python: Fix CVE-2019-10160

(From OE-Core rev: 23d48f2bea2d358bd8d7d4efd07792bc1f3666bd) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit b4240b585d7fcac2fdbf33a8e72d48cb732eb696) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 10d87a3085665a959a5fda64ae3895cb27ddf343) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Changqing Li <changqing.li@windriver.com> 2019-10-29 10:47:27 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-10-30 13:47:54 +0000
commit: f29207ae997e829fcdf781ce3b566c96da3c9390 (patch)
tree: 441144cb571a10a6bbff9c64d1d408c3a4f642bc
parent: 0e55cd3815cd47d5f3d7de51dfccc14cbeb1250d (diff)
download: poky-f29207ae997e829fcdf781ce3b566c96da3c9390.tar.gz
2 files changed, 82 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch b/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch
new file mode 100644
index 0000000000..1b6cb8cf3e
--- /dev/null
+++ b/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch
@@ -0,0 +1,81 @@
+From 5a1033fe5be764a135adcfff2fdc14edc3e5f327 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 10 Oct 2019 16:32:19 +0800
+Subject: [PATCH] bpo-36742: Fixes handling of pre-normalization characters in
+ urlsplit() bpo-36742: Corrects fix to handle decomposition in usernames
+Upstream-Status: Backport
+https://github.com/python/cpython/commit/98a4dcefbbc3bce5ab07e7c0830a183157250259
+https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de#diff-b577545d73dd0cdb2c337a4c5f89e1d7
+CVE: CVE-2019-10160
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ Lib/test/test_urlparse.py | 19 +++++++++++++------
+ Lib/urlparse.py           | 14 +++++++++-----
+ 2 files changed, 22 insertions(+), 11 deletions(-)
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 1830d0b..857ed96 100644
+--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
+@@ -641,13 +641,20 @@ class UrlParseTestCase(unittest.TestCase):
+         self.assertIn(u'\u2100', denorm_chars)
+         self.assertIn(u'\uFF03', denorm_chars)
+ 
+        # bpo-36742: Verify port separators are ignored when they
+        # existed prior to decomposition
+        urlparse.urlsplit(u'http://\u30d5\u309a:80')
+        with self.assertRaises(ValueError):
+            urlparse.urlsplit(u'http://\u30d5\u309a\ufe1380')
+
+         for scheme in [u"http", u"https", u"ftp"]:
+-            for c in denorm_chars:
+-                url = u"{}://netloc{}false.netloc/path".format(scheme, c)
+-                if test_support.verbose:
+-                    print "Checking %r" % url
+-                with self.assertRaises(ValueError):
+-                    urlparse.urlsplit(url)
+            for netloc in [u"netloc{}false.netloc", u"n{}user@netloc"]:
+                for c in denorm_chars:
+                    url = u"{}://{}/path".format(scheme, netloc.format(c))
+                    if test_support.verbose:
+                        print "Checking %r" % url
+                    with self.assertRaises(ValueError):
+                        urlparse.urlsplit(url)
+ 
+ def test_main():
+     test_support.run_unittest(UrlParseTestCase)
+diff --git a/Lib/urlparse.py b/Lib/urlparse.py
+index 54eda08..e34b368 100644
+--- a/Lib/urlparse.py
+++ b/Lib/urlparse.py
+@@ -171,14 +171,18 @@ def _checknetloc(netloc):
+     # looking for characters like \u2100 that expand to 'a/c'
+     # IDNA uses NFKC equivalence, so normalize for this check
+     import unicodedata
+-    netloc2 = unicodedata.normalize('NFKC', netloc)
+-    if netloc == netloc2:
+    n = netloc.replace(u'@', u'') # ignore characters already included
+    n = n.replace(u':', u'')      # but not the surrounding text
+    n = n.replace(u'#', u'')
+    n = n.replace(u'?', u'')
+
+    netloc2 = unicodedata.normalize('NFKC', n)
+    if n == netloc2:
+         return
+-    _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
+     for c in '/?#@:':
+         if c in netloc2:
+-            raise ValueError("netloc '" + netloc2 + "' contains invalid " +
+-                             "characters under NFKC normalization")
+            raise ValueError(u"netloc '" + netloc + u"' contains invalid " +
+                             u"characters under NFKC normalization")
+ 
+ def urlsplit(url, scheme='', allow_fragments=True):
+     """Parse a URL into 5 components:
+-- 
+2.7.4
diff --git a/meta/recipes-devtools/python/python_2.7.16.bb b/meta/recipes-devtools/python/python_2.7.16.bb
index b263e7214c..1c7c58199f 100644
--- a/meta/recipes-devtools/python/python_2.7.16.bb
+++ b/meta/recipes-devtools/python/python_2.7.16.bb
@@ -31,6 +31,7 @@ SRC_URI += " \
           file://float-endian.patch \
           file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \
           file://0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \
+           file://bpo-36742-cve-2019-10160.patch \
 "
 S = "${WORKDIR}/Python-${PV}"
author	Changqing Li <changqing.li@windriver.com>	2019-10-29 10:47:27 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-30 13:47:54 +0000
commit	f29207ae997e829fcdf781ce3b566c96da3c9390 (patch)
tree	441144cb571a10a6bbff9c64d1d408c3a4f642bc
parent	0e55cd3815cd47d5f3d7de51dfccc14cbeb1250d (diff)
download	poky-f29207ae997e829fcdf781ce3b566c96da3c9390.tar.gz

diff --git a/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch b/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch new file mode 100644 index 0000000000..1b6cb8cf3e --- /dev/null +++ b/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch
@@ -0,0 +1,81 @@
		1	From 5a1033fe5be764a135adcfff2fdc14edc3e5f327 Mon Sep 17 00:00:00 2001
		2	From: Changqing Li <changqing.li@windriver.com>
		3	Date: Thu, 10 Oct 2019 16:32:19 +0800
		4	Subject: [PATCH] bpo-36742: Fixes handling of pre-normalization characters in
		5	urlsplit() bpo-36742: Corrects fix to handle decomposition in usernames
		6
		7	Upstream-Status: Backport
		8
		9	https://github.com/python/cpython/commit/98a4dcefbbc3bce5ab07e7c0830a183157250259
		10	https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de#diff-b577545d73dd0cdb2c337a4c5f89e1d7
		11
		12	CVE: CVE-2019-10160
		13
		14	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		15	---
		16	Lib/test/test_urlparse.py \| 19 +++++++++++++------
		17	Lib/urlparse.py \| 14 +++++++++-----
		18	2 files changed, 22 insertions(+), 11 deletions(-)
		19
		20	diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
		21	index 1830d0b..857ed96 100644
		22	--- a/Lib/test/test_urlparse.py
		23	+++ b/Lib/test/test_urlparse.py
		24	@@ -641,13 +641,20 @@ class UrlParseTestCase(unittest.TestCase):
		25	self.assertIn(u'\u2100', denorm_chars)
		26	self.assertIn(u'\uFF03', denorm_chars)
		27
		28	+ # bpo-36742: Verify port separators are ignored when they
		29	+ # existed prior to decomposition
		30	+ urlparse.urlsplit(u'http://\u30d5\u309a:80')
		31	+ with self.assertRaises(ValueError):
		32	+ urlparse.urlsplit(u'http://\u30d5\u309a\ufe1380')
		33	+
		34	for scheme in [u"http", u"https", u"ftp"]:
		35	- for c in denorm_chars:
		36	- url = u"{}://netloc{}false.netloc/path".format(scheme, c)
		37	- if test_support.verbose:
		38	- print "Checking %r" % url
		39	- with self.assertRaises(ValueError):
		40	- urlparse.urlsplit(url)
		41	+ for netloc in [u"netloc{}false.netloc", u"n{}user@netloc"]:
		42	+ for c in denorm_chars:
		43	+ url = u"{}://{}/path".format(scheme, netloc.format(c))
		44	+ if test_support.verbose:
		45	+ print "Checking %r" % url
		46	+ with self.assertRaises(ValueError):
		47	+ urlparse.urlsplit(url)
		48
		49	def test_main():
		50	test_support.run_unittest(UrlParseTestCase)
		51	diff --git a/Lib/urlparse.py b/Lib/urlparse.py
		52	index 54eda08..e34b368 100644
		53	--- a/Lib/urlparse.py
		54	+++ b/Lib/urlparse.py
		55	@@ -171,14 +171,18 @@ def _checknetloc(netloc):
		56	# looking for characters like \u2100 that expand to 'a/c'
		57	# IDNA uses NFKC equivalence, so normalize for this check
		58	import unicodedata
		59	- netloc2 = unicodedata.normalize('NFKC', netloc)
		60	- if netloc == netloc2:
		61	+ n = netloc.replace(u'@', u'') # ignore characters already included
		62	+ n = n.replace(u':', u'') # but not the surrounding text
		63	+ n = n.replace(u'#', u'')
		64	+ n = n.replace(u'?', u'')
		65	+
		66	+ netloc2 = unicodedata.normalize('NFKC', n)
		67	+ if n == netloc2:
		68	return
		69	- _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
		70	for c in '/?#@:':
		71	if c in netloc2:
		72	- raise ValueError("netloc '" + netloc2 + "' contains invalid " +
		73	- "characters under NFKC normalization")
		74	+ raise ValueError(u"netloc '" + netloc + u"' contains invalid " +
		75	+ u"characters under NFKC normalization")
		76
		77	def urlsplit(url, scheme='', allow_fragments=True):
		78	"""Parse a URL into 5 components:
		79	--
		80	2.7.4
		81


diff --git a/meta/recipes-devtools/python/python_2.7.16.bb b/meta/recipes-devtools/python/python_2.7.16.bb index b263e7214c..1c7c58199f 100644 --- a/meta/recipes-devtools/python/python_2.7.16.bb +++ b/meta/recipes-devtools/python/python_2.7.16.bb
@@ -31,6 +31,7 @@ SRC_URI += " \
31	file://float-endian.patch \	31	file://float-endian.patch \
32	file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \	32	file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \
33	file://0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \	33	file://0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \
		34	file://bpo-36742-cve-2019-10160.patch \
34	"	35	"
35		36
36	S = "${WORKDIR}/Python-${PV}"	37	S = "${WORKDIR}/Python-${PV}"