summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools
diff options
context:
space:
mode:
authorAnuj Mittal <anuj.mittal@intel.com>2019-07-31 12:54:54 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-07-31 23:03:01 +0100
commita6854bc41bcdadce50a5c1aec8baa9ab52567030 (patch)
tree0a30e8019c95d3540b02e72e079bef8ad65d4ba3 /meta/recipes-devtools
parentda6a60239853300466cee05d9fa9ab30ea223e33 (diff)
downloadpoky-a6854bc41bcdadce50a5c1aec8baa9ab52567030.tar.gz
python: fix CVE-2018-20852
(From OE-Core rev: 04fc80b2c77a177601584500f0f3048d80095ad7) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r--meta/recipes-devtools/python/python.inc1
-rw-r--r--meta/recipes-devtools/python/python/CVE-2018-20852.patch123
2 files changed, 124 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
index 8d0e90862c..70481002bb 100644
--- a/meta/recipes-devtools/python/python.inc
+++ b/meta/recipes-devtools/python/python.inc
@@ -13,6 +13,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
13 file://bpo-36216-cve-2019-9636.patch \ 13 file://bpo-36216-cve-2019-9636.patch \
14 file://bpo-36216-cve-2019-9636-fix.patch \ 14 file://bpo-36216-cve-2019-9636-fix.patch \
15 file://CVE-2019-9740.patch \ 15 file://CVE-2019-9740.patch \
16 file://CVE-2018-20852.patch \
16 " 17 "
17 18
18SRC_URI[md5sum] = "30157d85a2c0479c09ea2cbe61f2aaf5" 19SRC_URI[md5sum] = "30157d85a2c0479c09ea2cbe61f2aaf5"
diff --git a/meta/recipes-devtools/python/python/CVE-2018-20852.patch b/meta/recipes-devtools/python/python/CVE-2018-20852.patch
new file mode 100644
index 0000000000..23c784a210
--- /dev/null
+++ b/meta/recipes-devtools/python/python/CVE-2018-20852.patch
@@ -0,0 +1,123 @@
1From 979daae300916adb399ab5b51410b6ebd0888f13 Mon Sep 17 00:00:00 2001
2From: Xtreak <tir.karthi@gmail.com>
3Date: Sat, 15 Jun 2019 20:59:43 +0530
4Subject: [PATCH] [2.7] bpo-35121: prefix dot in domain for proper subdomain
5 validation (GH-10258) (GH-13426)
6
7This is a manual backport of ca7fe5063593958e5efdf90f068582837f07bd14 since 2.7 has `http.cookiejar` in `cookielib`
8
9
10https://bugs.python.org/issue35121
11CVE: CVE-2018-20852
12Upstream-Status: Backport [https://github.com/python/cpython/pull/13426]
13Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
14---
15 Lib/cookielib.py | 13 ++++++--
16 Lib/test/test_cookielib.py | 30 +++++++++++++++++++
17 .../2019-05-20-00-35-12.bpo-35121.RRi-HU.rst | 4 +++
18 3 files changed, 45 insertions(+), 2 deletions(-)
19 create mode 100644 Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
20
21diff --git a/Lib/cookielib.py b/Lib/cookielib.py
22index 2dd7c48728e0..0b471a42f296 100644
23--- a/Lib/cookielib.py
24+++ b/Lib/cookielib.py
25@@ -1139,6 +1139,11 @@ def return_ok_domain(self, cookie, request):
26 req_host, erhn = eff_request_host(request)
27 domain = cookie.domain
28
29+ if domain and not domain.startswith("."):
30+ dotdomain = "." + domain
31+ else:
32+ dotdomain = domain
33+
34 # strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
35 if (cookie.version == 0 and
36 (self.strict_ns_domain & self.DomainStrictNonDomain) and
37@@ -1151,7 +1156,7 @@ def return_ok_domain(self, cookie, request):
38 _debug(" effective request-host name %s does not domain-match "
39 "RFC 2965 cookie domain %s", erhn, domain)
40 return False
41- if cookie.version == 0 and not ("."+erhn).endswith(domain):
42+ if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
43 _debug(" request-host %s does not match Netscape cookie domain "
44 "%s", req_host, domain)
45 return False
46@@ -1165,7 +1170,11 @@ def domain_return_ok(self, domain, request):
47 req_host = "."+req_host
48 if not erhn.startswith("."):
49 erhn = "."+erhn
50- if not (req_host.endswith(domain) or erhn.endswith(domain)):
51+ if domain and not domain.startswith("."):
52+ dotdomain = "." + domain
53+ else:
54+ dotdomain = domain
55+ if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
56 #_debug(" request domain %s does not match cookie domain %s",
57 # req_host, domain)
58 return False
59diff --git a/Lib/test/test_cookielib.py b/Lib/test/test_cookielib.py
60index f2dd9727d137..7f7ff614d61d 100644
61--- a/Lib/test/test_cookielib.py
62+++ b/Lib/test/test_cookielib.py
63@@ -368,6 +368,7 @@ def test_domain_return_ok(self):
64 ("http://foo.bar.com/", ".foo.bar.com", True),
65 ("http://foo.bar.com/", "foo.bar.com", True),
66 ("http://foo.bar.com/", ".bar.com", True),
67+ ("http://foo.bar.com/", "bar.com", True),
68 ("http://foo.bar.com/", "com", True),
69 ("http://foo.com/", "rhubarb.foo.com", False),
70 ("http://foo.com/", ".foo.com", True),
71@@ -378,6 +379,8 @@ def test_domain_return_ok(self):
72 ("http://foo/", "foo", True),
73 ("http://foo/", "foo.local", True),
74 ("http://foo/", ".local", True),
75+ ("http://barfoo.com", ".foo.com", False),
76+ ("http://barfoo.com", "foo.com", False),
77 ]:
78 request = urllib2.Request(url)
79 r = pol.domain_return_ok(domain, request)
80@@ -938,6 +941,33 @@ def test_domain_block(self):
81 c.add_cookie_header(req)
82 self.assertFalse(req.has_header("Cookie"))
83
84+ c.clear()
85+
86+ pol.set_blocked_domains([])
87+ req = Request("http://acme.com/")
88+ res = FakeResponse(headers, "http://acme.com/")
89+ cookies = c.make_cookies(res, req)
90+ c.extract_cookies(res, req)
91+ self.assertEqual(len(c), 1)
92+
93+ req = Request("http://acme.com/")
94+ c.add_cookie_header(req)
95+ self.assertTrue(req.has_header("Cookie"))
96+
97+ req = Request("http://badacme.com/")
98+ c.add_cookie_header(req)
99+ self.assertFalse(pol.return_ok(cookies[0], req))
100+ self.assertFalse(req.has_header("Cookie"))
101+
102+ p = pol.set_blocked_domains(["acme.com"])
103+ req = Request("http://acme.com/")
104+ c.add_cookie_header(req)
105+ self.assertFalse(req.has_header("Cookie"))
106+
107+ req = Request("http://badacme.com/")
108+ c.add_cookie_header(req)
109+ self.assertFalse(req.has_header("Cookie"))
110+
111 def test_secure(self):
112 from cookielib import CookieJar, DefaultCookiePolicy
113
114diff --git a/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
115new file mode 100644
116index 000000000000..77251806163b
117--- /dev/null
118+++ b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
119@@ -0,0 +1,4 @@
120+Don't send cookies of domain A without Domain attribute to domain B when
121+domain A is a suffix match of domain B while using a cookiejar with
122+:class:`cookielib.DefaultCookiePolicy` policy. Patch by Karthikeyan
123+Singaravelan.