diff options
author | Chen Qi <Qi.Chen@windriver.com> | 2019-10-24 12:19:15 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-10-28 05:31:42 +0000 |
commit | 7a7d6ac3eb74fb1fad6d1b90faff111a522a2d37 (patch) | |
tree | 5c7cae50e2c3bb2b7460cfc3fc083d0cf3b46cd0 /meta | |
parent | 423d32dae2e678e2bd57a30f2212331ca21cc968 (diff) | |
download | poky-7a7d6ac3eb74fb1fad6d1b90faff111a522a2d37.tar.gz |
python: fix CVE-2019-16935
(From OE-Core rev: 1a7593bcdaf8a8cf15259aee8a0e2686247f2987)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch | 101 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python_2.7.16.bb | 1 |
2 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch b/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch new file mode 100644 index 0000000000..3025cf7bc8 --- /dev/null +++ b/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch | |||
@@ -0,0 +1,101 @@ | |||
1 | From b161c89c8bd66fe928192e21364678c8e9b8fcc0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Dong-hee Na <donghee.na92@gmail.com> | ||
3 | Date: Tue, 1 Oct 2019 19:58:01 +0900 | ||
4 | Subject: [PATCH] [2.7] bpo-38243: Escape the server title of DocXMLRPCServer | ||
5 | (GH-16447) | ||
6 | |||
7 | Escape the server title of DocXMLRPCServer.DocXMLRPCServer | ||
8 | when rendering the document page as HTML. | ||
9 | |||
10 | CVE: CVE-2019-16935 | ||
11 | |||
12 | Upstream-Status: Backport [https://github.com/python/cpython/pull/16447/commits/b41cde823d026f2adc21ef14b1c2e92b1006de06] | ||
13 | |||
14 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
15 | --- | ||
16 | Lib/DocXMLRPCServer.py | 13 +++++++++++- | ||
17 | Lib/test/test_docxmlrpc.py | 20 +++++++++++++++++++ | ||
18 | .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst | 3 +++ | ||
19 | 3 files changed, 35 insertions(+), 1 deletion(-) | ||
20 | create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst | ||
21 | |||
22 | diff --git a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py | ||
23 | index 4064ec2e48..90b037dd35 100644 | ||
24 | --- a/Lib/DocXMLRPCServer.py | ||
25 | +++ b/Lib/DocXMLRPCServer.py | ||
26 | @@ -20,6 +20,16 @@ from SimpleXMLRPCServer import (SimpleXMLRPCServer, | ||
27 | CGIXMLRPCRequestHandler, | ||
28 | resolve_dotted_attribute) | ||
29 | |||
30 | + | ||
31 | +def _html_escape_quote(s): | ||
32 | + s = s.replace("&", "&") # Must be done first! | ||
33 | + s = s.replace("<", "<") | ||
34 | + s = s.replace(">", ">") | ||
35 | + s = s.replace('"', """) | ||
36 | + s = s.replace('\'', "'") | ||
37 | + return s | ||
38 | + | ||
39 | + | ||
40 | class ServerHTMLDoc(pydoc.HTMLDoc): | ||
41 | """Class used to generate pydoc HTML document for a server""" | ||
42 | |||
43 | @@ -210,7 +220,8 @@ class XMLRPCDocGenerator: | ||
44 | methods | ||
45 | ) | ||
46 | |||
47 | - return documenter.page(self.server_title, documentation) | ||
48 | + title = _html_escape_quote(self.server_title) | ||
49 | + return documenter.page(title, documentation) | ||
50 | |||
51 | class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler): | ||
52 | """XML-RPC and documentation request handler class. | ||
53 | diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py | ||
54 | index 4dff4159e2..c45b892b8b 100644 | ||
55 | --- a/Lib/test/test_docxmlrpc.py | ||
56 | +++ b/Lib/test/test_docxmlrpc.py | ||
57 | @@ -1,5 +1,6 @@ | ||
58 | from DocXMLRPCServer import DocXMLRPCServer | ||
59 | import httplib | ||
60 | +import re | ||
61 | import sys | ||
62 | from test import test_support | ||
63 | threading = test_support.import_module('threading') | ||
64 | @@ -176,6 +177,25 @@ class DocXMLRPCHTTPGETServer(unittest.TestCase): | ||
65 | self.assertIn("""Try self.<strong>add</strong>, too.""", | ||
66 | response.read()) | ||
67 | |||
68 | + def test_server_title_escape(self): | ||
69 | + """Test that the server title and documentation | ||
70 | + are escaped for HTML. | ||
71 | + """ | ||
72 | + self.serv.set_server_title('test_title<script>') | ||
73 | + self.serv.set_server_documentation('test_documentation<script>') | ||
74 | + self.assertEqual('test_title<script>', self.serv.server_title) | ||
75 | + self.assertEqual('test_documentation<script>', | ||
76 | + self.serv.server_documentation) | ||
77 | + | ||
78 | + generated = self.serv.generate_html_documentation() | ||
79 | + title = re.search(r'<title>(.+?)</title>', generated).group() | ||
80 | + documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group() | ||
81 | + self.assertEqual('<title>Python: test_title<script></title>', | ||
82 | + title) | ||
83 | + self.assertEqual('<p><tt>test_documentation<script></tt></p>', | ||
84 | + documentation) | ||
85 | + | ||
86 | + | ||
87 | def test_main(): | ||
88 | test_support.run_unittest(DocXMLRPCHTTPGETServer) | ||
89 | |||
90 | diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst | ||
91 | new file mode 100644 | ||
92 | index 0000000000..8f02baed9e | ||
93 | --- /dev/null | ||
94 | +++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst | ||
95 | @@ -0,0 +1,3 @@ | ||
96 | +Escape the server title of :class:`DocXMLRPCServer.DocXMLRPCServer` | ||
97 | +when rendering the document page as HTML. | ||
98 | +(Contributed by Dong-hee Na in :issue:`38243`.) | ||
99 | -- | ||
100 | 2.17.1 | ||
101 | |||
diff --git a/meta/recipes-devtools/python/python_2.7.16.bb b/meta/recipes-devtools/python/python_2.7.16.bb index ebb4824cc1..625c5312a6 100644 --- a/meta/recipes-devtools/python/python_2.7.16.bb +++ b/meta/recipes-devtools/python/python_2.7.16.bb | |||
@@ -32,6 +32,7 @@ SRC_URI += " \ | |||
32 | file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \ | 32 | file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \ |
33 | file://0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \ | 33 | file://0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \ |
34 | file://bpo-36742-cve-2019-10160.patch \ | 34 | file://bpo-36742-cve-2019-10160.patch \ |
35 | file://0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch \ | ||
35 | " | 36 | " |
36 | 37 | ||
37 | S = "${WORKDIR}/Python-${PV}" | 38 | S = "${WORKDIR}/Python-${PV}" |