14)
10
11	Co-authored-by: Xtreak <tir.karthi@gmail.com>
12	Upstream-Status: Backport
13	CVE: CVE-2018-20852
14	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
15	---
16	Lib/http/cookiejar.py \| 13 ++++++--
17	Lib/test/test_http_cookiejar.py \| 30 +++++++++++++++++++
18	.../2018-10-31-15-39-17.bpo-35121.EgHv9k.rst \| 4 +++
19	3 files changed, 45 insertions(+), 2 deletions(-)
20	create mode 100644 Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
21
22	diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py
23	index e0f1032b2816..00cb1250a07e 100644
24	--- a/Lib/http/cookiejar.py
25	+++ b/Lib/http/cookiejar.py
26	@@ -1145,6 +1145,11 @@ def return_ok_domain(self, cookie, request):
27	req_host, erhn = eff_request_host(request)
28	domain = cookie.domain
29
30	+ if domain and not domain.startswith("."):
31	+ dotdomain = "." + domain
32	+ else:
33	+ dotdomain = domain
34	+
35	# strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
36	if (cookie.version == 0 and
37	(self.strict_ns_domain & self.DomainStrictNonDomain) and
38	@@ -1157,7 +1162,7 @@ def return_ok_domain(self, cookie, request):
39	_debug(" effective request-host name %s does not domain-match "
40	"RFC 2965 cookie domain %s", erhn, domain)
41	return False
42	- if cookie.version == 0 and not ("."+erhn).endswith(domain):
43	+ if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
44	_debug(" request-host %s does not match Netscape cookie domain "
45	"%s", req_host, domain)
46	return False
47	@@ -1171,7 +1176,11 @@ def domain_return_ok(self, domain, request):
48	req_host = "."+req_host
49	if not erhn.startswith("."):
50	erhn = "."+erhn
51	- if not (req_host.endswith(domain) or erhn.endswith(domain)):
52	+ if domain and not domain.startswith("."):
53	+ dotdomain = "." + domain
54	+ else:
55	+ dotdomain = domain
56	+ if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
57	#_debug(" request domain %s does not match cookie domain %s",
58	# req_host, domain)
59	return False
60	diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py
61	index abc625d672a7..6e1b30881310 100644
62	--- a/Lib/test/test_http_cookiejar.py
63	+++ b/Lib/test/test_http_cookiejar.py
64	@@ -415,6 +415,7 @@ def test_domain_return_ok(self):
65	("http://foo.bar.com/", ".foo.bar.com", True),
66	("http://foo.bar.com/", "foo.bar.com", True),
67	("http://foo.bar.com/", ".bar.com", True),
68	+ ("http://foo.bar.com/", "bar.com", True),
69	("http://foo.bar.com/", "com", True),
70	("http://foo.com/", "rhubarb.foo.com", False),
71	("http://foo.com/", ".foo.com", True),
72	@@ -425,6 +426,8 @@ def test_domain_return_ok(self):
73	("http://foo/", "foo", True),
74	("http://foo/", "foo.local", True),
75	("http://foo/", ".local", True),
76	+ ("http://barfoo.com", ".foo.com", False),
77	+ ("http://barfoo.com", "foo.com", False),
78	]:
79	request = urllib.request.Request(url)
80	r = pol.domain_return_ok(domain, request)
81	@@ -959,6 +962,33 @@ def test_domain_block(self):
82	c.add_cookie_header(req)
83	self.assertFalse(req.has_header("Cookie"))
84
85	+ c.clear()
86	+
87	+ pol.set_blocked_domains([])
88	+ req = urllib.request.Request("http://acme.com/")
89	+ res = FakeResponse(headers, "http://acme.com/")
90	+ cookies = c.make_cookies(res, req)
91	+ c.extract_cookies(res, req)
92	+ self.assertEqual(len(c), 1)
93	+
94	+ req = urllib.request.Request("http://acme.com/")
95	+ c.add_cookie_header(req)
96	+ self.assertTrue(req.has_header("Cookie"))
97	+
98	+ req = urllib.request.Request("http://badacme.com/")
99	+ c.add_cookie_header(req)
100	+ self.assertFalse(pol.return_ok(cookies[0], req))
101	+ self.assertFalse(req.has_header("Cookie"))
102	+
103	+ p = pol.set_blocked_domains(["acme.com"])
104	+ req = urllib.request.Request("http://acme.com/")
105	+ c.add_cookie_header(req)
106	+ self.assertFalse(req.has_header("Cookie"))
107	+
108	+ req = urllib.request.Request("http://badacme.com/")
109	+ c.add_cookie_header(req)
110	+ self.assertFalse(req.has_header("Cookie"))
111	+
112	def test_secure(self):
113	for ns in True, False:
114	for whitespace in " ", "":
115	diff --git a/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
116	new file mode 100644
117	index 000000000000..d2eb8f1f352c
118	--- /dev/null
119	+++ b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
120	@@ -0,0 +1,4 @@
121	+Don't send cookies of domain A without Domain attribute to domain B
122	+when domain A is a suffix match of domain B while using a cookiejar
123	+with :class:`http.cookiejar.DefaultCookiePolicy` policy. Patch by
124	+Karthikeyan Singaravelan.


diff --git a/meta/recipes-devtools/python/python3/CVE-2019-9636.patch b/meta/recipes-devtools/python/python3/CVE-2019-9636.patch deleted file mode 100644 index 72128f0b0d..0000000000 --- a/meta/recipes-devtools/python/python3/CVE-2019-9636.patch +++ /dev/null
@@ -1,154 +0,0 @@
1	From daad2c482c91de32d8305abbccc76a5de8b3a8be Mon Sep 17 00:00:00 2001
2	From: Steve Dower <steve.dower@microsoft.com>
3	Date: Thu, 7 Mar 2019 09:08:18 -0800
4	Subject: [PATCH] bpo-36216: Add check for characters in netloc that normalize
5	to separators (GH-12201)
6
7	Upstream-Status: Backport
8	CVE: CVE-2019-9636
9	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
10
11	---
12	Doc/library/urllib.parse.rst \| 18 +++++++++++++++
13	Lib/test/test_urlparse.py \| 23 +++++++++++++++++++
14	Lib/urllib/parse.py \| 17 ++++++++++++++
15	.../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst \| 3 +++
16	4 files changed, 61 insertions(+)
17	create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
18
19	diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst
20	index 0c8f0f607314..b565e1edd321 100644
21	--- a/Doc/library/urllib.parse.rst
22	+++ b/Doc/library/urllib.parse.rst
23	@@ -124,6 +124,11 @@ or on combining URL components into a URL string.
24	Unmatched square brackets in the :attr:`netloc` attribute will raise a
25	:exc:`ValueError`.
26
27	+ Characters in the :attr:`netloc` attribute that decompose under NFKC
28	+ normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
29	+ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
30	+ decomposed before parsing, no error will be raised.
31	+
32	.. versionchanged:: 3.2
33	Added IPv6 URL parsing capabilities.
34
35	@@ -136,6 +141,10 @@ or on combining URL components into a URL string.
36	Out-of-range port numbers now raise :exc:`ValueError`, instead of
37	returning :const:`None`.
38
39	+ .. versionchanged:: 3.7.3
40	+ Characters that affect netloc parsing under NFKC normalization will
41	+ now raise :exc:`ValueError`.
42	+
43
44	.. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None)
45
46	@@ -257,10 +266,19 @@ or on combining URL components into a URL string.
47	Unmatched square brackets in the :attr:`netloc` attribute will raise a
48	:exc:`ValueError`.
49
50	+ Characters in the :attr:`netloc` attribute that decompose under NFKC
51	+ normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
52	+ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
53	+ decomposed before parsing, no error will be raised.
54	+
55	.. versionchanged:: 3.6
56	Out-of-range port numbers now raise :exc:`ValueError`, instead of
57	returning :const:`None`.
58
59	+ .. versionchanged:: 3.7.3
60	+ Characters that affect netloc parsing under NFKC normalization will
61	+ now raise :exc:`ValueError`.
62	+
63
64	.. function:: urlunsplit(parts)
65
66	diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
67	index be50b47603aa..e6638aee2244 100644
68	--- a/Lib/test/test_urlparse.py
69	+++ b/Lib/test/test_urlparse.py
70	@@ -1,3 +1,5 @@
71	+import sys
72	+import unicodedata
73	import unittest
74	import urllib.parse
75
76	@@ -984,6 +986,27 @@ def test_all(self):
77	expected.append(name)
78	self.assertCountEqual(urllib.parse.__all__, expected)
79
80	+ def test_urlsplit_normalization(self):
81	+ # Certain characters should never occur in the netloc,
82	+ # including under normalization.
83	+ # Ensure that ALL of them are detected and cause an error
84	+ illegal_chars = '/:#?@'
85	+ hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars}
86	+ denorm_chars = [
87	+ c for c in map(chr, range(128, sys.maxunicode))
88	+ if (hex_chars & set(unicodedata.decomposition(c).split()))
89	+ and c not in illegal_chars
90	+ ]
91	+ # Sanity check that we found at least one such character
92	+ self.assertIn('\u2100', denorm_chars)
93	+ self.assertIn('\uFF03', denorm_chars)
94	+
95	+ for scheme in ["http", "https", "ftp"]:
96	+ for c in denorm_chars:
97	+ url = "{}://netloc{}false.netloc/path".format(scheme, c)
98	+ with self.subTest(url=url, char='{:04X}'.format(ord(c))):
99	+ with self.assertRaises(ValueError):
100	+ urllib.parse.urlsplit(url)
101
102	class Utility_Tests(unittest.TestCase):
103	"""Testcase to test the various utility functions in the urllib."""
104	diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
105	index f691ab74f87f..39c5d6a80824 100644
106	--- a/Lib/urllib/parse.py
107	+++ b/Lib/urllib/parse.py
108	@@ -391,6 +391,21 @@ def _splitnetloc(url, start=0):
109	delim = min(delim, wdelim) # use earliest delim position
110	return url[start:delim], url[delim:] # return (domain, rest)
111
112	+def _checknetloc(netloc):
113	+ if not netloc or netloc.isascii():
114	+ return
115	+ # looking for characters like \u2100 that expand to 'a/c'
116	+ # IDNA uses NFKC equivalence, so normalize for this check
117	+ import unicodedata
118	+ netloc2 = unicodedata.normalize('NFKC', netloc)
119	+ if netloc == netloc2:
120	+ return
121	+ _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
122	+ for c in '/?#@:':
123	+ if c in netloc2:
124	+ raise ValueError("netloc '" + netloc2 + "' contains invalid " +
125	+ "characters under NFKC normalization")
126	+
127	def urlsplit(url, scheme='', allow_fragments=True):
128	"""Parse a URL into 5 components:
129	<scheme>://<netloc>/<path>?<query>#<fragment>
130	@@ -419,6 +434,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
131	url, fragment = url.split('#', 1)
132	if '?' in url:
133	url, query = url.split('?', 1)
134	+ _checknetloc(netloc)
135	v = SplitResult('http', netloc, url, query, fragment)
136	_parse_cache[key] = v
137	return _coerce_result(v)
138	@@ -442,6 +458,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
139	url, fragment = url.split('#', 1)
140	if '?' in url:
141	url, query = url.split('?', 1)
142	+ _checknetloc(netloc)
143	v = SplitResult(scheme, netloc, url, query, fragment)
144	_parse_cache[key] = v
145	return _coerce_result(v)
146	diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
147	new file mode 100644
148	index 000000000000..5546394157f9
149	--- /dev/null
150	+++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
151	@@ -0,0 +1,3 @@
152	+Changes urlsplit() to raise ValueError when the URL contains characters that
153	+decompose under IDNA encoding (NFKC-normalization) into characters that
154	+affect how the URL is parsed.


diff --git a/meta/recipes-devtools/python/python3_3.7.2.bb b/meta/recipes-devtools/python/python3_3.7.3.bb index 6da806bb93..1f1441f4ac 100644 --- a/meta/recipes-devtools/python/python3_3.7.2.bb +++ b/meta/recipes-devtools/python/python3_3.7.3.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.python.org"
3	LICENSE = "PSFv2"	3	LICENSE = "PSFv2"
4	SECTION = "devel/python"	4	SECTION = "devel/python"
5		5
6	LIC_FILES_CHKSUM = "file://LICENSE;md5=f257cc14f81685691652a3d3e1b5d754"	6	LIC_FILES_CHKSUM = "file://LICENSE;md5=e466242989bd33c1bd2b6a526a742498"
7		7
8	SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \	8	SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
9	file://run-ptest \	9	file://run-ptest \
@@ -22,8 +22,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
22	file://0002-Don-t-do-runtime-test-to-get-float-byte-order.patch \	22	file://0002-Don-t-do-runtime-test-to-get-float-byte-order.patch \
23	file://0003-setup.py-pass-missing-libraries-to-Extension-for-mul.patch \	23	file://0003-setup.py-pass-missing-libraries-to-Extension-for-mul.patch \
24	file://0001-Lib-sysconfig.py-fix-another-place-where-lib-is-hard.patch \	24	file://0001-Lib-sysconfig.py-fix-another-place-where-lib-is-hard.patch \
25	file://CVE-2018-20852.patch \
26	file://CVE-2019-9636.patch \
27	file://CVE-2019-9740.patch \	25	file://CVE-2019-9740.patch \
28	"	26	"
29		27
@@ -35,8 +33,8 @@ SRC_URI_append_class-nativesdk = " \
35	file://0001-main.c-if-OEPYTHON3HOME-is-set-use-instead-of-PYTHON.patch \	33	file://0001-main.c-if-OEPYTHON3HOME-is-set-use-instead-of-PYTHON.patch \
36	"	34	"
37		35
38	SRC_URI[md5sum] = "df6ec36011808205beda239c72f947cb"	36	SRC_URI[md5sum] = "93df27aec0cd18d6d42173e601ffbbfd"
39	SRC_URI[sha256sum] = "d83fe8ce51b1bb48bbcf0550fd265b9a75cdfdfa93f916f9e700aef8444bf1bb"	37	SRC_URI[sha256sum] = "da60b54064d4cfcd9c26576f6df2690e62085123826cff2e667e72a91952d318"
40		38
41	# exclude pre-releases for both python 2.x and 3.x	39	# exclude pre-releases for both python 2.x and 3.x
42	UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"	40	UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"