python: fix CVE-2016-1000110

Backport patch to fix CVE-2016-1000110 from python upstream: for python2.7 https://hg.python.org/cpython/rev/ba915d561667/ for python3 https://hg.python.org/cpython/rev/a0ac52ed8f79 (From OE-Core rev: 1dd22b9d35983f35c481a1fcf67425aa0fd07a5b) Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Mingli Yu <Mingli.Yu@windriver.com> 2016-09-26 13:54:34 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-09-28 10:16:03 +0100
commit: fd4391d8ba1da590dbf618599a7f72d16e253c4a (patch)
tree: f0d0d7a6acecb19de587acb04aaa943f96b81570 /meta
parent: b5a00339d921510fe8cae68ba625ffa1558e2a7c (diff)
download: poky-fd4391d8ba1da590dbf618599a7f72d16e253c4a.tar.gz
4 files changed, 312 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/python-fix-CVE-2016-1000110.patch b/meta/recipes-devtools/python/python/python-fix-CVE-2016-1000110.patch
new file mode 100644
index 0000000000..97888e2b08
--- /dev/null
+++ b/meta/recipes-devtools/python/python/python-fix-CVE-2016-1000110.patch
@@ -0,0 +1,162 @@
+From cb25fbd5abc0f4eb07dbb8ea819e9c26bda4fc99 Mon Sep 17 00:00:00 2001
+From: Senthil Kumaran <senthil@uthcode.com>
+Date: Sat, 30 Jul 2016 05:49:53 -0700
+Subject: [PATCH] python: fix CVE-2016-1000110
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Prevent HTTPoxy attack (CVE-2016-1000110)
+Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
+indicates that the script is in CGI mode.
+Issue reported and patch contributed by Rémi Rampin.
+Backport patch from https://hg.python.org/cpython/rev/ba915d561667/
+Upstream-Status: Backport
+CVE: CVE-2016-1000110
+Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
+---
+ Doc/howto/urllib2.rst   |  5 +++++
+ Doc/library/urllib.rst  | 10 ++++++++++
+ Doc/library/urllib2.rst |  5 +++++
+ Lib/test/test_urllib.py | 12 ++++++++++++
+ Lib/urllib.py           |  9 +++++++++
+ Misc/ACKS               |  1 +
+ Misc/NEWS               |  4 ++++
+ 7 files changed, 46 insertions(+)
+diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst
+index 6bb06d4..5cf2c0c 100644
+--- a/Doc/howto/urllib2.rst
+++ b/Doc/howto/urllib2.rst
+@@ -525,6 +525,11 @@ setting up a `Basic Authentication`_ handler: ::
+     through a proxy.  However, this can be enabled by extending urllib2 as
+     shown in the recipe [#]_.
+ 
+.. note::
+
+    ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
+    the documentation on :func:`~urllib.getproxies`.
+
+ 
+ Sockets and Layers
+ ==================
+diff --git a/Doc/library/urllib.rst b/Doc/library/urllib.rst
+index 3b5dc16..bddcba9 100644
+--- a/Doc/library/urllib.rst
+++ b/Doc/library/urllib.rst
+@@ -295,6 +295,16 @@ Utility functions
+    If both lowercase and uppercase environment variables exist (and disagree),
+    lowercase is preferred.
+ 
+    .. note::
+
+        If the environment variable ``REQUEST_METHOD`` is set, which usually
+        indicates your script is running in a CGI environment, the environment
+        variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
+        because that variable can be injected by a client using the "Proxy:"
+        HTTP header. If you need to use an HTTP proxy in a CGI environment,
+        either use ``ProxyHandler`` explicitly, or make sure the variable name
+        is in lowercase (or at least the ``_proxy`` suffix).
+
+ .. note::
+     urllib also exposes certain utility functions like splittype, splithost and
+     others parsing URL into various components. But it is recommended to use
+diff --git a/Doc/library/urllib2.rst b/Doc/library/urllib2.rst
+index 8a4c80e..b808b98 100644
+--- a/Doc/library/urllib2.rst
+++ b/Doc/library/urllib2.rst
+@@ -229,6 +229,11 @@ The following classes are provided:
+ 
+    To disable autodetected proxy pass an empty dictionary.
+ 
+    .. note::
+
+       ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
+       see the documentation on :func:`~urllib.getproxies`.
+
+ 
+ .. class:: HTTPPasswordMgr()
+ 
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index 434d533..27a1d38 100644
+--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
+@@ -170,6 +170,18 @@ class ProxyTests(unittest.TestCase):
+         self.assertTrue(urllib.proxy_bypass_environment('anotherdomain.com:8888'))
+         self.assertTrue(urllib.proxy_bypass_environment('newdomain.com:1234'))
+ 
+    def test_proxy_cgi_ignore(self):
+        try:
+            self.env.set('HTTP_PROXY', 'http://somewhere:3128')
+            proxies = urllib.getproxies_environment()
+            self.assertEqual('http://somewhere:3128', proxies['http'])
+            self.env.set('REQUEST_METHOD', 'GET')
+            proxies = urllib.getproxies_environment()
+            self.assertNotIn('http', proxies)
+        finally:
+            self.env.unset('REQUEST_METHOD')
+            self.env.unset('HTTP_PROXY')
+
+     def test_proxy_bypass_environment_host_match(self):
+         bypass = urllib.proxy_bypass_environment
+         self.env.set('NO_PROXY',
+diff --git a/Lib/urllib.py b/Lib/urllib.py
+index 139fab9..c3ba2c9 100644
+--- a/Lib/urllib.py
+++ b/Lib/urllib.py
+@@ -1380,12 +1380,21 @@ def getproxies_environment():
+     If you need a different way, you can pass a proxies dictionary to the
+     [Fancy]URLopener constructor.
+     """
+    # Get all variables
+     proxies = {}
+     for name, value in os.environ.items():
+         name = name.lower()
+         if value and name[-6:] == '_proxy':
+             proxies[name[:-6]] = value
+ 
+    # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
+    # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
+    # header from the client
+    # If "proxy" is lowercase, it will still be used thanks to the next block
+    if 'REQUEST_METHOD' in os.environ:
+        proxies.pop('http', None)
+
+    # Get lowercase variables
+     for name, value in os.environ.items():
+         if name[-6:] == '_proxy':
+             name = name.lower()
+diff --git a/Misc/ACKS b/Misc/ACKS
+index ee3a465..9c374b7 100644
+--- a/Misc/ACKS
+++ b/Misc/ACKS
+@@ -1121,6 +1121,7 @@ Burton Radons
+ Jeff Ramnani
+ Varpu Rantala
+ Brodie Rao
+Rémi Rampin
+ Senko Rasic
+ Antti Rasinen
+ Nikolaus Rath
+diff --git a/Misc/NEWS b/Misc/NEWS
+index 4ab3a70..cc2f65b 100644
+--- a/Misc/NEWS
+++ b/Misc/NEWS
+@@ -187,6 +187,10 @@ Library
+ - Issue #26644: Raise ValueError rather than SystemError when a negative
+   length is passed to SSLSocket.recv() or read().
+ 
+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
+  HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
+  that the script is in CGI mode.
+
+ - Issue #23804: Fix SSL recv(0) and read(0) methods to return zero bytes
+   instead of up to 1024.
+ 
+-- 
+2.8.1
diff --git a/meta/recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch b/meta/recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch
new file mode 100644
index 0000000000..ab1b7230ea
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch
@@ -0,0 +1,148 @@
+From aab3e8c432b90508ac14755128f5a687be2fdf43 Mon Sep 17 00:00:00 2001
+From: Mingli Yu <Mingli.Yu@windriver.com>
+Date: Thu, 22 Sep 2016 16:39:49 +0800
+Subject: [PATCH] python3: fix CVE-2016-1000110
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
+indicates that the script is in CGI mode.
+Issue #27568 Reported and patch contributed by Rémi Rampin. [#27568]
+Backport patch from https://hg.python.org/cpython/rev/a0ac52ed8f79
+Upstream-Status: Backport
+CVE: CVE-2016-1000110
+Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
+---
+ Doc/howto/urllib2.rst          |  5 +++++
+ Doc/library/urllib.request.rst | 17 ++++++++++++++++-
+ Lib/test/test_urllib.py        | 14 +++++++++++++-
+ Lib/urllib/request.py          |  6 ++++++
+ Misc/NEWS                      |  4 ++++
+ 5 files changed, 44 insertions(+), 2 deletions(-)
+diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst
+index 24a4156..d2c7991 100644
+--- a/Doc/howto/urllib2.rst
+++ b/Doc/howto/urllib2.rst
+@@ -538,6 +538,11 @@ setting up a `Basic Authentication`_ handler: ::
+     through a proxy.  However, this can be enabled by extending urllib.request as
+     shown in the recipe [#]_.
+ 
+.. note::
+
+    ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
+    the documentation on :func:`~urllib.request.getproxies`.
+
+ 
+ Sockets and Layers
+ ==================
+diff --git a/Doc/library/urllib.request.rst b/Doc/library/urllib.request.rst
+index 1338906..1291aeb 100644
+--- a/Doc/library/urllib.request.rst
+++ b/Doc/library/urllib.request.rst
+@@ -173,6 +173,16 @@ The :mod:`urllib.request` module defines the following functions:
+    If both lowercase and uppercase environment variables exist (and disagree),
+    lowercase is preferred.
+ 
+    .. note::
+
+       If the environment variable ``REQUEST_METHOD`` is set, which usually
+       indicates your script is running in a CGI environment, the environment
+       variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
+       because that variable can be injected by a client using the "Proxy:" HTTP
+       header. If you need to use an HTTP proxy in a CGI environment, either use
+       ``ProxyHandler`` explicitly, or make sure the variable name is in
+       lowercase (or at least the ``_proxy`` suffix).
+
+ 
+ The following classes are provided:
+ 
+@@ -280,6 +290,11 @@ The following classes are provided:
+    list of hostname suffixes, optionally with ``:port`` appended, for example
+    ``cern.ch,ncsa.uiuc.edu,some.host:8080``.
+ 
+    .. note::
+
+       ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
+       see the documentation on :func:`~urllib.request.getproxies`.
+
+ 
+ .. class:: HTTPPasswordMgr()
+ 
+@@ -1138,7 +1153,7 @@ the returned bytes object to string once it determines or guesses
+ the appropriate encoding.
+ 
+ The following W3C document, https://www.w3.org/International/O-charset\ , lists
+-the various ways in which a (X)HTML or a XML document could have specified its
+the various ways in which an (X)HTML or an XML document could have specified its
+ encoding information.
+ 
+ As the python.org website uses *utf-8* encoding as specified in its meta tag, we
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index 5d05f8d..247598a 100644
+--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
+@@ -1,4 +1,4 @@
+-"""Regresssion tests for what was in Python 2's "urllib" module"""
+"""Regression tests for what was in Python 2's "urllib" module"""
+ 
+ import urllib.parse
+ import urllib.request
+@@ -232,6 +232,18 @@ class ProxyTests(unittest.TestCase):
+         self.assertTrue(urllib.request.proxy_bypass_environment('anotherdomain.com:8888'))
+         self.assertTrue(urllib.request.proxy_bypass_environment('newdomain.com:1234'))
+ 
+    def test_proxy_cgi_ignore(self):
+        try:
+            self.env.set('HTTP_PROXY', 'http://somewhere:3128')
+            proxies = urllib.request.getproxies_environment()
+            self.assertEqual('http://somewhere:3128', proxies['http'])
+            self.env.set('REQUEST_METHOD', 'GET')
+            proxies = urllib.request.getproxies_environment()
+            self.assertNotIn('http', proxies)
+        finally:
+            self.env.unset('REQUEST_METHOD')
+            self.env.unset('HTTP_PROXY')
+
+     def test_proxy_bypass_environment_host_match(self):
+         bypass = urllib.request.proxy_bypass_environment
+         self.env.set('NO_PROXY',
+diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
+index 1731fe3..3be327d 100644
+--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
+@@ -2412,6 +2412,12 @@ def getproxies_environment():
+         name = name.lower()
+         if value and name[-6:] == '_proxy':
+             proxies[name[:-6]] = value
+    # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
+    # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
+    # header from the client
+    # If "proxy" is lowercase, it will still be used thanks to the next block
+    if 'REQUEST_METHOD' in os.environ:
+        proxies.pop('http', None)
+     for name, value in os.environ.items():
+         if name[-6:] == '_proxy':
+             name = name.lower()
+diff --git a/Misc/NEWS b/Misc/NEWS
+index 4ad2551..2fcc95b 100644
+--- a/Misc/NEWS
+++ b/Misc/NEWS
+@@ -329,6 +329,10 @@ Library
+ - Issue #26644: Raise ValueError rather than SystemError when a negative
+   length is passed to SSLSocket.recv() or read().
+ 
+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
+  HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
+  that the script is in CGI mode.
+
+ - Issue #23804: Fix SSL recv(0) and read(0) methods to return zero bytes
+   instead of up to 1024.
+ 
+-- 
+2.8.1
diff --git a/meta/recipes-devtools/python/python3_3.5.2.bb b/meta/recipes-devtools/python/python3_3.5.2.bb
index 456147d39e..e6cbb9c56d 100644
--- a/meta/recipes-devtools/python/python3_3.5.2.bb
+++ b/meta/recipes-devtools/python/python3_3.5.2.bb
@@ -36,6 +36,7 @@ SRC_URI += "\
            file://setup.py-check-cross_compiling-when-get-FLAGS.patch \
            file://setup.py-find-libraries-in-staging-dirs.patch \
            file://configure.ac-fix-LIBPL.patch \
+            file://python3-fix-CVE-2016-1000110.patch \
           "
 SRC_URI[md5sum] = "8906efbacfcdc7c3c9198aeefafd159e"
 SRC_URI[sha256sum] = "0010f56100b9b74259ebcd5d4b295a32324b58b517403a10d1a2aa7cb22bca40"
diff --git a/meta/recipes-devtools/python/python_2.7.12.bb b/meta/recipes-devtools/python/python_2.7.12.bb
index 65b571719b..9fe35db2de 100644
--- a/meta/recipes-devtools/python/python_2.7.12.bb
+++ b/meta/recipes-devtools/python/python_2.7.12.bb
@@ -26,6 +26,7 @@ SRC_URI += "\
  file://parallel-makeinst-create-bindir.patch \
  file://use_sysroot_ncurses_instead_of_host.patch \
  file://add-CROSSPYTHONPATH-for-PYTHON_FOR_BUILD.patch \
+  file://python-fix-CVE-2016-1000110.patch \
 "
 S = "${WORKDIR}/Python-${PV}"
author	Mingli Yu <Mingli.Yu@windriver.com>	2016-09-26 13:54:34 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-09-28 10:16:03 +0100
commit	fd4391d8ba1da590dbf618599a7f72d16e253c4a (patch)
tree	f0d0d7a6acecb19de587acb04aaa943f96b81570 /meta
parent	b5a00339d921510fe8cae68ba625ffa1558e2a7c (diff)
download	poky-fd4391d8ba1da590dbf618599a7f72d16e253c4a.tar.gz

diff --git a/meta/recipes-devtools/python/python/python-fix-CVE-2016-1000110.patch b/meta/recipes-devtools/python/python/python-fix-CVE-2016-1000110.patch new file mode 100644 index 0000000000..97888e2b08 --- /dev/null +++ b/meta/recipes-devtools/python/python/python-fix-CVE-2016-1000110.patch
@@ -0,0 +1,162 @@
		1	From cb25fbd5abc0f4eb07dbb8ea819e9c26bda4fc99 Mon Sep 17 00:00:00 2001
		2	From: Senthil Kumaran <senthil@uthcode.com>
		3	Date: Sat, 30 Jul 2016 05:49:53 -0700
		4	Subject: [PATCH] python: fix CVE-2016-1000110
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	Prevent HTTPoxy attack (CVE-2016-1000110)
		10
		11	Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
		12	indicates that the script is in CGI mode.
		13
		14	Issue reported and patch contributed by Rémi Rampin.
		15
		16	Backport patch from https://hg.python.org/cpython/rev/ba915d561667/
		17
		18	Upstream-Status: Backport
		19	CVE: CVE-2016-1000110
		20	Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
		21	---
		22	Doc/howto/urllib2.rst \| 5 +++++
		23	Doc/library/urllib.rst \| 10 ++++++++++
		24	Doc/library/urllib2.rst \| 5 +++++
		25	Lib/test/test_urllib.py \| 12 ++++++++++++
		26	Lib/urllib.py \| 9 +++++++++
		27	Misc/ACKS \| 1 +
		28	Misc/NEWS \| 4 ++++
		29	7 files changed, 46 insertions(+)
		30
		31	diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst
		32	index 6bb06d4..5cf2c0c 100644
		33	--- a/Doc/howto/urllib2.rst
		34	+++ b/Doc/howto/urllib2.rst
		35	@@ -525,6 +525,11 @@ setting up a `Basic Authentication`_ handler: ::
		36	through a proxy. However, this can be enabled by extending urllib2 as
		37	shown in the recipe [#]_.
		38
		39	+.. note::
		40	+
		41	+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
		42	+ the documentation on :func:`~urllib.getproxies`.
		43	+
		44
		45	Sockets and Layers
		46	==================
		47	diff --git a/Doc/library/urllib.rst b/Doc/library/urllib.rst
		48	index 3b5dc16..bddcba9 100644
		49	--- a/Doc/library/urllib.rst
		50	+++ b/Doc/library/urllib.rst
		51	@@ -295,6 +295,16 @@ Utility functions
		52	If both lowercase and uppercase environment variables exist (and disagree),
		53	lowercase is preferred.
		54
		55	+ .. note::
		56	+
		57	+ If the environment variable ``REQUEST_METHOD`` is set, which usually
		58	+ indicates your script is running in a CGI environment, the environment
		59	+ variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
		60	+ because that variable can be injected by a client using the "Proxy:"
		61	+ HTTP header. If you need to use an HTTP proxy in a CGI environment,
		62	+ either use ``ProxyHandler`` explicitly, or make sure the variable name
		63	+ is in lowercase (or at least the ``_proxy`` suffix).
		64	+
		65	.. note::
		66	urllib also exposes certain utility functions like splittype, splithost and
		67	others parsing URL into various components. But it is recommended to use
		68	diff --git a/Doc/library/urllib2.rst b/Doc/library/urllib2.rst
		69	index 8a4c80e..b808b98 100644
		70	--- a/Doc/library/urllib2.rst
		71	+++ b/Doc/library/urllib2.rst
		72	@@ -229,6 +229,11 @@ The following classes are provided:
		73
		74	To disable autodetected proxy pass an empty dictionary.
		75
		76	+ .. note::
		77	+
		78	+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
		79	+ see the documentation on :func:`~urllib.getproxies`.
		80	+
		81
		82	.. class:: HTTPPasswordMgr()
		83
		84	diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
		85	index 434d533..27a1d38 100644
		86	--- a/Lib/test/test_urllib.py
		87	+++ b/Lib/test/test_urllib.py
		88	@@ -170,6 +170,18 @@ class ProxyTests(unittest.TestCase):
		89	self.assertTrue(urllib.proxy_bypass_environment('anotherdomain.com:8888'))
		90	self.assertTrue(urllib.proxy_bypass_environment('newdomain.com:1234'))
		91
		92	+ def test_proxy_cgi_ignore(self):
		93	+ try:
		94	+ self.env.set('HTTP_PROXY', 'http://somewhere:3128')
		95	+ proxies = urllib.getproxies_environment()
		96	+ self.assertEqual('http://somewhere:3128', proxies['http'])
		97	+ self.env.set('REQUEST_METHOD', 'GET')
		98	+ proxies = urllib.getproxies_environment()
		99	+ self.assertNotIn('http', proxies)
		100	+ finally:
		101	+ self.env.unset('REQUEST_METHOD')
		102	+ self.env.unset('HTTP_PROXY')
		103	+
		104	def test_proxy_bypass_environment_host_match(self):
		105	bypass = urllib.proxy_bypass_environment
		106	self.env.set('NO_PROXY',
		107	diff --git a/Lib/urllib.py b/Lib/urllib.py
		108	index 139fab9..c3ba2c9 100644
		109	--- a/Lib/urllib.py
		110	+++ b/Lib/urllib.py
		111	@@ -1380,12 +1380,21 @@ def getproxies_environment():
		112	If you need a different way, you can pass a proxies dictionary to the
		113	[Fancy]URLopener constructor.
		114	"""
		115	+ # Get all variables
		116	proxies = {}
		117	for name, value in os.environ.items():
		118	name = name.lower()
		119	if value and name[-6:] == '_proxy':
		120	proxies[name[:-6]] = value
		121
		122	+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
		123	+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
		124	+ # header from the client
		125	+ # If "proxy" is lowercase, it will still be used thanks to the next block
		126	+ if 'REQUEST_METHOD' in os.environ:
		127	+ proxies.pop('http', None)
		128	+
		129	+ # Get lowercase variables
		130	for name, value in os.environ.items():
		131	if name[-6:] == '_proxy':
		132	name = name.lower()
		133	diff --git a/Misc/ACKS b/Misc/ACKS
		134	index ee3a465..9c374b7 100644
		135	--- a/Misc/ACKS
		136	+++ b/Misc/ACKS
		137	@@ -1121,6 +1121,7 @@ Burton Radons
		138	Jeff Ramnani
		139	Varpu Rantala
		140	Brodie Rao
		141	+Rémi Rampin
		142	Senko Rasic
		143	Antti Rasinen
		144	Nikolaus Rath
		145	diff --git a/Misc/NEWS b/Misc/NEWS
		146	index 4ab3a70..cc2f65b 100644
		147	--- a/Misc/NEWS
		148	+++ b/Misc/NEWS
		149	@@ -187,6 +187,10 @@ Library
		150	- Issue #26644: Raise ValueError rather than SystemError when a negative
		151	length is passed to SSLSocket.recv() or read().
		152
		153	+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
		154	+ HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
		155	+ that the script is in CGI mode.
		156	+
		157	- Issue #23804: Fix SSL recv(0) and read(0) methods to return zero bytes
		158	instead of up to 1024.
		159
		160	--
		161	2.8.1
		162


diff --git a/meta/recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch b/meta/recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch new file mode 100644 index 0000000000..ab1b7230ea --- /dev/null +++ b/meta/recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch
@@ -0,0 +1,148 @@
		1	From aab3e8c432b90508ac14755128f5a687be2fdf43 Mon Sep 17 00:00:00 2001
		2	From: Mingli Yu <Mingli.Yu@windriver.com>
		3	Date: Thu, 22 Sep 2016 16:39:49 +0800
		4	Subject: [PATCH] python3: fix CVE-2016-1000110
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
		10	indicates that the script is in CGI mode.
		11
		12	Issue #27568 Reported and patch contributed by Rémi Rampin. [#27568]
		13
		14	Backport patch from https://hg.python.org/cpython/rev/a0ac52ed8f79
		15
		16	Upstream-Status: Backport
		17	CVE: CVE-2016-1000110
		18	Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
		19	---
		20	Doc/howto/urllib2.rst \| 5 +++++
		21	Doc/library/urllib.request.rst \| 17 ++++++++++++++++-
		22	Lib/test/test_urllib.py \| 14 +++++++++++++-
		23	Lib/urllib/request.py \| 6 ++++++
		24	Misc/NEWS \| 4 ++++
		25	5 files changed, 44 insertions(+), 2 deletions(-)
		26
		27	diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst
		28	index 24a4156..d2c7991 100644
		29	--- a/Doc/howto/urllib2.rst
		30	+++ b/Doc/howto/urllib2.rst
		31	@@ -538,6 +538,11 @@ setting up a `Basic Authentication`_ handler: ::
		32	through a proxy. However, this can be enabled by extending urllib.request as
		33	shown in the recipe [#]_.
		34
		35	+.. note::
		36	+
		37	+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
		38	+ the documentation on :func:`~urllib.request.getproxies`.
		39	+
		40
		41	Sockets and Layers
		42	==================
		43	diff --git a/Doc/library/urllib.request.rst b/Doc/library/urllib.request.rst
		44	index 1338906..1291aeb 100644
		45	--- a/Doc/library/urllib.request.rst
		46	+++ b/Doc/library/urllib.request.rst
		47	@@ -173,6 +173,16 @@ The :mod:`urllib.request` module defines the following functions:
		48	If both lowercase and uppercase environment variables exist (and disagree),
		49	lowercase is preferred.
		50
		51	+ .. note::
		52	+
		53	+ If the environment variable ``REQUEST_METHOD`` is set, which usually
		54	+ indicates your script is running in a CGI environment, the environment
		55	+ variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
		56	+ because that variable can be injected by a client using the "Proxy:" HTTP
		57	+ header. If you need to use an HTTP proxy in a CGI environment, either use
		58	+ ``ProxyHandler`` explicitly, or make sure the variable name is in
		59	+ lowercase (or at least the ``_proxy`` suffix).
		60	+
		61
		62	The following classes are provided:
		63
		64	@@ -280,6 +290,11 @@ The following classes are provided:
		65	list of hostname suffixes, optionally with ``:port`` appended, for example
		66	``cern.ch,ncsa.uiuc.edu,some.host:8080``.
		67
		68	+ .. note::
		69	+
		70	+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
		71	+ see the documentation on :func:`~urllib.request.getproxies`.
		72	+
		73
		74	.. class:: HTTPPasswordMgr()
		75
		76	@@ -1138,7 +1153,7 @@ the returned bytes object to string once it determines or guesses
		77	the appropriate encoding.
		78
		79	The following W3C document, https://www.w3.org/International/O-charset\ , lists
		80	-the various ways in which a (X)HTML or a XML document could have specified its
		81	+the various ways in which an (X)HTML or an XML document could have specified its
		82	encoding information.
		83
		84	As the python.org website uses utf-8 encoding as specified in its meta tag, we
		85	diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
		86	index 5d05f8d..247598a 100644
		87	--- a/Lib/test/test_urllib.py
		88	+++ b/Lib/test/test_urllib.py
		89	@@ -1,4 +1,4 @@
		90	-"""Regresssion tests for what was in Python 2's "urllib" module"""
		91	+"""Regression tests for what was in Python 2's "urllib" module"""
		92
		93	import urllib.parse
		94	import urllib.request
		95	@@ -232,6 +232,18 @@ class ProxyTests(unittest.TestCase):
		96	self.assertTrue(urllib.request.proxy_bypass_environment('anotherdomain.com:8888'))
		97	self.assertTrue(urllib.request.proxy_bypass_environment('newdomain.com:1234'))
		98
		99	+ def test_proxy_cgi_ignore(self):
		100	+ try:
		101	+ self.env.set('HTTP_PROXY', 'http://somewhere:3128')
		102	+ proxies = urllib.request.getproxies_environment()
		103	+ self.assertEqual('http://somewhere:3128', proxies['http'])
		104	+ self.env.set('REQUEST_METHOD', 'GET')
		105	+ proxies = urllib.request.getproxies_environment()
		106	+ self.assertNotIn('http', proxies)
		107	+ finally:
		108	+ self.env.unset('REQUEST_METHOD')
		109	+ self.env.unset('HTTP_PROXY')
		110	+
		111	def test_proxy_bypass_environment_host_match(self):
		112	bypass = urllib.request.proxy_bypass_environment
		113	self.env.set('NO_PROXY',
		114	diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
		115	index 1731fe3..3be327d 100644
		116	--- a/Lib/urllib/request.py
		117	+++ b/Lib/urllib/request.py
		118	@@ -2412,6 +2412,12 @@ def getproxies_environment():
		119	name = name.lower()
		120	if value and name[-6:] == '_proxy':
		121	proxies[name[:-6]] = value
		122	+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
		123	+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
		124	+ # header from the client
		125	+ # If "proxy" is lowercase, it will still be used thanks to the next block
		126	+ if 'REQUEST_METHOD' in os.environ:
		127	+ proxies.pop('http', None)
		128	for name, value in os.environ.items():
		129	if name[-6:] == '_proxy':
		130	name = name.lower()
		131	diff --git a/Misc/NEWS b/Misc/NEWS
		132	index 4ad2551..2fcc95b 100644
		133	--- a/Misc/NEWS
		134	+++ b/Misc/NEWS
		135	@@ -329,6 +329,10 @@ Library
		136	- Issue #26644: Raise ValueError rather than SystemError when a negative
		137	length is passed to SSLSocket.recv() or read().
		138
		139	+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
		140	+ HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
		141	+ that the script is in CGI mode.
		142	+
		143	- Issue #23804: Fix SSL recv(0) and read(0) methods to return zero bytes
		144	instead of up to 1024.
		145
		146	--
		147	2.8.1
		148


diff --git a/meta/recipes-devtools/python/python3_3.5.2.bb b/meta/recipes-devtools/python/python3_3.5.2.bb index 456147d39e..e6cbb9c56d 100644 --- a/meta/recipes-devtools/python/python3_3.5.2.bb +++ b/meta/recipes-devtools/python/python3_3.5.2.bb
@@ -36,6 +36,7 @@ SRC_URI += "\
36	file://setup.py-check-cross_compiling-when-get-FLAGS.patch \	36	file://setup.py-check-cross_compiling-when-get-FLAGS.patch \
37	file://setup.py-find-libraries-in-staging-dirs.patch \	37	file://setup.py-find-libraries-in-staging-dirs.patch \
38	file://configure.ac-fix-LIBPL.patch \	38	file://configure.ac-fix-LIBPL.patch \
		39	file://python3-fix-CVE-2016-1000110.patch \
39	"	40	"
40	SRC_URI[md5sum] = "8906efbacfcdc7c3c9198aeefafd159e"	41	SRC_URI[md5sum] = "8906efbacfcdc7c3c9198aeefafd159e"
41	SRC_URI[sha256sum] = "0010f56100b9b74259ebcd5d4b295a32324b58b517403a10d1a2aa7cb22bca40"	42	SRC_URI[sha256sum] = "0010f56100b9b74259ebcd5d4b295a32324b58b517403a10d1a2aa7cb22bca40"


diff --git a/meta/recipes-devtools/python/python_2.7.12.bb b/meta/recipes-devtools/python/python_2.7.12.bb index 65b571719b..9fe35db2de 100644 --- a/meta/recipes-devtools/python/python_2.7.12.bb +++ b/meta/recipes-devtools/python/python_2.7.12.bb
@@ -26,6 +26,7 @@ SRC_URI += "\
26	file://parallel-makeinst-create-bindir.patch \	26	file://parallel-makeinst-create-bindir.patch \
27	file://use_sysroot_ncurses_instead_of_host.patch \	27	file://use_sysroot_ncurses_instead_of_host.patch \
28	file://add-CROSSPYTHONPATH-for-PYTHON_FOR_BUILD.patch \	28	file://add-CROSSPYTHONPATH-for-PYTHON_FOR_BUILD.patch \
		29	file://python-fix-CVE-2016-1000110.patch \
29	"	30	"
30		31
31	S = "${WORKDIR}/Python-${PV}"	32	S = "${WORKDIR}/Python-${PV}"