path: root/meta/recipes-devtools/python/python/CVE-2016-1000110.patch
Diffstat (limited to 'meta/recipes-devtools/python/python/CVE-2016-1000110.patch')
-rw-r--r-- meta/recipes-devtools/python/python/CVE-2016-1000110.patch 132
1 files changed, 70 insertions, 62 deletions
diff --git a/meta/recipes-devtools/python/python/CVE-2016-1000110.patch b/meta/recipes-devtools/python/python/CVE-2016-1000110.patch
index 071175acec..71e00e752e 100644
--- a/meta/recipes-devtools/python/python/CVE-2016-1000110.patch
+++ b/meta/recipes-devtools/python/python/CVE-2016-1000110.patch
@@ -1,21 +1,26 @@
1From 5be8d3e97b1d2e526548cb346fd5f8980d31616a Mon Sep 17 00:00:00 2001 1From cb25fbd5abc0f4eb07dbb8ea819e9c26bda4fc99 Mon Sep 17 00:00:00 2001
2From: Senthil Kumaran <senthil@uthcode.com> 2From: Senthil Kumaran <senthil@uthcode.com>
3Date: Sat, 30 Jul 2016 05:49:53 -0700 3Date: Sat, 30 Jul 2016 05:49:53 -0700
4Subject: [PATCH] Prevent HTTPoxy attack (CVE-2016-1000110) 4Subject: [PATCH] python: fix CVE-2016-1000110
5MIME-Version: 1.0 5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8 6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit 7Content-Transfer-Encoding: 8bit
8 8
9Prevent HTTPoxy attack (CVE-2016-1000110)
10
9Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which 11Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
10indicates that the script is in CGI mode. 12indicates that the script is in CGI mode.
11 13
12Issue reported and patch contributed by Rémi Rampin. 14Issue reported and patch contributed by Rémi Rampin.
13 15
16Backport patch from https://hg.python.org/cpython/rev/ba915d561667/
17
14Upstream-Status: Backport 18Upstream-Status: Backport
15CVE: CVE-2016-1000110 19CVE: CVE-2016-1000110
20Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
16 21
17Signed-off-by: Armin Kuster <akuster@mvista.com> 22Copied this file from morty since the old one didn't apply to python 2.7.12.
18 23Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
19--- 24---
20 Doc/howto/urllib2.rst | 5 +++++ 25 Doc/howto/urllib2.rst | 5 +++++
21 Doc/library/urllib.rst | 10 ++++++++++ 26 Doc/library/urllib.rst | 10 ++++++++++
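Review bot: the free-form line "Copied this file from morty since the old one didn't apply to python 2.7.12." (new line 22) is placed between the two Signed-off-by trailers, which splits the trailer block; move it above "Upstream-Status: Backport", next to the "Backport patch from https://hg.python.org/cpython/rev/ba915d561667/" line where the provenance already lives, so that Upstream-Status, CVE and both Signed-off-by lines form one contiguous trailer block. Replacing the upstream subject "Prevent HTTPoxy attack (CVE-2016-1000110)" with "python: fix CVE-2016-1000110" is fine, since the original subject is kept as the first body line.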
@@ -26,11 +31,11 @@ Signed-off-by: Armin Kuster <akuster@mvista.com>
26 Misc/NEWS | 4 ++++ 31 Misc/NEWS | 4 ++++
27 7 files changed, 46 insertions(+) 32 7 files changed, 46 insertions(+)
28 33
29Index: Python-2.7.11/Doc/howto/urllib2.rst 34diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst
30=================================================================== 35index 6bb06d4..5cf2c0c 100644
31--- Python-2.7.11.orig/Doc/howto/urllib2.rst 36--- a/Doc/howto/urllib2.rst
32+++ Python-2.7.11/Doc/howto/urllib2.rst 37+++ b/Doc/howto/urllib2.rst
33@@ -523,6 +523,11 @@ setting up a `Basic Authentication`_ han 38@@ -525,6 +525,11 @@ setting up a `Basic Authentication`_ handler: ::
34 through a proxy. However, this can be enabled by extending urllib2 as 39 through a proxy. However, this can be enabled by extending urllib2 as
35 shown in the recipe [#]_. 40 shown in the recipe [#]_.
36 41
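Review bot: the file headers change from quilt-style `Index:` / `--- Python-2.7.11.orig/...` to git-style `diff --git` / `--- a/...`; both apply at the recipe's default strip level (-p1), so no recipe change is needed. Note, though, that the `index 6bb06d4..5cf2c0c 100644` blob ids come from the git mirror while the header cites an hg revision URL; that is harmless to `patch`, but those ids are not resolvable against https://hg.python.org, so the header is the only usable provenance pointer.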
@@ -42,13 +47,13 @@ Index: Python-2.7.11/Doc/howto/urllib2.rst
42 47
43 Sockets and Layers 48 Sockets and Layers
44 ================== 49 ==================
45Index: Python-2.7.11/Doc/library/urllib.rst 50diff --git a/Doc/library/urllib.rst b/Doc/library/urllib.rst
46=================================================================== 51index 3b5dc16..bddcba9 100644
47--- Python-2.7.11.orig/Doc/library/urllib.rst 52--- a/Doc/library/urllib.rst
48+++ Python-2.7.11/Doc/library/urllib.rst 53+++ b/Doc/library/urllib.rst
49@@ -293,6 +293,16 @@ Utility functions 54@@ -295,6 +295,16 @@ Utility functions
50 find it, looks for proxy information from Mac OSX System Configuration for 55 If both lowercase and uppercase environment variables exist (and disagree),
51 Mac OS X and Windows Systems Registry for Windows. 56 lowercase is preferred.
52 57
53+ .. note:: 58+ .. note::
54+ 59+
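Review bot: the context under which the new `.. note::` is inserted changed from the Mac OS X / Windows registry lookup sentence to "If both lowercase and uppercase environment variables exist (and disagree), lowercase is preferred.", so the note now directly follows a case-preference rule; check in the full file that the note text (elided here) states the CGI condition, namely that `HTTP_PROXY` is ignored when `REQUEST_METHOD` is set, so that readers do not take the lowercase-preference sentence as the whole story for CGI scripts.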
@@ -62,11 +67,11 @@ Index: Python-2.7.11/Doc/library/urllib.rst
62+ 67+
63 .. note:: 68 .. note::
64 urllib also exposes certain utility functions like splittype, splithost and 69 urllib also exposes certain utility functions like splittype, splithost and
65 others parsing url into various components. But it is recommended to use 70 others parsing URL into various components. But it is recommended to use
66Index: Python-2.7.11/Doc/library/urllib2.rst 71diff --git a/Doc/library/urllib2.rst b/Doc/library/urllib2.rst
67=================================================================== 72index 8a4c80e..b808b98 100644
68--- Python-2.7.11.orig/Doc/library/urllib2.rst 73--- a/Doc/library/urllib2.rst
69+++ Python-2.7.11/Doc/library/urllib2.rst 74+++ b/Doc/library/urllib2.rst
70@@ -229,6 +229,11 @@ The following classes are provided: 75@@ -229,6 +229,11 @@ The following classes are provided:
71 76
72 To disable autodetected proxy pass an empty dictionary. 77 To disable autodetected proxy pass an empty dictionary.
@@ -79,25 +84,13 @@ Index: Python-2.7.11/Doc/library/urllib2.rst
79 84
80 .. class:: HTTPPasswordMgr() 85 .. class:: HTTPPasswordMgr()
81 86
82Index: Python-2.7.11/Misc/ACKS 87diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
83=================================================================== 88index 434d533..27a1d38 100644
84--- Python-2.7.11.orig/Misc/ACKS 89--- a/Lib/test/test_urllib.py
85+++ Python-2.7.11/Misc/ACKS 90+++ b/Lib/test/test_urllib.py
86@@ -1110,6 +1110,7 @@ Jérôme Radix 91@@ -170,6 +170,18 @@ class ProxyTests(unittest.TestCase):
87 Burton Radons 92 self.assertTrue(urllib.proxy_bypass_environment('anotherdomain.com:8888'))
88 Jeff Ramnani 93 self.assertTrue(urllib.proxy_bypass_environment('newdomain.com:1234'))
89 Brodie Rao
90+Rémi Rampin
91 Senko Rasic
92 Antti Rasinen
93 Nikolaus Rath
94Index: Python-2.7.11/Lib/test/test_urllib.py
95===================================================================
96--- Python-2.7.11.orig/Lib/test/test_urllib.py
97+++ Python-2.7.11/Lib/test/test_urllib.py
98@@ -162,6 +162,18 @@ class ProxyTests(unittest.TestCase):
99 self.assertTrue(urllib.proxy_bypass_environment('anotherdomain.com'))
100
101 94
102+ def test_proxy_cgi_ignore(self): 95+ def test_proxy_cgi_ignore(self):
103+ try: 96+ try:
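Review bot: the test added here, `test_proxy_cgi_ignore`, covers (as its name and its cleanup of `REQUEST_METHOD` and `HTTP_PROXY` indicate) only the negative case, that an uppercase `HTTP_PROXY` is ignored when `REQUEST_METHOD` is set; add a companion assertion that a lowercase `http_proxy` set in the same CGI environment is still returned by `getproxies_environment()`, because the fix is an ordering dependency in urllib.py (the pop happens before the lowercase pass) and a positive-case test is what would catch a future rebase placing it after that pass. The relocation of the Misc/ACKS hunk to after Lib/ is only git's file ordering and changes nothing; the hunk header shift from 162 to 170 reflects the port-aware bypass tests ('anotherdomain.com:8888', 'newdomain.com:1234') now present in the 2.7.12 base.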
@@ -111,16 +104,16 @@ Index: Python-2.7.11/Lib/test/test_urllib.py
111+ self.env.unset('REQUEST_METHOD') 104+ self.env.unset('REQUEST_METHOD')
112+ self.env.unset('HTTP_PROXY') 105+ self.env.unset('HTTP_PROXY')
113+ 106+
114 class urlopen_HttpTests(unittest.TestCase, FakeHTTPMixin): 107 def test_proxy_bypass_environment_host_match(self):
115 """Test urlopen() opening a fake http connection.""" 108 bypass = urllib.proxy_bypass_environment
116 109 self.env.set('NO_PROXY',
117Index: Python-2.7.11/Lib/urllib.py 110diff --git a/Lib/urllib.py b/Lib/urllib.py
118=================================================================== 111index 139fab9..c3ba2c9 100644
119--- Python-2.7.11.orig/Lib/urllib.py 112--- a/Lib/urllib.py
120+++ Python-2.7.11/Lib/urllib.py 113+++ b/Lib/urllib.py
121@@ -1382,11 +1382,21 @@ def getproxies_environment(): 114@@ -1380,12 +1380,21 @@ def getproxies_environment():
115 If you need a different way, you can pass a proxies dictionary to the
122 [Fancy]URLopener constructor. 116 [Fancy]URLopener constructor.
123
124 """ 117 """
125+ # Get all variables 118+ # Get all variables
126 proxies = {} 119 proxies = {}
@@ -128,7 +121,7 @@ Index: Python-2.7.11/Lib/urllib.py
128 name = name.lower() 121 name = name.lower()
129 if value and name[-6:] == '_proxy': 122 if value and name[-6:] == '_proxy':
130 proxies[name[:-6]] = value 123 proxies[name[:-6]] = value
131+ 124
132+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY 125+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
133+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:" 126+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
134+ # header from the client 127+ # header from the client
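Review bot: the blank line before the `# CVE-2016-1000110` comment changes from an added line (old 131+) to an existing context line (new 124), so the regenerated hunk no longer introduces it; nothing to fix there, but the comment itself should state the ordering dependency explicitly, e.g. "must run after the mixed-case pass and before the lowercase pass below", because the correctness of the following `proxies.pop('http', None)` relies entirely on that placement.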
@@ -137,21 +130,36 @@ Index: Python-2.7.11/Lib/urllib.py
137+ proxies.pop('http', None) 130+ proxies.pop('http', None)
138+ 131+
139+ # Get lowercase variables 132+ # Get lowercase variables
140 return proxies 133 for name, value in os.environ.items():
141 134 if name[-6:] == '_proxy':
142 def proxy_bypass_environment(host): 135 name = name.lower()
143Index: Python-2.7.11/Misc/NEWS 136diff --git a/Misc/ACKS b/Misc/ACKS
144=================================================================== 137index ee3a465..9c374b7 100644
145--- Python-2.7.11.orig/Misc/NEWS 138--- a/Misc/ACKS
146+++ Python-2.7.11/Misc/NEWS 139+++ b/Misc/ACKS
147@@ -10,6 +10,10 @@ What's New in Python 2.7.11? 140@@ -1121,6 +1121,7 @@ Burton Radons
148 Library 141 Jeff Ramnani
149 ------- 142 Varpu Rantala
143 Brodie Rao
144+Rémi Rampin
145 Senko Rasic
146 Antti Rasinen
147 Nikolaus Rath
148diff --git a/Misc/NEWS b/Misc/NEWS
149index 4ab3a70..cc2f65b 100644
150--- a/Misc/NEWS
151+++ b/Misc/NEWS
152@@ -187,6 +187,10 @@ Library
153 - Issue #26644: Raise ValueError rather than SystemError when a negative
154 length is passed to SSLSocket.recv() or read().
150 155
151+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the 156+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
152+ HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates 157+ HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
153+ that the script is in CGI mode. 158+ that the script is in CGI mode.
154+ 159+
155 - Issue #25624: ZipFile now always writes a ZIP_STORED header for directory 160 - Issue #23804: Fix SSL recv(0) and read(0) methods to return zero bytes
156 entries. Patch by Dingyuan Wang. 161 instead of up to 1024.
157 162
163--
1642.8.1
165
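Review bot: `proxies.pop('http', None)` sits between the mixed-case pass and the `# Get lowercase variables` loop that follows it in the 2.7.12 base, which is the correct position: it drops an `http` entry that can only have come from a non-lowercase variable such as the CGI-injected `HTTP_PROXY`, while a lowercase `http_proxy` set by the administrator is read afterwards and kept; anyone rebasing this patch again must preserve that order. The Misc/NEWS hunk (now at `@@ -187,6 +187,10 @@`, between the #26644 and #23804 entries) and the Misc/ACKS hunk are the parts most likely to stop applying on the next python version bump, as happened going from 2.7.11 to 2.7.12; consider dropping both from the recipe's copy of the patch, since the CVE is already recorded by the `CVE:` tag in the header.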