diff options
author | Anuj Mittal <anuj.mittal@intel.com> | 2019-07-31 12:54:54 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-31 23:03:01 +0100 |
commit | a6854bc41bcdadce50a5c1aec8baa9ab52567030 (patch) | |
tree | 0a30e8019c95d3540b02e72e079bef8ad65d4ba3 /meta/recipes-devtools/python | |
parent | da6a60239853300466cee05d9fa9ab30ea223e33 (diff) | |
download | poky-a6854bc41bcdadce50a5c1aec8baa9ab52567030.tar.gz |
python: fix CVE-2018-20852
(From OE-Core rev: 04fc80b2c77a177601584500f0f3048d80095ad7)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/python')
-rw-r--r-- | meta/recipes-devtools/python/python.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python/CVE-2018-20852.patch | 123 |
2 files changed, 124 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc index 8d0e90862c..70481002bb 100644 --- a/meta/recipes-devtools/python/python.inc +++ b/meta/recipes-devtools/python/python.inc | |||
@@ -13,6 +13,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ | |||
13 | file://bpo-36216-cve-2019-9636.patch \ | 13 | file://bpo-36216-cve-2019-9636.patch \ |
14 | file://bpo-36216-cve-2019-9636-fix.patch \ | 14 | file://bpo-36216-cve-2019-9636-fix.patch \ |
15 | file://CVE-2019-9740.patch \ | 15 | file://CVE-2019-9740.patch \ |
16 | file://CVE-2018-20852.patch \ | ||
16 | " | 17 | " |
17 | 18 | ||
18 | SRC_URI[md5sum] = "30157d85a2c0479c09ea2cbe61f2aaf5" | 19 | SRC_URI[md5sum] = "30157d85a2c0479c09ea2cbe61f2aaf5" |
diff --git a/meta/recipes-devtools/python/python/CVE-2018-20852.patch b/meta/recipes-devtools/python/python/CVE-2018-20852.patch new file mode 100644 index 0000000000..23c784a210 --- /dev/null +++ b/meta/recipes-devtools/python/python/CVE-2018-20852.patch | |||
@@ -0,0 +1,123 @@ | |||
1 | From 979daae300916adb399ab5b51410b6ebd0888f13 Mon Sep 17 00:00:00 2001 | ||
2 | From: Xtreak <tir.karthi@gmail.com> | ||
3 | Date: Sat, 15 Jun 2019 20:59:43 +0530 | ||
4 | Subject: [PATCH] [2.7] bpo-35121: prefix dot in domain for proper subdomain | ||
5 | validation (GH-10258) (GH-13426) | ||
6 | |||
7 | This is a manual backport of ca7fe5063593958e5efdf90f068582837f07bd14 since 2.7 has `http.cookiejar` in `cookielib` | ||
8 | |||
9 | |||
10 | https://bugs.python.org/issue35121 | ||
11 | CVE: CVE-2018-20852 | ||
12 | Upstream-Status: Backport [https://github.com/python/cpython/pull/13426] | ||
13 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
14 | --- | ||
15 | Lib/cookielib.py | 13 ++++++-- | ||
16 | Lib/test/test_cookielib.py | 30 +++++++++++++++++++ | ||
17 | .../2019-05-20-00-35-12.bpo-35121.RRi-HU.rst | 4 +++ | ||
18 | 3 files changed, 45 insertions(+), 2 deletions(-) | ||
19 | create mode 100644 Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst | ||
20 | |||
21 | diff --git a/Lib/cookielib.py b/Lib/cookielib.py | ||
22 | index 2dd7c48728e0..0b471a42f296 100644 | ||
23 | --- a/Lib/cookielib.py | ||
24 | +++ b/Lib/cookielib.py | ||
25 | @@ -1139,6 +1139,11 @@ def return_ok_domain(self, cookie, request): | ||
26 | req_host, erhn = eff_request_host(request) | ||
27 | domain = cookie.domain | ||
28 | |||
29 | + if domain and not domain.startswith("."): | ||
30 | + dotdomain = "." + domain | ||
31 | + else: | ||
32 | + dotdomain = domain | ||
33 | + | ||
34 | # strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't | ||
35 | if (cookie.version == 0 and | ||
36 | (self.strict_ns_domain & self.DomainStrictNonDomain) and | ||
37 | @@ -1151,7 +1156,7 @@ def return_ok_domain(self, cookie, request): | ||
38 | _debug(" effective request-host name %s does not domain-match " | ||
39 | "RFC 2965 cookie domain %s", erhn, domain) | ||
40 | return False | ||
41 | - if cookie.version == 0 and not ("."+erhn).endswith(domain): | ||
42 | + if cookie.version == 0 and not ("."+erhn).endswith(dotdomain): | ||
43 | _debug(" request-host %s does not match Netscape cookie domain " | ||
44 | "%s", req_host, domain) | ||
45 | return False | ||
46 | @@ -1165,7 +1170,11 @@ def domain_return_ok(self, domain, request): | ||
47 | req_host = "."+req_host | ||
48 | if not erhn.startswith("."): | ||
49 | erhn = "."+erhn | ||
50 | - if not (req_host.endswith(domain) or erhn.endswith(domain)): | ||
51 | + if domain and not domain.startswith("."): | ||
52 | + dotdomain = "." + domain | ||
53 | + else: | ||
54 | + dotdomain = domain | ||
55 | + if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)): | ||
56 | #_debug(" request domain %s does not match cookie domain %s", | ||
57 | # req_host, domain) | ||
58 | return False | ||
59 | diff --git a/Lib/test/test_cookielib.py b/Lib/test/test_cookielib.py | ||
60 | index f2dd9727d137..7f7ff614d61d 100644 | ||
61 | --- a/Lib/test/test_cookielib.py | ||
62 | +++ b/Lib/test/test_cookielib.py | ||
63 | @@ -368,6 +368,7 @@ def test_domain_return_ok(self): | ||
64 | ("http://foo.bar.com/", ".foo.bar.com", True), | ||
65 | ("http://foo.bar.com/", "foo.bar.com", True), | ||
66 | ("http://foo.bar.com/", ".bar.com", True), | ||
67 | + ("http://foo.bar.com/", "bar.com", True), | ||
68 | ("http://foo.bar.com/", "com", True), | ||
69 | ("http://foo.com/", "rhubarb.foo.com", False), | ||
70 | ("http://foo.com/", ".foo.com", True), | ||
71 | @@ -378,6 +379,8 @@ def test_domain_return_ok(self): | ||
72 | ("http://foo/", "foo", True), | ||
73 | ("http://foo/", "foo.local", True), | ||
74 | ("http://foo/", ".local", True), | ||
75 | + ("http://barfoo.com", ".foo.com", False), | ||
76 | + ("http://barfoo.com", "foo.com", False), | ||
77 | ]: | ||
78 | request = urllib2.Request(url) | ||
79 | r = pol.domain_return_ok(domain, request) | ||
80 | @@ -938,6 +941,33 @@ def test_domain_block(self): | ||
81 | c.add_cookie_header(req) | ||
82 | self.assertFalse(req.has_header("Cookie")) | ||
83 | |||
84 | + c.clear() | ||
85 | + | ||
86 | + pol.set_blocked_domains([]) | ||
87 | + req = Request("http://acme.com/") | ||
88 | + res = FakeResponse(headers, "http://acme.com/") | ||
89 | + cookies = c.make_cookies(res, req) | ||
90 | + c.extract_cookies(res, req) | ||
91 | + self.assertEqual(len(c), 1) | ||
92 | + | ||
93 | + req = Request("http://acme.com/") | ||
94 | + c.add_cookie_header(req) | ||
95 | + self.assertTrue(req.has_header("Cookie")) | ||
96 | + | ||
97 | + req = Request("http://badacme.com/") | ||
98 | + c.add_cookie_header(req) | ||
99 | + self.assertFalse(pol.return_ok(cookies[0], req)) | ||
100 | + self.assertFalse(req.has_header("Cookie")) | ||
101 | + | ||
102 | + p = pol.set_blocked_domains(["acme.com"]) | ||
103 | + req = Request("http://acme.com/") | ||
104 | + c.add_cookie_header(req) | ||
105 | + self.assertFalse(req.has_header("Cookie")) | ||
106 | + | ||
107 | + req = Request("http://badacme.com/") | ||
108 | + c.add_cookie_header(req) | ||
109 | + self.assertFalse(req.has_header("Cookie")) | ||
110 | + | ||
111 | def test_secure(self): | ||
112 | from cookielib import CookieJar, DefaultCookiePolicy | ||
113 | |||
114 | diff --git a/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst | ||
115 | new file mode 100644 | ||
116 | index 000000000000..77251806163b | ||
117 | --- /dev/null | ||
118 | +++ b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst | ||
119 | @@ -0,0 +1,4 @@ | ||
120 | +Don't send cookies of domain A without Domain attribute to domain B when | ||
121 | +domain A is a suffix match of domain B while using a cookiejar with | ||
122 | +:class:`cookielib.DefaultCookiePolicy` policy. Patch by Karthikeyan | ||
123 | +Singaravelan. | ||