summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/python
diff options
context:
space:
mode:
authorLee Chee Yang <chee.yang.lee@intel.com>2020-10-19 20:59:56 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-10-27 22:42:20 +0000
commit002113701a6db5c2ecbcf87e222494e94aaaf05f (patch)
treedbb58b779baf1f685430dd31991096fb55ce025f /meta/recipes-devtools/python
parent781175443f55b0a8116a1f79eda0f87dd6c46b09 (diff)
downloadpoky-002113701a6db5c2ecbcf87e222494e94aaaf05f.tar.gz
python3: fix CVE-2020-26116
(From OE-Core rev: 2f607a61a820bfbc369f779c3161a339f088d04f) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/python')
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2020-26116.patch104
-rw-r--r--meta/recipes-devtools/python/python3_3.8.2.bb1
2 files changed, 105 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3/CVE-2020-26116.patch b/meta/recipes-devtools/python/python3/CVE-2020-26116.patch
new file mode 100644
index 0000000000..c019db2a76
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2020-26116.patch
@@ -0,0 +1,104 @@
1From 668d321476d974c4f51476b33aaca870272523bf Mon Sep 17 00:00:00 2001
2From: "Miss Islington (bot)"
3 <31488909+miss-islington@users.noreply.github.com>
4Date: Sat, 18 Jul 2020 13:39:12 -0700
5Subject: [PATCH] bpo-39603: Prevent header injection in http methods
6 (GH-18485)
7
8reject control chars in http method in http.client.putrequest to prevent http header injection
9(cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e)
10
11Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
12
13Upstream-Status: Backport [https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf]
14CVE: CVE-2020-26116
15Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
16
17---
18 Lib/http/client.py | 15 +++++++++++++
19 Lib/test/test_httplib.py | 22 +++++++++++++++++++
20 .../2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst | 2 ++
21 3 files changed, 39 insertions(+)
22 create mode 100644 Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
23
24diff --git a/Lib/http/client.py b/Lib/http/client.py
25index 019380a720318..c2ad0471bfee5 100644
26--- a/Lib/http/client.py
27+++ b/Lib/http/client.py
28@@ -147,6 +147,10 @@
29 # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
30 # We are more lenient for assumed real world compatibility purposes.
31
32+# These characters are not allowed within HTTP method names
33+# to prevent http header injection.
34+_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
35+
36 # We always set the Content-Length header for these methods because some
37 # servers will otherwise respond with a 411
38 _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
39@@ -1087,6 +1091,8 @@ def putrequest(self, method, url, skip_host=False,
40 else:
41 raise CannotSendRequest(self.__state)
42
43+ self._validate_method(method)
44+
45 # Save the method for use later in the response phase
46 self._method = method
47
48@@ -1177,6 +1183,15 @@ def _encode_request(self, request):
49 # ASCII also helps prevent CVE-2019-9740.
50 return request.encode('ascii')
51
52+ def _validate_method(self, method):
53+ """Validate a method name for putrequest."""
54+ # prevent http header injection
55+ match = _contains_disallowed_method_pchar_re.search(method)
56+ if match:
57+ raise ValueError(
58+ f"method can't contain control characters. {method!r} "
59+ f"(found at least {match.group()!r})")
60+
61 def _validate_path(self, url):
62 """Validate a url for putrequest."""
63 # Prevent CVE-2019-9740.
64diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
65index 8f0e27a1fb836..5a5fcecbc9c15 100644
66--- a/Lib/test/test_httplib.py
67+++ b/Lib/test/test_httplib.py
68@@ -364,6 +364,28 @@ def test_headers_debuglevel(self):
69 self.assertEqual(lines[3], "header: Second: val2")
70
71
72+class HttpMethodTests(TestCase):
73+ def test_invalid_method_names(self):
74+ methods = (
75+ 'GET\r',
76+ 'POST\n',
77+ 'PUT\n\r',
78+ 'POST\nValue',
79+ 'POST\nHOST:abc',
80+ 'GET\nrHost:abc\n',
81+ 'POST\rRemainder:\r',
82+ 'GET\rHOST:\n',
83+ '\nPUT'
84+ )
85+
86+ for method in methods:
87+ with self.assertRaisesRegex(
88+ ValueError, "method can't contain control characters"):
89+ conn = client.HTTPConnection('example.com')
90+ conn.sock = FakeSocket(None)
91+ conn.request(method=method, url="/")
92+
93+
94 class TransferEncodingTest(TestCase):
95 expected_body = b"It's just a flesh wound"
96
97diff --git a/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
98new file mode 100644
99index 0000000000000..990affc3edd9d
100--- /dev/null
101+++ b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
102@@ -0,0 +1,2 @@
103+Prevent http header injection by rejecting control characters in
104+http.client.putrequest(...).
diff --git a/meta/recipes-devtools/python/python3_3.8.2.bb b/meta/recipes-devtools/python/python3_3.8.2.bb
index 99d9f6748f..169bc87988 100644
--- a/meta/recipes-devtools/python/python3_3.8.2.bb
+++ b/meta/recipes-devtools/python/python3_3.8.2.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
34 file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \ 34 file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
35 file://0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch \ 35 file://0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch \
36 file://CVE-2020-14422.patch \ 36 file://CVE-2020-14422.patch \
37 file://CVE-2020-26116.patch \
37 " 38 "
38 39
39SRC_URI_append_class-native = " \ 40SRC_URI_append_class-native = " \