diff options
author | Changqing Li <changqing.li@windriver.com> | 2019-10-29 10:47:27 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-10-30 13:47:54 +0000 |
commit | f29207ae997e829fcdf781ce3b566c96da3c9390 (patch) | |
tree | 441144cb571a10a6bbff9c64d1d408c3a4f642bc /meta/recipes-devtools/python | |
parent | 0e55cd3815cd47d5f3d7de51dfccc14cbeb1250d (diff) | |
download | poky-f29207ae997e829fcdf781ce3b566c96da3c9390.tar.gz |
python: Fix CVE-2019-10160
(From OE-Core rev: 23d48f2bea2d358bd8d7d4efd07792bc1f3666bd)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit b4240b585d7fcac2fdbf33a8e72d48cb732eb696)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 10d87a3085665a959a5fda64ae3895cb27ddf343)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/python')
-rw-r--r-- | meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch | 81 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python_2.7.16.bb | 1 |
2 files changed, 82 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch b/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch new file mode 100644 index 0000000000..1b6cb8cf3e --- /dev/null +++ b/meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch | |||
@@ -0,0 +1,81 @@ | |||
1 | From 5a1033fe5be764a135adcfff2fdc14edc3e5f327 Mon Sep 17 00:00:00 2001 | ||
2 | From: Changqing Li <changqing.li@windriver.com> | ||
3 | Date: Thu, 10 Oct 2019 16:32:19 +0800 | ||
4 | Subject: [PATCH] bpo-36742: Fixes handling of pre-normalization characters in | ||
5 | urlsplit() bpo-36742: Corrects fix to handle decomposition in usernames | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | |||
9 | https://github.com/python/cpython/commit/98a4dcefbbc3bce5ab07e7c0830a183157250259 | ||
10 | https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de#diff-b577545d73dd0cdb2c337a4c5f89e1d7 | ||
11 | |||
12 | CVE: CVE-2019-10160 | ||
13 | |||
14 | Signed-off-by: Changqing Li <changqing.li@windriver.com> | ||
15 | --- | ||
16 | Lib/test/test_urlparse.py | 19 +++++++++++++------ | ||
17 | Lib/urlparse.py | 14 +++++++++----- | ||
18 | 2 files changed, 22 insertions(+), 11 deletions(-) | ||
19 | |||
20 | diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py | ||
21 | index 1830d0b..857ed96 100644 | ||
22 | --- a/Lib/test/test_urlparse.py | ||
23 | +++ b/Lib/test/test_urlparse.py | ||
24 | @@ -641,13 +641,20 @@ class UrlParseTestCase(unittest.TestCase): | ||
25 | self.assertIn(u'\u2100', denorm_chars) | ||
26 | self.assertIn(u'\uFF03', denorm_chars) | ||
27 | |||
28 | + # bpo-36742: Verify port separators are ignored when they | ||
29 | + # existed prior to decomposition | ||
30 | + urlparse.urlsplit(u'http://\u30d5\u309a:80') | ||
31 | + with self.assertRaises(ValueError): | ||
32 | + urlparse.urlsplit(u'http://\u30d5\u309a\ufe1380') | ||
33 | + | ||
34 | for scheme in [u"http", u"https", u"ftp"]: | ||
35 | - for c in denorm_chars: | ||
36 | - url = u"{}://netloc{}false.netloc/path".format(scheme, c) | ||
37 | - if test_support.verbose: | ||
38 | - print "Checking %r" % url | ||
39 | - with self.assertRaises(ValueError): | ||
40 | - urlparse.urlsplit(url) | ||
41 | + for netloc in [u"netloc{}false.netloc", u"n{}user@netloc"]: | ||
42 | + for c in denorm_chars: | ||
43 | + url = u"{}://{}/path".format(scheme, netloc.format(c)) | ||
44 | + if test_support.verbose: | ||
45 | + print "Checking %r" % url | ||
46 | + with self.assertRaises(ValueError): | ||
47 | + urlparse.urlsplit(url) | ||
48 | |||
49 | def test_main(): | ||
50 | test_support.run_unittest(UrlParseTestCase) | ||
51 | diff --git a/Lib/urlparse.py b/Lib/urlparse.py | ||
52 | index 54eda08..e34b368 100644 | ||
53 | --- a/Lib/urlparse.py | ||
54 | +++ b/Lib/urlparse.py | ||
55 | @@ -171,14 +171,18 @@ def _checknetloc(netloc): | ||
56 | # looking for characters like \u2100 that expand to 'a/c' | ||
57 | # IDNA uses NFKC equivalence, so normalize for this check | ||
58 | import unicodedata | ||
59 | - netloc2 = unicodedata.normalize('NFKC', netloc) | ||
60 | - if netloc == netloc2: | ||
61 | + n = netloc.replace(u'@', u'') # ignore characters already included | ||
62 | + n = n.replace(u':', u'') # but not the surrounding text | ||
63 | + n = n.replace(u'#', u'') | ||
64 | + n = n.replace(u'?', u'') | ||
65 | + | ||
66 | + netloc2 = unicodedata.normalize('NFKC', n) | ||
67 | + if n == netloc2: | ||
68 | return | ||
69 | - _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay | ||
70 | for c in '/?#@:': | ||
71 | if c in netloc2: | ||
72 | - raise ValueError("netloc '" + netloc2 + "' contains invalid " + | ||
73 | - "characters under NFKC normalization") | ||
74 | + raise ValueError(u"netloc '" + netloc + u"' contains invalid " + | ||
75 | + u"characters under NFKC normalization") | ||
76 | |||
77 | def urlsplit(url, scheme='', allow_fragments=True): | ||
78 | """Parse a URL into 5 components: | ||
79 | -- | ||
80 | 2.7.4 | ||
81 | |||
diff --git a/meta/recipes-devtools/python/python_2.7.16.bb b/meta/recipes-devtools/python/python_2.7.16.bb index b263e7214c..1c7c58199f 100644 --- a/meta/recipes-devtools/python/python_2.7.16.bb +++ b/meta/recipes-devtools/python/python_2.7.16.bb | |||
@@ -31,6 +31,7 @@ SRC_URI += " \ | |||
31 | file://float-endian.patch \ | 31 | file://float-endian.patch \ |
32 | file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \ | 32 | file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \ |
33 | file://0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \ | 33 | file://0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \ |
34 | file://bpo-36742-cve-2019-10160.patch \ | ||
34 | " | 35 | " |
35 | 36 | ||
36 | S = "${WORKDIR}/Python-${PV}" | 37 | S = "${WORKDIR}/Python-${PV}" |