diff options
author | Alexander Kanavin <alex.kanavin@gmail.com> | 2019-10-01 22:58:16 +0300 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-10-08 22:51:35 +0100 |
commit | d1a785686f30838d6ff2702a557d996f6cecfbc0 (patch) | |
tree | da465a60f6bb8eeac9db9d38f556d9b5cce3d76a /meta/recipes-devtools/python/python3/CVE-2018-20852.patch | |
parent | b58c50811b5151fb7f9980cb99c32df4eebd0b88 (diff) | |
download | poky-d1a785686f30838d6ff2702a557d996f6cecfbc0.tar.gz |
python: update to 3.7.3
License-update: copyright years
(From OE-Core rev: 845b9a4ed2b83d716688a7b0d8bf13f37e79a025)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[ Backported patches removed. ]
Signed-off-by: Adrian Bunk <bunk@stusta.de>
[Bug fix only update]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/python/python3/CVE-2018-20852.patch')
-rw-r--r-- | meta/recipes-devtools/python/python3/CVE-2018-20852.patch | 124 |
1 files changed, 0 insertions, 124 deletions
diff --git a/meta/recipes-devtools/python/python3/CVE-2018-20852.patch b/meta/recipes-devtools/python/python3/CVE-2018-20852.patch deleted file mode 100644 index ff671d3fab..0000000000 --- a/meta/recipes-devtools/python/python3/CVE-2018-20852.patch +++ /dev/null | |||
@@ -1,124 +0,0 @@ | |||
1 | From e5123d81ffb3be35a1b2767d6ced1a097aaf77be Mon Sep 17 00:00:00 2001 | ||
2 | From: "Miss Islington (bot)" | ||
3 | <31488909+miss-islington@users.noreply.github.com> | ||
4 | Date: Sat, 9 Mar 2019 18:58:25 -0800 | ||
5 | Subject: [PATCH] bpo-35121: prefix dot in domain for proper subdomain | ||
6 | validation (GH-10258) (GH-12261) | ||
7 | |||
8 | Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy. Patch by Karthikeyan Singaravelan. | ||
9 | (cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14) | ||
10 | |||
11 | Co-authored-by: Xtreak <tir.karthi@gmail.com> | ||
12 | Upstream-Status: Backport | ||
13 | CVE: CVE-2018-20852 | ||
14 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
15 | --- | ||
16 | Lib/http/cookiejar.py | 13 ++++++-- | ||
17 | Lib/test/test_http_cookiejar.py | 30 +++++++++++++++++++ | ||
18 | .../2018-10-31-15-39-17.bpo-35121.EgHv9k.rst | 4 +++ | ||
19 | 3 files changed, 45 insertions(+), 2 deletions(-) | ||
20 | create mode 100644 Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst | ||
21 | |||
22 | diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py | ||
23 | index e0f1032b2816..00cb1250a07e 100644 | ||
24 | --- a/Lib/http/cookiejar.py | ||
25 | +++ b/Lib/http/cookiejar.py | ||
26 | @@ -1145,6 +1145,11 @@ def return_ok_domain(self, cookie, request): | ||
27 | req_host, erhn = eff_request_host(request) | ||
28 | domain = cookie.domain | ||
29 | |||
30 | + if domain and not domain.startswith("."): | ||
31 | + dotdomain = "." + domain | ||
32 | + else: | ||
33 | + dotdomain = domain | ||
34 | + | ||
35 | # strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't | ||
36 | if (cookie.version == 0 and | ||
37 | (self.strict_ns_domain & self.DomainStrictNonDomain) and | ||
38 | @@ -1157,7 +1162,7 @@ def return_ok_domain(self, cookie, request): | ||
39 | _debug(" effective request-host name %s does not domain-match " | ||
40 | "RFC 2965 cookie domain %s", erhn, domain) | ||
41 | return False | ||
42 | - if cookie.version == 0 and not ("."+erhn).endswith(domain): | ||
43 | + if cookie.version == 0 and not ("."+erhn).endswith(dotdomain): | ||
44 | _debug(" request-host %s does not match Netscape cookie domain " | ||
45 | "%s", req_host, domain) | ||
46 | return False | ||
47 | @@ -1171,7 +1176,11 @@ def domain_return_ok(self, domain, request): | ||
48 | req_host = "."+req_host | ||
49 | if not erhn.startswith("."): | ||
50 | erhn = "."+erhn | ||
51 | - if not (req_host.endswith(domain) or erhn.endswith(domain)): | ||
52 | + if domain and not domain.startswith("."): | ||
53 | + dotdomain = "." + domain | ||
54 | + else: | ||
55 | + dotdomain = domain | ||
56 | + if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)): | ||
57 | #_debug(" request domain %s does not match cookie domain %s", | ||
58 | # req_host, domain) | ||
59 | return False | ||
60 | diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py | ||
61 | index abc625d672a7..6e1b30881310 100644 | ||
62 | --- a/Lib/test/test_http_cookiejar.py | ||
63 | +++ b/Lib/test/test_http_cookiejar.py | ||
64 | @@ -415,6 +415,7 @@ def test_domain_return_ok(self): | ||
65 | ("http://foo.bar.com/", ".foo.bar.com", True), | ||
66 | ("http://foo.bar.com/", "foo.bar.com", True), | ||
67 | ("http://foo.bar.com/", ".bar.com", True), | ||
68 | + ("http://foo.bar.com/", "bar.com", True), | ||
69 | ("http://foo.bar.com/", "com", True), | ||
70 | ("http://foo.com/", "rhubarb.foo.com", False), | ||
71 | ("http://foo.com/", ".foo.com", True), | ||
72 | @@ -425,6 +426,8 @@ def test_domain_return_ok(self): | ||
73 | ("http://foo/", "foo", True), | ||
74 | ("http://foo/", "foo.local", True), | ||
75 | ("http://foo/", ".local", True), | ||
76 | + ("http://barfoo.com", ".foo.com", False), | ||
77 | + ("http://barfoo.com", "foo.com", False), | ||
78 | ]: | ||
79 | request = urllib.request.Request(url) | ||
80 | r = pol.domain_return_ok(domain, request) | ||
81 | @@ -959,6 +962,33 @@ def test_domain_block(self): | ||
82 | c.add_cookie_header(req) | ||
83 | self.assertFalse(req.has_header("Cookie")) | ||
84 | |||
85 | + c.clear() | ||
86 | + | ||
87 | + pol.set_blocked_domains([]) | ||
88 | + req = urllib.request.Request("http://acme.com/") | ||
89 | + res = FakeResponse(headers, "http://acme.com/") | ||
90 | + cookies = c.make_cookies(res, req) | ||
91 | + c.extract_cookies(res, req) | ||
92 | + self.assertEqual(len(c), 1) | ||
93 | + | ||
94 | + req = urllib.request.Request("http://acme.com/") | ||
95 | + c.add_cookie_header(req) | ||
96 | + self.assertTrue(req.has_header("Cookie")) | ||
97 | + | ||
98 | + req = urllib.request.Request("http://badacme.com/") | ||
99 | + c.add_cookie_header(req) | ||
100 | + self.assertFalse(pol.return_ok(cookies[0], req)) | ||
101 | + self.assertFalse(req.has_header("Cookie")) | ||
102 | + | ||
103 | + p = pol.set_blocked_domains(["acme.com"]) | ||
104 | + req = urllib.request.Request("http://acme.com/") | ||
105 | + c.add_cookie_header(req) | ||
106 | + self.assertFalse(req.has_header("Cookie")) | ||
107 | + | ||
108 | + req = urllib.request.Request("http://badacme.com/") | ||
109 | + c.add_cookie_header(req) | ||
110 | + self.assertFalse(req.has_header("Cookie")) | ||
111 | + | ||
112 | def test_secure(self): | ||
113 | for ns in True, False: | ||
114 | for whitespace in " ", "": | ||
115 | diff --git a/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst | ||
116 | new file mode 100644 | ||
117 | index 000000000000..d2eb8f1f352c | ||
118 | --- /dev/null | ||
119 | +++ b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst | ||
120 | @@ -0,0 +1,4 @@ | ||
121 | +Don't send cookies of domain A without Domain attribute to domain B | ||
122 | +when domain A is a suffix match of domain B while using a cookiejar | ||
123 | +with :class:`http.cookiejar.DefaultCookiePolicy` policy. Patch by | ||
124 | +Karthikeyan Singaravelan. | ||