summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorNitin A Kamble <nitin.a.kamble@intel.com>2011-07-19 15:42:48 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2011-07-22 11:51:05 +0100
commit9d4f709a454bb66729a629f6a9dfe3d04e068971 (patch)
tree958a132cca71b4e9a9af695c1c6d5b98abba66a1 /meta
parenta70c1f6f78a8c349dcee284d82eaec876ebc4086 (diff)
downloadpoky-9d4f709a454bb66729a629f6a9dfe3d04e068971.tar.gz
python: fix security vulnerability
This Fixes bug: [Yocto #1254] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1015 Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are now collapsed within the url properly before looking in cgi_directories. (From OE-Core rev: 43e7ec07065e58128819b0bb359358ce42628672) Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-devtools/python/python.inc2
-rw-r--r--meta/recipes-devtools/python/python/security_issue_2254_fix.patch184
-rw-r--r--meta/recipes-devtools/python/python_2.6.6.bb1
3 files changed, 186 insertions, 1 deletions
diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
index 25a458ef13..a6cc91789c 100644
--- a/meta/recipes-devtools/python/python.inc
+++ b/meta/recipes-devtools/python/python.inc
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.python.org"
3LICENSE = "PSF" 3LICENSE = "PSF"
4SECTION = "devel/python" 4SECTION = "devel/python"
5# bump this on every change in contrib/python/generate-manifest-2.6.py 5# bump this on every change in contrib/python/generate-manifest-2.6.py
6INC_PR = "nk2" 6INC_PR = "r2"
7 7
8DEFAULT_PREFERENCE = "-26" 8DEFAULT_PREFERENCE = "-26"
9 9
diff --git a/meta/recipes-devtools/python/python/security_issue_2254_fix.patch b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch
new file mode 100644
index 0000000000..f0328585d5
--- /dev/null
+++ b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch
@@ -0,0 +1,184 @@
1Upstream-Status: Backport
2http://svn.python.org/view?view=revision&revision=71303
3
4Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are
5 now collapsed within the url properly before looking in cgi_directories.
6Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com>
72011/07/19
8
9Index: Python-2.6.6/Lib/CGIHTTPServer.py
10===================================================================
11--- Python-2.6.6.orig/Lib/CGIHTTPServer.py
12+++ Python-2.6.6/Lib/CGIHTTPServer.py
13@@ -70,27 +70,20 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
14 return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)
15
16 def is_cgi(self):
17- """Test whether self.path corresponds to a CGI script,
18- and return a boolean.
19+ """Test whether self.path corresponds to a CGI script.
20
21- This function sets self.cgi_info to a tuple (dir, rest)
22- when it returns True, where dir is the directory part before
23- the CGI script name. Note that rest begins with a
24- slash if it is not empty.
25-
26- The default implementation tests whether the path
27- begins with one of the strings in the list
28- self.cgi_directories (and the next character is a '/'
29- or the end of the string).
30+ Returns True and updates the cgi_info attribute to the tuple
31+ (dir, rest) if self.path requires running a CGI script.
32+ Returns False otherwise.
33+
34+ The default implementation tests whether the normalized url
35+ path begins with one of the strings in self.cgi_directories
36+ (and the next character is a '/' or the end of the string).
37 """
38-
39- path = self.path
40-
41- for x in self.cgi_directories:
42- i = len(x)
43- if path[:i] == x and (not path[i:] or path[i] == '/'):
44- self.cgi_info = path[:i], path[i+1:]
45- return True
46+ splitpath = _url_collapse_path_split(self.path)
47+ if splitpath[0] in self.cgi_directories:
48+ self.cgi_info = splitpath
49+ return True
50 return False
51
52 cgi_directories = ['/cgi-bin', '/htbin']
53@@ -299,6 +292,46 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
54 self.log_message("CGI script exited OK")
55
56
57+# TODO(gregory.p.smith): Move this into an appropriate library.
58+def _url_collapse_path_split(path):
59+ """
60+ Given a URL path, remove extra '/'s and '.' path elements and collapse
61+ any '..' references.
62+
63+ Implements something akin to RFC-2396 5.2 step 6 to parse relative paths.
64+
65+ Returns: A tuple of (head, tail) where tail is everything after the final /
66+ and head is everything before it. Head will always start with a '/' and,
67+ if it contains anything else, never have a trailing '/'.
68+
69+ Raises: IndexError if too many '..' occur within the path.
70+ """
71+ # Similar to os.path.split(os.path.normpath(path)) but specific to URL
72+ # path semantics rather than local operating system semantics.
73+ path_parts = []
74+ for part in path.split('/'):
75+ if part == '.':
76+ path_parts.append('')
77+ else:
78+ path_parts.append(part)
79+ # Filter out blank non trailing parts before consuming the '..'.
80+ path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:]
81+ if path_parts:
82+ tail_part = path_parts.pop()
83+ else:
84+ tail_part = ''
85+ head_parts = []
86+ for part in path_parts:
87+ if part == '..':
88+ head_parts.pop()
89+ else:
90+ head_parts.append(part)
91+ if tail_part and tail_part == '..':
92+ head_parts.pop()
93+ tail_part = ''
94+ return ('/' + '/'.join(head_parts), tail_part)
95+
96+
97 nobody = None
98
99 def nobody_uid():
100Index: Python-2.6.6/Lib/test/test_httpservers.py
101===================================================================
102--- Python-2.6.6.orig/Lib/test/test_httpservers.py
103+++ Python-2.6.6/Lib/test/test_httpservers.py
104@@ -7,6 +7,7 @@ Josip Dzolonga, and Michael Otteneder fo
105 from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
106 from SimpleHTTPServer import SimpleHTTPRequestHandler
107 from CGIHTTPServer import CGIHTTPRequestHandler
108+import CGIHTTPServer
109
110 import os
111 import sys
112@@ -324,6 +325,45 @@ class CGIHTTPServerTestCase(BaseTestCase
113 finally:
114 BaseTestCase.tearDown(self)
115
116+ def test_url_collapse_path_split(self):
117+ test_vectors = {
118+ '': ('/', ''),
119+ '..': IndexError,
120+ '/.//..': IndexError,
121+ '/': ('/', ''),
122+ '//': ('/', ''),
123+ '/\\': ('/', '\\'),
124+ '/.//': ('/', ''),
125+ 'cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
126+ '/cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
127+ 'a': ('/', 'a'),
128+ '/a': ('/', 'a'),
129+ '//a': ('/', 'a'),
130+ './a': ('/', 'a'),
131+ './C:/': ('/C:', ''),
132+ '/a/b': ('/a', 'b'),
133+ '/a/b/': ('/a/b', ''),
134+ '/a/b/c/..': ('/a/b', ''),
135+ '/a/b/c/../d': ('/a/b', 'd'),
136+ '/a/b/c/../d/e/../f': ('/a/b/d', 'f'),
137+ '/a/b/c/../d/e/../../f': ('/a/b', 'f'),
138+ '/a/b/c/../d/e/.././././..//f': ('/a/b', 'f'),
139+ '../a/b/c/../d/e/.././././..//f': IndexError,
140+ '/a/b/c/../d/e/../../../f': ('/a', 'f'),
141+ '/a/b/c/../d/e/../../../../f': ('/', 'f'),
142+ '/a/b/c/../d/e/../../../../../f': IndexError,
143+ '/a/b/c/../d/e/../../../../f/..': ('/', ''),
144+ }
145+ for path, expected in test_vectors.iteritems():
146+ if isinstance(expected, type) and issubclass(expected, Exception):
147+ self.assertRaises(expected,
148+ CGIHTTPServer._url_collapse_path_split, path)
149+ else:
150+ actual = CGIHTTPServer._url_collapse_path_split(path)
151+ self.assertEquals(expected, actual,
152+ msg='path = %r\nGot: %r\nWanted: %r' % (
153+ path, actual, expected))
154+
155 def test_headers_and_content(self):
156 res = self.request('/cgi-bin/file1.py')
157 self.assertEquals(('Hello World\n', 'text/html', 200), \
158@@ -348,6 +388,12 @@ class CGIHTTPServerTestCase(BaseTestCase
159 self.assertEquals(('Hello World\n', 'text/html', 200), \
160 (res.read(), res.getheader('Content-type'), res.status))
161
162+ def test_no_leading_slash(self):
163+ # http://bugs.python.org/issue2254
164+ res = self.request('cgi-bin/file1.py')
165+ self.assertEquals(('Hello World\n', 'text/html', 200),
166+ (res.read(), res.getheader('Content-type'), res.status))
167+
168
169 def test_main(verbose=None):
170 cwd = os.getcwd()
171Index: Python-2.6.6/Misc/NEWS
172===================================================================
173--- Python-2.6.6.orig/Misc/NEWS
174+++ Python-2.6.6/Misc/NEWS
175@@ -137,6 +137,9 @@ C-API
176 Library
177 -------
178
179+- Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are
180+ now collapsed within the url properly before looking in cgi_directories.
181+
182 - Issue #8447: Make distutils.sysconfig follow symlinks in the path to
183 the interpreter executable. This fixes a failure of test_httpservers
184 on OS X.
diff --git a/meta/recipes-devtools/python/python_2.6.6.bb b/meta/recipes-devtools/python/python_2.6.6.bb
index 598fea8143..f71440a592 100644
--- a/meta/recipes-devtools/python/python_2.6.6.bb
+++ b/meta/recipes-devtools/python/python_2.6.6.bb
@@ -19,6 +19,7 @@ SRC_URI = "\
19 file://99-ignore-optimization-flag.patch \ 19 file://99-ignore-optimization-flag.patch \
20 ${DISTRO_SRC_URI} \ 20 ${DISTRO_SRC_URI} \
21 file://multilib.patch \ 21 file://multilib.patch \
22 file://security_issue_2254_fix.patch \
22" 23"
23 24
24SRC_URI[md5sum] = "cf4e6881bb84a7ce6089e4a307f71f14" 25SRC_URI[md5sum] = "cf4e6881bb84a7ce6089e4a307f71f14"