diff options
| author | Alexander Kanavin <alex.kanavin@gmail.com> | 2019-11-18 15:28:40 +0100 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-01-16 22:38:52 +0000 |
| commit | cc7bd259519ea11b279486648a45c79e1aba35d3 (patch) | |
| tree | 8d15bb332d2de43fa480d27da937af14317e285e /meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch | |
| parent | c8342197f862d71c74311a9c6c5d38fa05fef5ad (diff) | |
| download | poky-cc7bd259519ea11b279486648a45c79e1aba35d3.tar.gz | |
python: update to 2.7.17
Drop backports, rebase a couple of patches.
This is the second last release of py 2.x; upstream support ends on
1 January 2020, there will be one final 2.x afterwards.
Note that the only thing that still needs python 2.x in oe-core is
u-boot; when the next u-boot update arrives, we should find out
where the py3 migration is for that component before merging the
update.
(From OE-Core rev: 184b60eb905bb75ecc7a0c29a175e624d8555fac)
(From OE-Core rev: 7009d823a0799ce7132bd77329b273a476718c8c)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
[Minor fixup for warrior context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch')
| -rw-r--r-- | meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch | 81 |
1 files changed, 0 insertions, 81 deletions
diff --git a/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch b/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch deleted file mode 100644 index 1b6cb8cf3e..0000000000 --- a/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch +++ /dev/null | |||
| @@ -1,81 +0,0 @@ | |||
| 1 | From 5a1033fe5be764a135adcfff2fdc14edc3e5f327 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Changqing Li <changqing.li@windriver.com> | ||
| 3 | Date: Thu, 10 Oct 2019 16:32:19 +0800 | ||
| 4 | Subject: [PATCH] bpo-36742: Fixes handling of pre-normalization characters in | ||
| 5 | urlsplit() bpo-36742: Corrects fix to handle decomposition in usernames | ||
| 6 | |||
| 7 | Upstream-Status: Backport | ||
| 8 | |||
| 9 | https://github.com/python/cpython/commit/98a4dcefbbc3bce5ab07e7c0830a183157250259 | ||
| 10 | https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de#diff-b577545d73dd0cdb2c337a4c5f89e1d7 | ||
| 11 | |||
| 12 | CVE: CVE-2019-10160 | ||
| 13 | |||
| 14 | Signed-off-by: Changqing Li <changqing.li@windriver.com> | ||
| 15 | --- | ||
| 16 | Lib/test/test_urlparse.py | 19 +++++++++++++------ | ||
| 17 | Lib/urlparse.py | 14 +++++++++----- | ||
| 18 | 2 files changed, 22 insertions(+), 11 deletions(-) | ||
| 19 | |||
| 20 | diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py | ||
| 21 | index 1830d0b..857ed96 100644 | ||
| 22 | --- a/Lib/test/test_urlparse.py | ||
| 23 | +++ b/Lib/test/test_urlparse.py | ||
| 24 | @@ -641,13 +641,20 @@ class UrlParseTestCase(unittest.TestCase): | ||
| 25 | self.assertIn(u'\u2100', denorm_chars) | ||
| 26 | self.assertIn(u'\uFF03', denorm_chars) | ||
| 27 | |||
| 28 | + # bpo-36742: Verify port separators are ignored when they | ||
| 29 | + # existed prior to decomposition | ||
| 30 | + urlparse.urlsplit(u'http://\u30d5\u309a:80') | ||
| 31 | + with self.assertRaises(ValueError): | ||
| 32 | + urlparse.urlsplit(u'http://\u30d5\u309a\ufe1380') | ||
| 33 | + | ||
| 34 | for scheme in [u"http", u"https", u"ftp"]: | ||
| 35 | - for c in denorm_chars: | ||
| 36 | - url = u"{}://netloc{}false.netloc/path".format(scheme, c) | ||
| 37 | - if test_support.verbose: | ||
| 38 | - print "Checking %r" % url | ||
| 39 | - with self.assertRaises(ValueError): | ||
| 40 | - urlparse.urlsplit(url) | ||
| 41 | + for netloc in [u"netloc{}false.netloc", u"n{}user@netloc"]: | ||
| 42 | + for c in denorm_chars: | ||
| 43 | + url = u"{}://{}/path".format(scheme, netloc.format(c)) | ||
| 44 | + if test_support.verbose: | ||
| 45 | + print "Checking %r" % url | ||
| 46 | + with self.assertRaises(ValueError): | ||
| 47 | + urlparse.urlsplit(url) | ||
| 48 | |||
| 49 | def test_main(): | ||
| 50 | test_support.run_unittest(UrlParseTestCase) | ||
| 51 | diff --git a/Lib/urlparse.py b/Lib/urlparse.py | ||
| 52 | index 54eda08..e34b368 100644 | ||
| 53 | --- a/Lib/urlparse.py | ||
| 54 | +++ b/Lib/urlparse.py | ||
| 55 | @@ -171,14 +171,18 @@ def _checknetloc(netloc): | ||
| 56 | # looking for characters like \u2100 that expand to 'a/c' | ||
| 57 | # IDNA uses NFKC equivalence, so normalize for this check | ||
| 58 | import unicodedata | ||
| 59 | - netloc2 = unicodedata.normalize('NFKC', netloc) | ||
| 60 | - if netloc == netloc2: | ||
| 61 | + n = netloc.replace(u'@', u'') # ignore characters already included | ||
| 62 | + n = n.replace(u':', u'') # but not the surrounding text | ||
| 63 | + n = n.replace(u'#', u'') | ||
| 64 | + n = n.replace(u'?', u'') | ||
| 65 | + | ||
| 66 | + netloc2 = unicodedata.normalize('NFKC', n) | ||
| 67 | + if n == netloc2: | ||
| 68 | return | ||
| 69 | - _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay | ||
| 70 | for c in '/?#@:': | ||
| 71 | if c in netloc2: | ||
| 72 | - raise ValueError("netloc '" + netloc2 + "' contains invalid " + | ||
| 73 | - "characters under NFKC normalization") | ||
| 74 | + raise ValueError(u"netloc '" + netloc + u"' contains invalid " + | ||
| 75 | + u"characters under NFKC normalization") | ||
| 76 | |||
| 77 | def urlsplit(url, scheme='', allow_fragments=True): | ||
| 78 | """Parse a URL into 5 components: | ||
| 79 | -- | ||
| 80 | 2.7.4 | ||
| 81 | |||