1 files changed, 127 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/bpo-35121-cve-2018-20852.patch b/meta/recipes-devtools/python/python/bpo-35121-cve-2018-20852.patch
new file mode 100644
index 0000000000..7ce7b1f9e0
--- /dev/null
+++ b/meta/recipes-devtools/python/python/bpo-35121-cve-2018-20852.patch
@@ -0,0 +1,127 @@
+From 1bd50d351e508b8947e5813c5f925eb4b61c8d76 Mon Sep 17 00:00:00 2001
+From: Xtreak <tir.karthi@gmail.com>
+Date: Sat, 15 Jun 2019 20:59:43 +0530
+Subject: [PATCH] [2.7] bpo-35121: prefix dot in domain for proper subdomain
+ validation (GH-10258) (GH-13426)
+This is a manual backport of ca7fe5063593958e5efdf90f068582837f07bd14 since 2.7 has `http.cookiejar` in `cookielib`
+https://bugs.python.org/issue35121
+CVE: CVE-2018-20852
+Upstream-Status: Accepted
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ Lib/cookielib.py                              | 13 ++++++--
+ Lib/test/test_cookielib.py                    | 30 +++++++++++++++++++
+ .../2019-05-20-00-35-12.bpo-35121.RRi-HU.rst  |  4 +++
+ 3 files changed, 45 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
+diff --git a/Lib/cookielib.py b/Lib/cookielib.py
+index 2dd7c48728..0b471a42f2 100644
+--- a/Lib/cookielib.py
+++ b/Lib/cookielib.py
+@@ -1139,6 +1139,11 @@ class DefaultCookiePolicy(CookiePolicy):
+         req_host, erhn = eff_request_host(request)
+         domain = cookie.domain
+ 
+        if domain and not domain.startswith("."):
+            dotdomain = "." + domain
+        else:
+            dotdomain = domain
+
+         # strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
+         if (cookie.version == 0 and
+             (self.strict_ns_domain & self.DomainStrictNonDomain) and
+@@ -1151,7 +1156,7 @@ class DefaultCookiePolicy(CookiePolicy):
+             _debug("   effective request-host name %s does not domain-match "
+                    "RFC 2965 cookie domain %s", erhn, domain)
+             return False
+-        if cookie.version == 0 and not ("."+erhn).endswith(domain):
+        if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
+             _debug("   request-host %s does not match Netscape cookie domain "
+                    "%s", req_host, domain)
+             return False
+@@ -1165,7 +1170,11 @@ class DefaultCookiePolicy(CookiePolicy):
+             req_host = "."+req_host
+         if not erhn.startswith("."):
+             erhn = "."+erhn
+-        if not (req_host.endswith(domain) or erhn.endswith(domain)):
+        if domain and not domain.startswith("."):
+            dotdomain = "." + domain
+        else:
+            dotdomain = domain
+        if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
+             #_debug("   request domain %s does not match cookie domain %s",
+             #       req_host, domain)
+             return False
+diff --git a/Lib/test/test_cookielib.py b/Lib/test/test_cookielib.py
+index f2dd9727d1..7f7ff614d6 100644
+--- a/Lib/test/test_cookielib.py
+++ b/Lib/test/test_cookielib.py
+@@ -368,6 +368,7 @@ class CookieTests(TestCase):
+             ("http://foo.bar.com/", ".foo.bar.com", True),
+             ("http://foo.bar.com/", "foo.bar.com", True),
+             ("http://foo.bar.com/", ".bar.com", True),
+            ("http://foo.bar.com/", "bar.com", True),
+             ("http://foo.bar.com/", "com", True),
+             ("http://foo.com/", "rhubarb.foo.com", False),
+             ("http://foo.com/", ".foo.com", True),
+@@ -378,6 +379,8 @@ class CookieTests(TestCase):
+             ("http://foo/", "foo", True),
+             ("http://foo/", "foo.local", True),
+             ("http://foo/", ".local", True),
+            ("http://barfoo.com", ".foo.com", False),
+            ("http://barfoo.com", "foo.com", False),
+             ]:
+             request = urllib2.Request(url)
+             r = pol.domain_return_ok(domain, request)
+@@ -938,6 +941,33 @@ class CookieTests(TestCase):
+         c.add_cookie_header(req)
+         self.assertFalse(req.has_header("Cookie"))
+ 
+        c.clear()
+
+        pol.set_blocked_domains([])
+        req = Request("http://acme.com/")
+        res = FakeResponse(headers, "http://acme.com/")
+        cookies = c.make_cookies(res, req)
+        c.extract_cookies(res, req)
+        self.assertEqual(len(c), 1)
+
+        req = Request("http://acme.com/")
+        c.add_cookie_header(req)
+        self.assertTrue(req.has_header("Cookie"))
+
+        req = Request("http://badacme.com/")
+        c.add_cookie_header(req)
+        self.assertFalse(pol.return_ok(cookies[0], req))
+        self.assertFalse(req.has_header("Cookie"))
+
+        p = pol.set_blocked_domains(["acme.com"])
+        req = Request("http://acme.com/")
+        c.add_cookie_header(req)
+        self.assertFalse(req.has_header("Cookie"))
+
+        req = Request("http://badacme.com/")
+        c.add_cookie_header(req)
+        self.assertFalse(req.has_header("Cookie"))
+
+     def test_secure(self):
+         from cookielib import CookieJar, DefaultCookiePolicy
+ 
+diff --git a/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
+new file mode 100644
+index 0000000000..7725180616
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
+@@ -0,0 +1,4 @@
+Don't send cookies of domain A without Domain attribute to domain B when
+domain A is a suffix match of domain B while using a cookiejar with
+:class:`cookielib.DefaultCookiePolicy` policy. Patch by Karthikeyan
+Singaravelan.
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8

diff --git a/meta/recipes-devtools/python/python/bpo-35121-cve-2018-20852.patch b/meta/recipes-devtools/python/python/bpo-35121-cve-2018-20852.patch new file mode 100644 index 0000000000..7ce7b1f9e0 --- /dev/null +++ b/meta/recipes-devtools/python/python/bpo-35121-cve-2018-20852.patch
@@ -0,0 +1,127 @@
	1	From 1bd50d351e508b8947e5813c5f925eb4b61c8d76 Mon Sep 17 00:00:00 2001
	2	From: Xtreak <tir.karthi@gmail.com>
	3	Date: Sat, 15 Jun 2019 20:59:43 +0530
	4	Subject: [PATCH] [2.7] bpo-35121: prefix dot in domain for proper subdomain
	5	validation (GH-10258) (GH-13426)
	6
	7	This is a manual backport of ca7fe5063593958e5efdf90f068582837f07bd14 since 2.7 has `http.cookiejar` in `cookielib`
	8
	9	https://bugs.python.org/issue35121
	10
	11	CVE: CVE-2018-20852
	12	Upstream-Status: Accepted
	13
	14	Signed-off-by: Dan Tran <dantran@microsoft.com>
	15	---
	16	Lib/cookielib.py \| 13 ++++++--
	17	Lib/test/test_cookielib.py \| 30 +++++++++++++++++++
	18	.../2019-05-20-00-35-12.bpo-35121.RRi-HU.rst \| 4 +++
	19	3 files changed, 45 insertions(+), 2 deletions(-)
	20	create mode 100644 Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
	21
	22	diff --git a/Lib/cookielib.py b/Lib/cookielib.py
	23	index 2dd7c48728..0b471a42f2 100644
	24	--- a/Lib/cookielib.py
	25	+++ b/Lib/cookielib.py
	26	@@ -1139,6 +1139,11 @@ class DefaultCookiePolicy(CookiePolicy):
	27	req_host, erhn = eff_request_host(request)
	28	domain = cookie.domain
	29
	30	+ if domain and not domain.startswith("."):
	31	+ dotdomain = "." + domain
	32	+ else:
	33	+ dotdomain = domain
	34	+
	35	# strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
	36	if (cookie.version == 0 and
	37	(self.strict_ns_domain & self.DomainStrictNonDomain) and
	38	@@ -1151,7 +1156,7 @@ class DefaultCookiePolicy(CookiePolicy):
	39	_debug(" effective request-host name %s does not domain-match "
	40	"RFC 2965 cookie domain %s", erhn, domain)
	41	return False
	42	- if cookie.version == 0 and not ("."+erhn).endswith(domain):
	43	+ if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
	44	_debug(" request-host %s does not match Netscape cookie domain "
	45	"%s", req_host, domain)
	46	return False
	47	@@ -1165,7 +1170,11 @@ class DefaultCookiePolicy(CookiePolicy):
	48	req_host = "."+req_host
	49	if not erhn.startswith("."):
	50	erhn = "."+erhn
	51	- if not (req_host.endswith(domain) or erhn.endswith(domain)):
	52	+ if domain and not domain.startswith("."):
	53	+ dotdomain = "." + domain
	54	+ else:
	55	+ dotdomain = domain
	56	+ if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
	57	#_debug(" request domain %s does not match cookie domain %s",
	58	# req_host, domain)
	59	return False
	60	diff --git a/Lib/test/test_cookielib.py b/Lib/test/test_cookielib.py
	61	index f2dd9727d1..7f7ff614d6 100644
	62	--- a/Lib/test/test_cookielib.py
	63	+++ b/Lib/test/test_cookielib.py
	64	@@ -368,6 +368,7 @@ class CookieTests(TestCase):
	65	("http://foo.bar.com/", ".foo.bar.com", True),
	66	("http://foo.bar.com/", "foo.bar.com", True),
	67	("http://foo.bar.com/", ".bar.com", True),
	68	+ ("http://foo.bar.com/", "bar.com", True),
	69	("http://foo.bar.com/", "com", True),
	70	("http://foo.com/", "rhubarb.foo.com", False),
	71	("http://foo.com/", ".foo.com", True),
	72	@@ -378,6 +379,8 @@ class CookieTests(TestCase):
	73	("http://foo/", "foo", True),
	74	("http://foo/", "foo.local", True),
	75	("http://foo/", ".local", True),
	76	+ ("http://barfoo.com", ".foo.com", False),
	77	+ ("http://barfoo.com", "foo.com", False),
	78	]:
	79	request = urllib2.Request(url)
	80	r = pol.domain_return_ok(domain, request)
	81	@@ -938,6 +941,33 @@ class CookieTests(TestCase):
	82	c.add_cookie_header(req)
	83	self.assertFalse(req.has_header("Cookie"))
	84
	85	+ c.clear()
	86	+
	87	+ pol.set_blocked_domains([])
	88	+ req = Request("http://acme.com/")
	89	+ res = FakeResponse(headers, "http://acme.com/")
	90	+ cookies = c.make_cookies(res, req)
	91	+ c.extract_cookies(res, req)
	92	+ self.assertEqual(len(c), 1)
	93	+
	94	+ req = Request("http://acme.com/")
	95	+ c.add_cookie_header(req)
	96	+ self.assertTrue(req.has_header("Cookie"))
	97	+
	98	+ req = Request("http://badacme.com/")
	99	+ c.add_cookie_header(req)
	100	+ self.assertFalse(pol.return_ok(cookies[0], req))
	101	+ self.assertFalse(req.has_header("Cookie"))
	102	+
	103	+ p = pol.set_blocked_domains(["acme.com"])
	104	+ req = Request("http://acme.com/")
	105	+ c.add_cookie_header(req)
	106	+ self.assertFalse(req.has_header("Cookie"))
	107	+
	108	+ req = Request("http://badacme.com/")
	109	+ c.add_cookie_header(req)
	110	+ self.assertFalse(req.has_header("Cookie"))
	111	+
	112	def test_secure(self):
	113	from cookielib import CookieJar, DefaultCookiePolicy
	114
	115	diff --git a/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
	116	new file mode 100644
	117	index 0000000000..7725180616
	118	--- /dev/null
	119	+++ b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
	120	@@ -0,0 +1,4 @@
	121	+Don't send cookies of domain A without Domain attribute to domain B when
	122	+domain A is a suffix match of domain B while using a cookiejar with
	123	+:class:`cookielib.DefaultCookiePolicy` policy. Patch by Karthikeyan
	124	+Singaravelan.
	125	--
	126	2.22.0.vfs.1.1.57.gbaf16c8
	127