python: fix security vulnerability

This Fixes bug: [Yocto #1254] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1015 Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are now collapsed within the url properly before looking in cgi_directories. (From OE-Core rev: 43e7ec07065e58128819b0bb359358ce42628672) Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Nitin A Kamble <nitin.a.kamble@intel.com> 2011-07-19 15:42:48 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2011-07-22 11:51:05 +0100
commit: 9d4f709a454bb66729a629f6a9dfe3d04e068971 (patch)
tree: 958a132cca71b4e9a9af695c1c6d5b98abba66a1 /meta/recipes-devtools/python
parent: a70c1f6f78a8c349dcee284d82eaec876ebc4086 (diff)
download: poky-9d4f709a454bb66729a629f6a9dfe3d04e068971.tar.gz
3 files changed, 186 insertions, 1 deletions
diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
index 25a458ef13..a6cc91789c 100644
--- a/meta/recipes-devtools/python/python.inc
+++ b/meta/recipes-devtools/python/python.inc
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.python.org"
 LICENSE = "PSF"
 SECTION = "devel/python"
 # bump this on every change in contrib/python/generate-manifest-2.6.py
-INC_PR = "nk2"
+INC_PR = "r2"
 DEFAULT_PREFERENCE = "-26"
diff --git a/meta/recipes-devtools/python/python/security_issue_2254_fix.patch b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch
new file mode 100644
index 0000000000..f0328585d5
--- /dev/null
+++ b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch
@@ -0,0 +1,184 @@
+Upstream-Status: Backport
+http://svn.python.org/view?view=revision&revision=71303
+Issue #2254: Fix CGIHTTPServer information disclosure.  Relative paths are
+  now collapsed within the url properly before looking in cgi_directories.
+Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com> 
+2011/07/19
+Index: Python-2.6.6/Lib/CGIHTTPServer.py
+===================================================================
+--- Python-2.6.6.orig/Lib/CGIHTTPServer.py
+++ Python-2.6.6/Lib/CGIHTTPServer.py
+@@ -70,27 +70,20 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
+             return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)
+ 
+     def is_cgi(self):
+-        """Test whether self.path corresponds to a CGI script,
+-        and return a boolean.
+        """Test whether self.path corresponds to a CGI script.
+ 
+-        This function sets self.cgi_info to a tuple (dir, rest)
+-        when it returns True, where dir is the directory part before
+-        the CGI script name.  Note that rest begins with a
+-        slash if it is not empty.
+-
+-        The default implementation tests whether the path
+-        begins with one of the strings in the list
+-        self.cgi_directories (and the next character is a '/'
+-        or the end of the string).
+        Returns True and updates the cgi_info attribute to the tuple
+        (dir, rest) if self.path requires running a CGI script.
+        Returns False otherwise.
+
+        The default implementation tests whether the normalized url
+        path begins with one of the strings in self.cgi_directories
+        (and the next character is a '/' or the end of the string).
+         """
+-
+-        path = self.path
+-
+-        for x in self.cgi_directories:
+-            i = len(x)
+-            if path[:i] == x and (not path[i:] or path[i] == '/'):
+-                self.cgi_info = path[:i], path[i+1:]
+-                return True
+        splitpath = _url_collapse_path_split(self.path)
+        if splitpath[0] in self.cgi_directories:
+            self.cgi_info = splitpath
+            return True
+         return False
+ 
+     cgi_directories = ['/cgi-bin', '/htbin']
+@@ -299,6 +292,46 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
+                 self.log_message("CGI script exited OK")
+ 
+ 
+# TODO(gregory.p.smith): Move this into an appropriate library.
+def _url_collapse_path_split(path):
+    """
+    Given a URL path, remove extra '/'s and '.' path elements and collapse
+    any '..' references.
+
+    Implements something akin to RFC-2396 5.2 step 6 to parse relative paths.
+
+    Returns: A tuple of (head, tail) where tail is everything after the final /
+    and head is everything before it.  Head will always start with a '/' and,
+    if it contains anything else, never have a trailing '/'.
+
+    Raises: IndexError if too many '..' occur within the path.
+    """
+    # Similar to os.path.split(os.path.normpath(path)) but specific to URL
+    # path semantics rather than local operating system semantics.
+    path_parts = []
+    for part in path.split('/'):
+        if part == '.':
+            path_parts.append('')
+        else:
+            path_parts.append(part)
+    # Filter out blank non trailing parts before consuming the '..'.
+    path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:]
+    if path_parts:
+        tail_part = path_parts.pop()
+    else:
+        tail_part = ''
+    head_parts = []
+    for part in path_parts:
+        if part == '..':
+            head_parts.pop()
+        else:
+            head_parts.append(part)
+    if tail_part and tail_part == '..':
+        head_parts.pop()
+        tail_part = ''
+    return ('/' + '/'.join(head_parts), tail_part)
+
+
+ nobody = None
+ 
+ def nobody_uid():
+Index: Python-2.6.6/Lib/test/test_httpservers.py
+===================================================================
+--- Python-2.6.6.orig/Lib/test/test_httpservers.py
+++ Python-2.6.6/Lib/test/test_httpservers.py
+@@ -7,6 +7,7 @@ Josip Dzolonga, and Michael Otteneder fo
+ from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
+ from SimpleHTTPServer import SimpleHTTPRequestHandler
+ from CGIHTTPServer import CGIHTTPRequestHandler
+import CGIHTTPServer
+ 
+ import os
+ import sys
+@@ -324,6 +325,45 @@ class CGIHTTPServerTestCase(BaseTestCase
+         finally:
+             BaseTestCase.tearDown(self)
+ 
+    def test_url_collapse_path_split(self):
+        test_vectors = {
+            '': ('/', ''),
+            '..': IndexError,
+            '/.//..': IndexError,
+            '/': ('/', ''),
+            '//': ('/', ''),
+            '/\\': ('/', '\\'),
+            '/.//': ('/', ''),
+            'cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
+            '/cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
+            'a': ('/', 'a'),
+            '/a': ('/', 'a'),
+            '//a': ('/', 'a'),
+            './a': ('/', 'a'),
+            './C:/': ('/C:', ''),
+            '/a/b': ('/a', 'b'),
+            '/a/b/': ('/a/b', ''),
+            '/a/b/c/..': ('/a/b', ''),
+            '/a/b/c/../d': ('/a/b', 'd'),
+            '/a/b/c/../d/e/../f': ('/a/b/d', 'f'),
+            '/a/b/c/../d/e/../../f': ('/a/b', 'f'),
+            '/a/b/c/../d/e/.././././..//f': ('/a/b', 'f'),
+            '../a/b/c/../d/e/.././././..//f': IndexError,
+            '/a/b/c/../d/e/../../../f': ('/a', 'f'),
+            '/a/b/c/../d/e/../../../../f': ('/', 'f'),
+            '/a/b/c/../d/e/../../../../../f': IndexError,
+            '/a/b/c/../d/e/../../../../f/..': ('/', ''),
+        }
+        for path, expected in test_vectors.iteritems():
+            if isinstance(expected, type) and issubclass(expected, Exception):
+                self.assertRaises(expected,
+                                  CGIHTTPServer._url_collapse_path_split, path)
+            else:
+                actual = CGIHTTPServer._url_collapse_path_split(path)
+                self.assertEquals(expected, actual,
+                                  msg='path = %r\nGot:    %r\nWanted: %r' % (
+                                  path, actual, expected))
+
+     def test_headers_and_content(self):
+         res = self.request('/cgi-bin/file1.py')
+         self.assertEquals(('Hello World\n', 'text/html', 200), \
+@@ -348,6 +388,12 @@ class CGIHTTPServerTestCase(BaseTestCase
+         self.assertEquals(('Hello World\n', 'text/html', 200), \
+              (res.read(), res.getheader('Content-type'), res.status))
+ 
+    def test_no_leading_slash(self):
+        # http://bugs.python.org/issue2254
+        res = self.request('cgi-bin/file1.py')
+        self.assertEquals(('Hello World\n', 'text/html', 200),
+             (res.read(), res.getheader('Content-type'), res.status))
+
+ 
+ def test_main(verbose=None):
+     cwd = os.getcwd()
+Index: Python-2.6.6/Misc/NEWS
+===================================================================
+--- Python-2.6.6.orig/Misc/NEWS
+++ Python-2.6.6/Misc/NEWS
+@@ -137,6 +137,9 @@ C-API
+ Library
+ -------
+ 
+- Issue #2254: Fix CGIHTTPServer information disclosure.  Relative paths are
+  now collapsed within the url properly before looking in cgi_directories.
+
+ - Issue #8447: Make distutils.sysconfig follow symlinks in the path to
+   the interpreter executable.  This fixes a failure of test_httpservers
+   on OS X.
diff --git a/meta/recipes-devtools/python/python_2.6.6.bb b/meta/recipes-devtools/python/python_2.6.6.bb
index 598fea8143..f71440a592 100644
--- a/meta/recipes-devtools/python/python_2.6.6.bb
+++ b/meta/recipes-devtools/python/python_2.6.6.bb
@@ -19,6 +19,7 @@ SRC_URI = "\
  file://99-ignore-optimization-flag.patch \
  ${DISTRO_SRC_URI} \
  file://multilib.patch \
+  file://security_issue_2254_fix.patch \
 "
 SRC_URI[md5sum] = "cf4e6881bb84a7ce6089e4a307f71f14"
author	Nitin A Kamble <nitin.a.kamble@intel.com>	2011-07-19 15:42:48 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2011-07-22 11:51:05 +0100
commit	9d4f709a454bb66729a629f6a9dfe3d04e068971 (patch)
tree	958a132cca71b4e9a9af695c1c6d5b98abba66a1 /meta/recipes-devtools/python
parent	a70c1f6f78a8c349dcee284d82eaec876ebc4086 (diff)
download	poky-9d4f709a454bb66729a629f6a9dfe3d04e068971.tar.gz

diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc index 25a458ef13..a6cc91789c 100644 --- a/meta/recipes-devtools/python/python.inc +++ b/meta/recipes-devtools/python/python.inc
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.python.org"
3	LICENSE = "PSF"	3	LICENSE = "PSF"
4	SECTION = "devel/python"	4	SECTION = "devel/python"
5	# bump this on every change in contrib/python/generate-manifest-2.6.py	5	# bump this on every change in contrib/python/generate-manifest-2.6.py
6	INC_PR = "nk2"	6	INC_PR = "r2"
7		7
8	DEFAULT_PREFERENCE = "-26"	8	DEFAULT_PREFERENCE = "-26"
9		9


diff --git a/meta/recipes-devtools/python/python/security_issue_2254_fix.patch b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch new file mode 100644 index 0000000000..f0328585d5 --- /dev/null +++ b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch
@@ -0,0 +1,184 @@
		1	Upstream-Status: Backport
		2	http://svn.python.org/view?view=revision&revision=71303
		3
		4	Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are
		5	now collapsed within the url properly before looking in cgi_directories.
		6	Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com>
		7	2011/07/19
		8
		9	Index: Python-2.6.6/Lib/CGIHTTPServer.py
		10	===================================================================
		11	--- Python-2.6.6.orig/Lib/CGIHTTPServer.py
		12	+++ Python-2.6.6/Lib/CGIHTTPServer.py
		13	@@ -70,27 +70,20 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
		14	return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)
		15
		16	def is_cgi(self):
		17	- """Test whether self.path corresponds to a CGI script,
		18	- and return a boolean.
		19	+ """Test whether self.path corresponds to a CGI script.
		20
		21	- This function sets self.cgi_info to a tuple (dir, rest)
		22	- when it returns True, where dir is the directory part before
		23	- the CGI script name. Note that rest begins with a
		24	- slash if it is not empty.
		25	-
		26	- The default implementation tests whether the path
		27	- begins with one of the strings in the list
		28	- self.cgi_directories (and the next character is a '/'
		29	- or the end of the string).
		30	+ Returns True and updates the cgi_info attribute to the tuple
		31	+ (dir, rest) if self.path requires running a CGI script.
		32	+ Returns False otherwise.
		33	+
		34	+ The default implementation tests whether the normalized url
		35	+ path begins with one of the strings in self.cgi_directories
		36	+ (and the next character is a '/' or the end of the string).
		37	"""
		38	-
		39	- path = self.path
		40	-
		41	- for x in self.cgi_directories:
		42	- i = len(x)
		43	- if path[:i] == x and (not path[i:] or path[i] == '/'):
		44	- self.cgi_info = path[:i], path[i+1:]
		45	- return True
		46	+ splitpath = _url_collapse_path_split(self.path)
		47	+ if splitpath[0] in self.cgi_directories:
		48	+ self.cgi_info = splitpath
		49	+ return True
		50	return False
		51
		52	cgi_directories = ['/cgi-bin', '/htbin']
		53	@@ -299,6 +292,46 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
		54	self.log_message("CGI script exited OK")
		55
		56
		57	+# TODO(gregory.p.smith): Move this into an appropriate library.
		58	+def _url_collapse_path_split(path):
		59	+ """
		60	+ Given a URL path, remove extra '/'s and '.' path elements and collapse
		61	+ any '..' references.
		62	+
		63	+ Implements something akin to RFC-2396 5.2 step 6 to parse relative paths.
		64	+
		65	+ Returns: A tuple of (head, tail) where tail is everything after the final /
		66	+ and head is everything before it. Head will always start with a '/' and,
		67	+ if it contains anything else, never have a trailing '/'.
		68	+
		69	+ Raises: IndexError if too many '..' occur within the path.
		70	+ """
		71	+ # Similar to os.path.split(os.path.normpath(path)) but specific to URL
		72	+ # path semantics rather than local operating system semantics.
		73	+ path_parts = []
		74	+ for part in path.split('/'):
		75	+ if part == '.':
		76	+ path_parts.append('')
		77	+ else:
		78	+ path_parts.append(part)
		79	+ # Filter out blank non trailing parts before consuming the '..'.
		80	+ path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:]
		81	+ if path_parts:
		82	+ tail_part = path_parts.pop()
		83	+ else:
		84	+ tail_part = ''
		85	+ head_parts = []
		86	+ for part in path_parts:
		87	+ if part == '..':
		88	+ head_parts.pop()
		89	+ else:
		90	+ head_parts.append(part)
		91	+ if tail_part and tail_part == '..':
		92	+ head_parts.pop()
		93	+ tail_part = ''
		94	+ return ('/' + '/'.join(head_parts), tail_part)
		95	+
		96	+
		97	nobody = None
		98
		99	def nobody_uid():
		100	Index: Python-2.6.6/Lib/test/test_httpservers.py
		101	===================================================================
		102	--- Python-2.6.6.orig/Lib/test/test_httpservers.py
		103	+++ Python-2.6.6/Lib/test/test_httpservers.py
		104	@@ -7,6 +7,7 @@ Josip Dzolonga, and Michael Otteneder fo
		105	from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
		106	from SimpleHTTPServer import SimpleHTTPRequestHandler
		107	from CGIHTTPServer import CGIHTTPRequestHandler
		108	+import CGIHTTPServer
		109
		110	import os
		111	import sys
		112	@@ -324,6 +325,45 @@ class CGIHTTPServerTestCase(BaseTestCase
		113	finally:
		114	BaseTestCase.tearDown(self)
		115
		116	+ def test_url_collapse_path_split(self):
		117	+ test_vectors = {
		118	+ '': ('/', ''),
		119	+ '..': IndexError,
		120	+ '/.//..': IndexError,
		121	+ '/': ('/', ''),
		122	+ '//': ('/', ''),
		123	+ '/\\': ('/', '\\'),
		124	+ '/.//': ('/', ''),
		125	+ 'cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
		126	+ '/cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
		127	+ 'a': ('/', 'a'),
		128	+ '/a': ('/', 'a'),
		129	+ '//a': ('/', 'a'),
		130	+ './a': ('/', 'a'),
		131	+ './C:/': ('/C:', ''),
		132	+ '/a/b': ('/a', 'b'),
		133	+ '/a/b/': ('/a/b', ''),
		134	+ '/a/b/c/..': ('/a/b', ''),
		135	+ '/a/b/c/../d': ('/a/b', 'd'),
		136	+ '/a/b/c/../d/e/../f': ('/a/b/d', 'f'),
		137	+ '/a/b/c/../d/e/../../f': ('/a/b', 'f'),
		138	+ '/a/b/c/../d/e/.././././..//f': ('/a/b', 'f'),
		139	+ '../a/b/c/../d/e/.././././..//f': IndexError,
		140	+ '/a/b/c/../d/e/../../../f': ('/a', 'f'),
		141	+ '/a/b/c/../d/e/../../../../f': ('/', 'f'),
		142	+ '/a/b/c/../d/e/../../../../../f': IndexError,
		143	+ '/a/b/c/../d/e/../../../../f/..': ('/', ''),
		144	+ }
		145	+ for path, expected in test_vectors.iteritems():
		146	+ if isinstance(expected, type) and issubclass(expected, Exception):
		147	+ self.assertRaises(expected,
		148	+ CGIHTTPServer._url_collapse_path_split, path)
		149	+ else:
		150	+ actual = CGIHTTPServer._url_collapse_path_split(path)
		151	+ self.assertEquals(expected, actual,
		152	+ msg='path = %r\nGot: %r\nWanted: %r' % (
		153	+ path, actual, expected))
		154	+
		155	def test_headers_and_content(self):
		156	res = self.request('/cgi-bin/file1.py')
		157	self.assertEquals(('Hello World\n', 'text/html', 200), \
		158	@@ -348,6 +388,12 @@ class CGIHTTPServerTestCase(BaseTestCase
		159	self.assertEquals(('Hello World\n', 'text/html', 200), \
		160	(res.read(), res.getheader('Content-type'), res.status))
		161
		162	+ def test_no_leading_slash(self):
		163	+ # http://bugs.python.org/issue2254
		164	+ res = self.request('cgi-bin/file1.py')
		165	+ self.assertEquals(('Hello World\n', 'text/html', 200),
		166	+ (res.read(), res.getheader('Content-type'), res.status))
		167	+
		168
		169	def test_main(verbose=None):
		170	cwd = os.getcwd()
		171	Index: Python-2.6.6/Misc/NEWS
		172	===================================================================
		173	--- Python-2.6.6.orig/Misc/NEWS
		174	+++ Python-2.6.6/Misc/NEWS
		175	@@ -137,6 +137,9 @@ C-API
		176	Library
		177	-------
		178
		179	+- Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are
		180	+ now collapsed within the url properly before looking in cgi_directories.
		181	+
		182	- Issue #8447: Make distutils.sysconfig follow symlinks in the path to
		183	the interpreter executable. This fixes a failure of test_httpservers
		184	on OS X.


diff --git a/meta/recipes-devtools/python/python_2.6.6.bb b/meta/recipes-devtools/python/python_2.6.6.bb index 598fea8143..f71440a592 100644 --- a/meta/recipes-devtools/python/python_2.6.6.bb +++ b/meta/recipes-devtools/python/python_2.6.6.bb
@@ -19,6 +19,7 @@ SRC_URI = "\
19	file://99-ignore-optimization-flag.patch \	19	file://99-ignore-optimization-flag.patch \
20	${DISTRO_SRC_URI} \	20	${DISTRO_SRC_URI} \
21	file://multilib.patch \	21	file://multilib.patch \
		22	file://security_issue_2254_fix.patch \
22	"	23	"
23		24
24	SRC_URI[md5sum] = "cf4e6881bb84a7ce6089e4a307f71f14"	25	SRC_URI[md5sum] = "cf4e6881bb84a7ce6089e4a307f71f14"