python3: upgrade 3.8.2 -> 3.8.3

(From OE-Core rev: 01dafe1796a5c91ce12b344ee09e7179f6b4ccac) Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Alexander Kanavin <alex.kanavin@gmail.com> 2020-05-31 17:52:00 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-06-04 13:27:29 +0100
commit: 2d294c11275a1a4b5b0147d5c3e42759046a4e7d (patch)
tree: 66b66d5b59ce34e32d5ec9fa47480a41425aa3bf /meta/recipes-devtools/python
parent: 6a88c7698af9c5e10391cd85ed90197292219baf (diff)
download: poky-2d294c11275a1a4b5b0147d5c3e42759046a4e7d.tar.gz
5 files changed, 7 insertions, 258 deletions
diff --git a/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch b/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
deleted file mode 100644
index e16b99bcb9..0000000000
--- a/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
+++ /dev/null
@@ -1,248 +0,0 @@
-From 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4 Mon Sep 17 00:00:00 2001
-From: Victor Stinner <vstinner@python.org>
-Date: Thu, 2 Apr 2020 02:52:20 +0200
-Subject: [PATCH] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler
- (GH-18284)
-Upstream-Status: Backport
-(https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)
-CVE: CVE-2020-8492
-The AbstractBasicAuthHandler class of the urllib.request module uses
-an inefficient regular expression which can be exploited by an
-attacker to cause a denial of service. Fix the regex to prevent the
-catastrophic backtracking. Vulnerability reported by Ben Caller
-and Matt Schwager.
-AbstractBasicAuthHandler of urllib.request now parses all
-WWW-Authenticate HTTP headers and accepts multiple challenges per
-header: use the realm of the first Basic challenge.
-Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
-Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
---
- Lib/test/test_urllib2.py                      | 90 ++++++++++++-------
- Lib/urllib/request.py                         | 69 ++++++++++----
- .../2020-03-25-16-02-16.bpo-39503.YmMbYn.rst  |  3 +
- .../2020-01-30-16-15-29.bpo-39503.B299Yq.rst  |  5 ++
- 4 files changed, 115 insertions(+), 52 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
- create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
-diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
-index 8abedaac98..e69ac3e213 100644
--- a/Lib/test/test_urllib2.py
-+++ b/Lib/test/test_urllib2.py
-@@ -1446,40 +1446,64 @@ class HandlerTests(unittest.TestCase):
-         bypass = {'exclude_simple': True, 'exceptions': []}
-         self.assertTrue(_proxy_bypass_macosx_sysconf('test', bypass))
- 
-    def test_basic_auth(self, quote_char='"'):
-        opener = OpenerDirector()
-        password_manager = MockPasswordManager()
-        auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
-        realm = "ACME Widget Store"
-        http_handler = MockHTTPHandler(
-            401, 'WWW-Authenticate: Basic realm=%s%s%s\r\n\r\n' %
-            (quote_char, realm, quote_char))
-        opener.add_handler(auth_handler)
-        opener.add_handler(http_handler)
-        self._test_basic_auth(opener, auth_handler, "Authorization",
-                              realm, http_handler, password_manager,
-                              "http://acme.example.com/protected",
-                              "http://acme.example.com/protected",
-                              )
-
-    def test_basic_auth_with_single_quoted_realm(self):
-        self.test_basic_auth(quote_char="'")
-
-    def test_basic_auth_with_unquoted_realm(self):
-        opener = OpenerDirector()
-        password_manager = MockPasswordManager()
-        auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
-        realm = "ACME Widget Store"
-        http_handler = MockHTTPHandler(
-            401, 'WWW-Authenticate: Basic realm=%s\r\n\r\n' % realm)
-        opener.add_handler(auth_handler)
-        opener.add_handler(http_handler)
-        with self.assertWarns(UserWarning):
-+    def check_basic_auth(self, headers, realm):
-+        with self.subTest(realm=realm, headers=headers):
-+            opener = OpenerDirector()
-+            password_manager = MockPasswordManager()
-+            auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
-+            body = '\r\n'.join(headers) + '\r\n\r\n'
-+            http_handler = MockHTTPHandler(401, body)
-+            opener.add_handler(auth_handler)
-+            opener.add_handler(http_handler)
-             self._test_basic_auth(opener, auth_handler, "Authorization",
-                                realm, http_handler, password_manager,
-                                "http://acme.example.com/protected",
-                                "http://acme.example.com/protected",
-                                )
-+                                  realm, http_handler, password_manager,
-+                                  "http://acme.example.com/protected",
-+                                  "http://acme.example.com/protected")
-+
-+    def test_basic_auth(self):
-+        realm = "realm2@example.com"
-+        realm2 = "realm2@example.com"
-+        basic = f'Basic realm="{realm}"'
-+        basic2 = f'Basic realm="{realm2}"'
-+        other_no_realm = 'Otherscheme xxx'
-+        digest = (f'Digest realm="{realm2}", '
-+                  f'qop="auth, auth-int", '
-+                  f'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
-+                  f'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
-+        for realm_str in (
-+            # test "quote" and 'quote'
-+            f'Basic realm="{realm}"',
-+            f"Basic realm='{realm}'",
-+
-+            # charset is ignored
-+            f'Basic realm="{realm}", charset="UTF-8"',
-+
-+            # Multiple challenges per header
-+            f'{basic}, {basic2}',
-+            f'{basic}, {other_no_realm}',
-+            f'{other_no_realm}, {basic}',
-+            f'{basic}, {digest}',
-+            f'{digest}, {basic}',
-+        ):
-+            headers = [f'WWW-Authenticate: {realm_str}']
-+            self.check_basic_auth(headers, realm)
-+
-+        # no quote: expect a warning
-+        with support.check_warnings(("Basic Auth Realm was unquoted",
-+                                     UserWarning)):
-+            headers = [f'WWW-Authenticate: Basic realm={realm}']
-+            self.check_basic_auth(headers, realm)
-+
-+        # Multiple headers: one challenge per header.
-+        # Use the first Basic realm.
-+        for challenges in (
-+            [basic,  basic2],
-+            [basic,  digest],
-+            [digest, basic],
-+        ):
-+            headers = [f'WWW-Authenticate: {challenge}'
-+                       for challenge in challenges]
-+            self.check_basic_auth(headers, realm)
- 
-     def test_proxy_basic_auth(self):
-         opener = OpenerDirector()
-diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
-index 7fe50535da..2a3d71554f 100644
--- a/Lib/urllib/request.py
-+++ b/Lib/urllib/request.py
-@@ -937,8 +937,15 @@ class AbstractBasicAuthHandler:
- 
-     # allow for double- and single-quoted realm values
-     # (single quotes are a violation of the RFC, but appear in the wild)
-    rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
-                    'realm=(["\']?)([^"\']*)\\2', re.I)
-+    rx = re.compile('(?:^|,)'   # start of the string or ','
-+                    '[ \t]*'    # optional whitespaces
-+                    '([^ \t]+)' # scheme like "Basic"
-+                    '[ \t]+'    # mandatory whitespaces
-+                    # realm=xxx
-+                    # realm='xxx'
-+                    # realm="xxx"
-+                    'realm=(["\']?)([^"\']*)\\2',
-+                    re.I)
- 
-     # XXX could pre-emptively send auth info already accepted (RFC 2617,
-     # end of section 2, and section 1.2 immediately after "credentials"
-@@ -950,27 +957,51 @@ class AbstractBasicAuthHandler:
-         self.passwd = password_mgr
-         self.add_password = self.passwd.add_password
- 
-+    def _parse_realm(self, header):
-+        # parse WWW-Authenticate header: accept multiple challenges per header
-+        found_challenge = False
-+        for mo in AbstractBasicAuthHandler.rx.finditer(header):
-+            scheme, quote, realm = mo.groups()
-+            if quote not in ['"', "'"]:
-+                warnings.warn("Basic Auth Realm was unquoted",
-+                              UserWarning, 3)
-+
-+            yield (scheme, realm)
-+
-+            found_challenge = True
-+
-+        if not found_challenge:
-+            if header:
-+                scheme = header.split()[0]
-+            else:
-+                scheme = ''
-+            yield (scheme, None)
-+
-     def http_error_auth_reqed(self, authreq, host, req, headers):
-         # host may be an authority (without userinfo) or a URL with an
-         # authority
-        # XXX could be multiple headers
-        authreq = headers.get(authreq, None)
-+        headers = headers.get_all(authreq)
-+        if not headers:
-+            # no header found
-+            return
- 
-        if authreq:
-            scheme = authreq.split()[0]
-            if scheme.lower() != 'basic':
-                raise ValueError("AbstractBasicAuthHandler does not"
-                                 " support the following scheme: '%s'" %
-                                 scheme)
-            else:
-                mo = AbstractBasicAuthHandler.rx.search(authreq)
-                if mo:
-                    scheme, quote, realm = mo.groups()
-                    if quote not in ['"',"'"]:
-                        warnings.warn("Basic Auth Realm was unquoted",
-                                      UserWarning, 2)
-                    if scheme.lower() == 'basic':
-                        return self.retry_http_basic_auth(host, req, realm)
-+        unsupported = None
-+        for header in headers:
-+            for scheme, realm in self._parse_realm(header):
-+                if scheme.lower() != 'basic':
-+                    unsupported = scheme
-+                    continue
-+
-+                if realm is not None:
-+                    # Use the first matching Basic challenge.
-+                    # Ignore following challenges even if they use the Basic
-+                    # scheme.
-+                    return self.retry_http_basic_auth(host, req, realm)
-+
-+        if unsupported is not None:
-+            raise ValueError("AbstractBasicAuthHandler does not "
-+                             "support the following scheme: %r"
-+                             % (scheme,))
- 
-     def retry_http_basic_auth(self, host, req, realm):
-         user, pw = self.passwd.find_user_password(realm, host)
-diff --git a/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
-new file mode 100644
-index 0000000000..be80ce79d9
--- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
-@@ -0,0 +1,3 @@
-+:class:`~urllib.request.AbstractBasicAuthHandler` of :mod:`urllib.request`
-+now parses all WWW-Authenticate HTTP headers and accepts multiple challenges
-+per header: use the realm of the first Basic challenge.
-diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
-new file mode 100644
-index 0000000000..9f2800581c
--- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
-@@ -0,0 +1,5 @@
-+CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
-+:mod:`urllib.request` module uses an inefficient regular expression which can
-+be exploited by an attacker to cause a denial of service. Fix the regex to
-+prevent the catastrophic backtracking. Vulnerability reported by Ben Caller
-+and Matt Schwager.
-- 
-2.24.1
diff --git a/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch b/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch
index acf8e1e9b5..3e471b9a49 100644
--- a/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch
+++ b/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch
@@ -1,16 +1,17 @@
-From 85e8f86ad2b7dec0848cd55b8e810a5e2722b20a Mon Sep 17 00:00:00 2001
+From b880e78bf4a1852e260188e6df3ec6034403d2fc Mon Sep 17 00:00:00 2001
 From: Jeremy Puhlman <jpuhlman@mvista.com>
 Date: Wed, 4 Mar 2020 00:06:42 +0000
 Subject: [PATCH] Don't search system for headers/libraries
 Upstream-Status: Inappropriate [oe-core specific]
 Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
 ---
 setup.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/setup.py b/setup.py
-index 9da1b3a..59782c0 100644
+index 7208cd0..c0bd0ad 100644
 --- a/setup.py
 +++ b/setup.py
 @@ -674,8 +674,8 @@ class PyBuildExt(build_ext):
@@ -24,6 +25,3 @@ index 9da1b3a..59782c0 100644
         # lib_dirs and inc_dirs are used to search for files;
         # if a file is found in one of those directories, it can
         # be assumed that no additional -I,-L directives are needed.
-- 
-2.24.1
diff --git a/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch b/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch
index e7af3c6f5c..2b68c0acc2 100644
--- a/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch
+++ b/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch
@@ -1,4 +1,4 @@
-From 7ada9c749f6beb51c13a3debc850755e911548a6 Mon Sep 17 00:00:00 2001
+From bc59d49efff41051034d7fbf5d0c8505e4c3134b Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin <alex.kanavin@gmail.com>
 Date: Thu, 31 Jan 2019 16:46:30 +0100
 Subject: [PATCH] distutils/sysconfig: append
diff --git a/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch b/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch
index 61ac3e71dc..820fb98ed8 100644
--- a/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch
+++ b/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch
@@ -1,4 +1,4 @@
-From 251347fc970a397a9cd63ed3f87c5e6c52e15187 Mon Sep 17 00:00:00 2001
+From 064187668fcbefdd39a8cde372bf651124c3e578 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Tue, 14 May 2013 15:00:26 -0700
 Subject: [PATCH] python3: Add target and native recipes
diff --git a/meta/recipes-devtools/python/python3_3.8.2.bb b/meta/recipes-devtools/python/python3_3.8.3.bb
index 0474f07214..4367923b55 100644
--- a/meta/recipes-devtools/python/python3_3.8.2.bb
+++ b/meta/recipes-devtools/python/python3_3.8.3.bb
@@ -32,7 +32,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
           file://0001-configure.ac-fix-LIBPL.patch \
           file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \
           file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
-           file://0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch \
           "
 SRC_URI_append_class-native = " \
@@ -41,8 +40,8 @@ SRC_URI_append_class-native = " \
           file://0001-Don-t-search-system-for-headers-libraries.patch \
           "
-SRC_URI[md5sum] = "e9d6ebc92183a177b8e8a58cad5b8d67"
+SRC_URI[md5sum] = "3000cf50aaa413052aef82fd2122ca78"
-SRC_URI[sha256sum] = "2646e7dc233362f59714c6193017bb2d6f7b38d6ab4a0cb5fbac5c36c4d845df"
+SRC_URI[sha256sum] = "dfab5ec723c218082fe3d5d7ae17ecbdebffa9a1aea4d64aa3a2ecdd2e795864"
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
author	Alexander Kanavin <alex.kanavin@gmail.com>	2020-05-31 17:52:00 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-06-04 13:27:29 +0100
commit	2d294c11275a1a4b5b0147d5c3e42759046a4e7d (patch)
tree	66b66d5b59ce34e32d5ec9fa47480a41425aa3bf /meta/recipes-devtools/python
parent	6a88c7698af9c5e10391cd85ed90197292219baf (diff)
download	poky-2d294c11275a1a4b5b0147d5c3e42759046a4e7d.tar.gz

diff --git a/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch b/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch deleted file mode 100644 index e16b99bcb9..0000000000 --- a/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch +++ /dev/null
@@ -1,248 +0,0 @@
1	From 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4 Mon Sep 17 00:00:00 2001
2	From: Victor Stinner <vstinner@python.org>
3	Date: Thu, 2 Apr 2020 02:52:20 +0200
4	Subject: [PATCH] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler
5	(GH-18284)
6
7	Upstream-Status: Backport
8	(https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)
9
10	CVE: CVE-2020-8492
11
12	The AbstractBasicAuthHandler class of the urllib.request module uses
13	an inefficient regular expression which can be exploited by an
14	attacker to cause a denial of service. Fix the regex to prevent the
15	catastrophic backtracking. Vulnerability reported by Ben Caller
16	and Matt Schwager.
17
18	AbstractBasicAuthHandler of urllib.request now parses all
19	WWW-Authenticate HTTP headers and accepts multiple challenges per
20	header: use the realm of the first Basic challenge.
21
22	Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
23	Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
24	---
25	Lib/test/test_urllib2.py \| 90 ++++++++++++-------
26	Lib/urllib/request.py \| 69 ++++++++++----
27	.../2020-03-25-16-02-16.bpo-39503.YmMbYn.rst \| 3 +
28	.../2020-01-30-16-15-29.bpo-39503.B299Yq.rst \| 5 ++
29	4 files changed, 115 insertions(+), 52 deletions(-)
30	create mode 100644 Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
31	create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
32
33	diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
34	index 8abedaac98..e69ac3e213 100644
35	--- a/Lib/test/test_urllib2.py
36	+++ b/Lib/test/test_urllib2.py
37	@@ -1446,40 +1446,64 @@ class HandlerTests(unittest.TestCase):
38	bypass = {'exclude_simple': True, 'exceptions': []}
39	self.assertTrue(_proxy_bypass_macosx_sysconf('test', bypass))
40
41	- def test_basic_auth(self, quote_char='"'):
42	- opener = OpenerDirector()
43	- password_manager = MockPasswordManager()
44	- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
45	- realm = "ACME Widget Store"
46	- http_handler = MockHTTPHandler(
47	- 401, 'WWW-Authenticate: Basic realm=%s%s%s\r\n\r\n' %
48	- (quote_char, realm, quote_char))
49	- opener.add_handler(auth_handler)
50	- opener.add_handler(http_handler)
51	- self._test_basic_auth(opener, auth_handler, "Authorization",
52	- realm, http_handler, password_manager,
53	- "http://acme.example.com/protected",
54	- "http://acme.example.com/protected",
55	- )
56	-
57	- def test_basic_auth_with_single_quoted_realm(self):
58	- self.test_basic_auth(quote_char="'")
59	-
60	- def test_basic_auth_with_unquoted_realm(self):
61	- opener = OpenerDirector()
62	- password_manager = MockPasswordManager()
63	- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
64	- realm = "ACME Widget Store"
65	- http_handler = MockHTTPHandler(
66	- 401, 'WWW-Authenticate: Basic realm=%s\r\n\r\n' % realm)
67	- opener.add_handler(auth_handler)
68	- opener.add_handler(http_handler)
69	- with self.assertWarns(UserWarning):
70	+ def check_basic_auth(self, headers, realm):
71	+ with self.subTest(realm=realm, headers=headers):
72	+ opener = OpenerDirector()
73	+ password_manager = MockPasswordManager()
74	+ auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
75	+ body = '\r\n'.join(headers) + '\r\n\r\n'
76	+ http_handler = MockHTTPHandler(401, body)
77	+ opener.add_handler(auth_handler)
78	+ opener.add_handler(http_handler)
79	self._test_basic_auth(opener, auth_handler, "Authorization",
80	- realm, http_handler, password_manager,
81	- "http://acme.example.com/protected",
82	- "http://acme.example.com/protected",
83	- )
84	+ realm, http_handler, password_manager,
85	+ "http://acme.example.com/protected",
86	+ "http://acme.example.com/protected")
87	+
88	+ def test_basic_auth(self):
89	+ realm = "realm2@example.com"
90	+ realm2 = "realm2@example.com"
91	+ basic = f'Basic realm="{realm}"'
92	+ basic2 = f'Basic realm="{realm2}"'
93	+ other_no_realm = 'Otherscheme xxx'
94	+ digest = (f'Digest realm="{realm2}", '
95	+ f'qop="auth, auth-int", '
96	+ f'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
97	+ f'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
98	+ for realm_str in (
99	+ # test "quote" and 'quote'
100	+ f'Basic realm="{realm}"',
101	+ f"Basic realm='{realm}'",
102	+
103	+ # charset is ignored
104	+ f'Basic realm="{realm}", charset="UTF-8"',
105	+
106	+ # Multiple challenges per header
107	+ f'{basic}, {basic2}',
108	+ f'{basic}, {other_no_realm}',
109	+ f'{other_no_realm}, {basic}',
110	+ f'{basic}, {digest}',
111	+ f'{digest}, {basic}',
112	+ ):
113	+ headers = [f'WWW-Authenticate: {realm_str}']
114	+ self.check_basic_auth(headers, realm)
115	+
116	+ # no quote: expect a warning
117	+ with support.check_warnings(("Basic Auth Realm was unquoted",
118	+ UserWarning)):
119	+ headers = [f'WWW-Authenticate: Basic realm={realm}']
120	+ self.check_basic_auth(headers, realm)
121	+
122	+ # Multiple headers: one challenge per header.
123	+ # Use the first Basic realm.
124	+ for challenges in (
125	+ [basic, basic2],
126	+ [basic, digest],
127	+ [digest, basic],
128	+ ):
129	+ headers = [f'WWW-Authenticate: {challenge}'
130	+ for challenge in challenges]
131	+ self.check_basic_auth(headers, realm)
132
133	def test_proxy_basic_auth(self):
134	opener = OpenerDirector()
135	diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
136	index 7fe50535da..2a3d71554f 100644
137	--- a/Lib/urllib/request.py
138	+++ b/Lib/urllib/request.py
139	@@ -937,8 +937,15 @@ class AbstractBasicAuthHandler:
140
141	# allow for double- and single-quoted realm values
142	# (single quotes are a violation of the RFC, but appear in the wild)
143	- rx = re.compile('(?:.,)[ \t]*([^ \t]+)[ \t]+'
144	- 'realm=(["\']?)([^"\']*)\\2', re.I)
145	+ rx = re.compile('(?:^\|,)' # start of the string or ','
146	+ '[ \t]*' # optional whitespaces
147	+ '([^ \t]+)' # scheme like "Basic"
148	+ '[ \t]+' # mandatory whitespaces
149	+ # realm=xxx
150	+ # realm='xxx'
151	+ # realm="xxx"
152	+ 'realm=(["\']?)([^"\']*)\\2',
153	+ re.I)
154
155	# XXX could pre-emptively send auth info already accepted (RFC 2617,
156	# end of section 2, and section 1.2 immediately after "credentials"
157	@@ -950,27 +957,51 @@ class AbstractBasicAuthHandler:
158	self.passwd = password_mgr
159	self.add_password = self.passwd.add_password
160
161	+ def _parse_realm(self, header):
162	+ # parse WWW-Authenticate header: accept multiple challenges per header
163	+ found_challenge = False
164	+ for mo in AbstractBasicAuthHandler.rx.finditer(header):
165	+ scheme, quote, realm = mo.groups()
166	+ if quote not in ['"', "'"]:
167	+ warnings.warn("Basic Auth Realm was unquoted",
168	+ UserWarning, 3)
169	+
170	+ yield (scheme, realm)
171	+
172	+ found_challenge = True
173	+
174	+ if not found_challenge:
175	+ if header:
176	+ scheme = header.split()[0]
177	+ else:
178	+ scheme = ''
179	+ yield (scheme, None)
180	+
181	def http_error_auth_reqed(self, authreq, host, req, headers):
182	# host may be an authority (without userinfo) or a URL with an
183	# authority
184	- # XXX could be multiple headers
185	- authreq = headers.get(authreq, None)
186	+ headers = headers.get_all(authreq)
187	+ if not headers:
188	+ # no header found
189	+ return
190
191	- if authreq:
192	- scheme = authreq.split()[0]
193	- if scheme.lower() != 'basic':
194	- raise ValueError("AbstractBasicAuthHandler does not"
195	- " support the following scheme: '%s'" %
196	- scheme)
197	- else:
198	- mo = AbstractBasicAuthHandler.rx.search(authreq)
199	- if mo:
200	- scheme, quote, realm = mo.groups()
201	- if quote not in ['"',"'"]:
202	- warnings.warn("Basic Auth Realm was unquoted",
203	- UserWarning, 2)
204	- if scheme.lower() == 'basic':
205	- return self.retry_http_basic_auth(host, req, realm)
206	+ unsupported = None
207	+ for header in headers:
208	+ for scheme, realm in self._parse_realm(header):
209	+ if scheme.lower() != 'basic':
210	+ unsupported = scheme
211	+ continue
212	+
213	+ if realm is not None:
214	+ # Use the first matching Basic challenge.
215	+ # Ignore following challenges even if they use the Basic
216	+ # scheme.
217	+ return self.retry_http_basic_auth(host, req, realm)
218	+
219	+ if unsupported is not None:
220	+ raise ValueError("AbstractBasicAuthHandler does not "
221	+ "support the following scheme: %r"
222	+ % (scheme,))
223
224	def retry_http_basic_auth(self, host, req, realm):
225	user, pw = self.passwd.find_user_password(realm, host)
226	diff --git a/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
227	new file mode 100644
228	index 0000000000..be80ce79d9
229	--- /dev/null
230	+++ b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
231	@@ -0,0 +1,3 @@
232	+:class:`~urllib.request.AbstractBasicAuthHandler` of :mod:`urllib.request`
233	+now parses all WWW-Authenticate HTTP headers and accepts multiple challenges
234	+per header: use the realm of the first Basic challenge.
235	diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
236	new file mode 100644
237	index 0000000000..9f2800581c
238	--- /dev/null
239	+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
240	@@ -0,0 +1,5 @@
241	+CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
242	+:mod:`urllib.request` module uses an inefficient regular expression which can
243	+be exploited by an attacker to cause a denial of service. Fix the regex to
244	+prevent the catastrophic backtracking. Vulnerability reported by Ben Caller
245	+and Matt Schwager.
246	--
247	2.24.1
248


diff --git a/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch b/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch index acf8e1e9b5..3e471b9a49 100644 --- a/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch +++ b/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch
@@ -1,16 +1,17 @@
1	From 85e8f86ad2b7dec0848cd55b8e810a5e2722b20a Mon Sep 17 00:00:00 2001	1	From b880e78bf4a1852e260188e6df3ec6034403d2fc Mon Sep 17 00:00:00 2001
2	From: Jeremy Puhlman <jpuhlman@mvista.com>	2	From: Jeremy Puhlman <jpuhlman@mvista.com>
3	Date: Wed, 4 Mar 2020 00:06:42 +0000	3	Date: Wed, 4 Mar 2020 00:06:42 +0000
4	Subject: [PATCH] Don't search system for headers/libraries	4	Subject: [PATCH] Don't search system for headers/libraries
5		5
6	Upstream-Status: Inappropriate [oe-core specific]	6	Upstream-Status: Inappropriate [oe-core specific]
7	Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>	7	Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
		8
8	---	9	---
9	setup.py \| 4 ++--	10	setup.py \| 4 ++--
10	1 file changed, 2 insertions(+), 2 deletions(-)	11	1 file changed, 2 insertions(+), 2 deletions(-)
11		12
12	diff --git a/setup.py b/setup.py	13	diff --git a/setup.py b/setup.py
13	index 9da1b3a..59782c0 100644	14	index 7208cd0..c0bd0ad 100644
14	--- a/setup.py	15	--- a/setup.py
15	+++ b/setup.py	16	+++ b/setup.py
16	@@ -674,8 +674,8 @@ class PyBuildExt(build_ext):	17	@@ -674,8 +674,8 @@ class PyBuildExt(build_ext):
@@ -24,6 +25,3 @@ index 9da1b3a..59782c0 100644
24	# lib_dirs and inc_dirs are used to search for files;	25	# lib_dirs and inc_dirs are used to search for files;
25	# if a file is found in one of those directories, it can	26	# if a file is found in one of those directories, it can
26	# be assumed that no additional -I,-L directives are needed.	27	# be assumed that no additional -I,-L directives are needed.
27	--
28	2.24.1
29


diff --git a/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch b/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch index e7af3c6f5c..2b68c0acc2 100644 --- a/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch +++ b/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch
@@ -1,4 +1,4 @@
1	From 7ada9c749f6beb51c13a3debc850755e911548a6 Mon Sep 17 00:00:00 2001	1	From bc59d49efff41051034d7fbf5d0c8505e4c3134b Mon Sep 17 00:00:00 2001
2	From: Alexander Kanavin <alex.kanavin@gmail.com>	2	From: Alexander Kanavin <alex.kanavin@gmail.com>
3	Date: Thu, 31 Jan 2019 16:46:30 +0100	3	Date: Thu, 31 Jan 2019 16:46:30 +0100
4	Subject: [PATCH] distutils/sysconfig: append	4	Subject: [PATCH] distutils/sysconfig: append


diff --git a/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch b/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch index 61ac3e71dc..820fb98ed8 100644 --- a/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch +++ b/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch
@@ -1,4 +1,4 @@
1	From 251347fc970a397a9cd63ed3f87c5e6c52e15187 Mon Sep 17 00:00:00 2001	1	From 064187668fcbefdd39a8cde372bf651124c3e578 Mon Sep 17 00:00:00 2001
2	From: Khem Raj <raj.khem@gmail.com>	2	From: Khem Raj <raj.khem@gmail.com>
3	Date: Tue, 14 May 2013 15:00:26 -0700	3	Date: Tue, 14 May 2013 15:00:26 -0700
4	Subject: [PATCH] python3: Add target and native recipes	4	Subject: [PATCH] python3: Add target and native recipes


diff --git a/meta/recipes-devtools/python/python3_3.8.2.bb b/meta/recipes-devtools/python/python3_3.8.3.bb index 0474f07214..4367923b55 100644 --- a/meta/recipes-devtools/python/python3_3.8.2.bb +++ b/meta/recipes-devtools/python/python3_3.8.3.bb
@@ -32,7 +32,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
32	file://0001-configure.ac-fix-LIBPL.patch \	32	file://0001-configure.ac-fix-LIBPL.patch \
33	file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \	33	file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \
34	file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \	34	file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
35	file://0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch \
36	"	35	"
37		36
38	SRC_URI_append_class-native = " \	37	SRC_URI_append_class-native = " \
@@ -41,8 +40,8 @@ SRC_URI_append_class-native = " \
41	file://0001-Don-t-search-system-for-headers-libraries.patch \	40	file://0001-Don-t-search-system-for-headers-libraries.patch \
42	"	41	"
43		42
44	SRC_URI[md5sum] = "e9d6ebc92183a177b8e8a58cad5b8d67"	43	SRC_URI[md5sum] = "3000cf50aaa413052aef82fd2122ca78"
45	SRC_URI[sha256sum] = "2646e7dc233362f59714c6193017bb2d6f7b38d6ab4a0cb5fbac5c36c4d845df"	44	SRC_URI[sha256sum] = "dfab5ec723c218082fe3d5d7ae17ecbdebffa9a1aea4d64aa3a2ecdd2e795864"
46		45
47	# exclude pre-releases for both python 2.x and 3.x	46	# exclude pre-releases for both python 2.x and 3.x
48	UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"	47	UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"