1 files changed, 129 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3/CVE-2018-20852.patch b/meta/recipes-devtools/python/python3/CVE-2018-20852.patch
new file mode 100644
index 0000000000..82a114f29d
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2018-20852.patch
@@ -0,0 +1,129 @@
+From 31c16d62fc762ab87e66e7f47e36dbfcfc8b5224 Mon Sep 17 00:00:00 2001
+From: Xtreak <tir.karthi@gmail.com>
+Date: Sun, 17 Mar 2019 05:33:39 +0530
+Subject: [PATCH] [3.5] bpo-35121: prefix dot in domain for proper subdomain
+ validation (GH-10258) (#12281)
+Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy.  Patch by Karthikeyan Singaravelan.
+(cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14)
+Co-authored-by: Xtreak <tir.karthi@gmail.com>
+CVE: CVE-2018-20852
+Upstream-Status: Backport
+[https://github.com/python/cpython/commit/4749f1b69000259e23b4cc6f63c542a9bdc62f1b]
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ Lib/http/cookiejar.py                         | 13 ++++++--
+ Lib/test/test_http_cookiejar.py               | 30 +++++++++++++++++++
+ .../2018-10-31-15-39-17.bpo-35121.EgHv9k.rst  |  4 +++
+ 3 files changed, 45 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
+diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py
+index 6d4572af03..1cc9378ae4 100644
+--- a/Lib/http/cookiejar.py
+++ b/Lib/http/cookiejar.py
+@@ -1148,6 +1148,11 @@ class DefaultCookiePolicy(CookiePolicy):
+         req_host, erhn = eff_request_host(request)
+         domain = cookie.domain
+ 
+        if domain and not domain.startswith("."):
+            dotdomain = "." + domain
+        else:
+            dotdomain = domain
+
+         # strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
+         if (cookie.version == 0 and
+             (self.strict_ns_domain & self.DomainStrictNonDomain) and
+@@ -1160,7 +1165,7 @@ class DefaultCookiePolicy(CookiePolicy):
+             _debug("   effective request-host name %s does not domain-match "
+                    "RFC 2965 cookie domain %s", erhn, domain)
+             return False
+-        if cookie.version == 0 and not ("."+erhn).endswith(domain):
+        if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
+             _debug("   request-host %s does not match Netscape cookie domain "
+                    "%s", req_host, domain)
+             return False
+@@ -1174,7 +1179,11 @@ class DefaultCookiePolicy(CookiePolicy):
+             req_host = "."+req_host
+         if not erhn.startswith("."):
+             erhn = "."+erhn
+-        if not (req_host.endswith(domain) or erhn.endswith(domain)):
+        if domain and not domain.startswith("."):
+            dotdomain = "." + domain
+        else:
+            dotdomain = domain
+        if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
+             #_debug("   request domain %s does not match cookie domain %s",
+             #       req_host, domain)
+             return False
+diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py
+index 49c01ae489..e67e6ae780 100644
+--- a/Lib/test/test_http_cookiejar.py
+++ b/Lib/test/test_http_cookiejar.py
+@@ -417,6 +417,7 @@ class CookieTests(unittest.TestCase):
+             ("http://foo.bar.com/", ".foo.bar.com", True),
+             ("http://foo.bar.com/", "foo.bar.com", True),
+             ("http://foo.bar.com/", ".bar.com", True),
+            ("http://foo.bar.com/", "bar.com", True),
+             ("http://foo.bar.com/", "com", True),
+             ("http://foo.com/", "rhubarb.foo.com", False),
+             ("http://foo.com/", ".foo.com", True),
+@@ -427,6 +428,8 @@ class CookieTests(unittest.TestCase):
+             ("http://foo/", "foo", True),
+             ("http://foo/", "foo.local", True),
+             ("http://foo/", ".local", True),
+            ("http://barfoo.com", ".foo.com", False),
+            ("http://barfoo.com", "foo.com", False),
+             ]:
+             request = urllib.request.Request(url)
+             r = pol.domain_return_ok(domain, request)
+@@ -961,6 +964,33 @@ class CookieTests(unittest.TestCase):
+         c.add_cookie_header(req)
+         self.assertFalse(req.has_header("Cookie"))
+ 
+        c.clear()
+
+        pol.set_blocked_domains([])
+        req = urllib.request.Request("http://acme.com/")
+        res = FakeResponse(headers, "http://acme.com/")
+        cookies = c.make_cookies(res, req)
+        c.extract_cookies(res, req)
+        self.assertEqual(len(c), 1)
+
+        req = urllib.request.Request("http://acme.com/")
+        c.add_cookie_header(req)
+        self.assertTrue(req.has_header("Cookie"))
+
+        req = urllib.request.Request("http://badacme.com/")
+        c.add_cookie_header(req)
+        self.assertFalse(pol.return_ok(cookies[0], req))
+        self.assertFalse(req.has_header("Cookie"))
+
+        p = pol.set_blocked_domains(["acme.com"])
+        req = urllib.request.Request("http://acme.com/")
+        c.add_cookie_header(req)
+        self.assertFalse(req.has_header("Cookie"))
+
+        req = urllib.request.Request("http://badacme.com/")
+        c.add_cookie_header(req)
+        self.assertFalse(req.has_header("Cookie"))
+
+     def test_secure(self):
+         for ns in True, False:
+             for whitespace in " ", "":
+diff --git a/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
+new file mode 100644
+index 0000000000..d2eb8f1f35
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
+@@ -0,0 +1,4 @@
+Don't send cookies of domain A without Domain attribute to domain B
+when domain A is a suffix match of domain B while using a cookiejar
+with :class:`http.cookiejar.DefaultCookiePolicy` policy. Patch by
+Karthikeyan Singaravelan.
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8

diff --git a/meta/recipes-devtools/python/python3/CVE-2018-20852.patch b/meta/recipes-devtools/python/python3/CVE-2018-20852.patch new file mode 100644 index 0000000000..82a114f29d --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2018-20852.patch
@@ -0,0 +1,129 @@
	1	From 31c16d62fc762ab87e66e7f47e36dbfcfc8b5224 Mon Sep 17 00:00:00 2001
	2	From: Xtreak <tir.karthi@gmail.com>
	3	Date: Sun, 17 Mar 2019 05:33:39 +0530
	4	Subject: [PATCH] [3.5] bpo-35121: prefix dot in domain for proper subdomain
	5	validation (GH-10258) (#12281)
	6
	7	Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy. Patch by Karthikeyan Singaravelan.
	8	(cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14)
	9
	10	Co-authored-by: Xtreak <tir.karthi@gmail.com>
	11
	12	CVE: CVE-2018-20852
	13	Upstream-Status: Backport
	14	[https://github.com/python/cpython/commit/4749f1b69000259e23b4cc6f63c542a9bdc62f1b]
	15
	16	Signed-off-by: Dan Tran <dantran@microsoft.com>
	17	---
	18	Lib/http/cookiejar.py \| 13 ++++++--
	19	Lib/test/test_http_cookiejar.py \| 30 +++++++++++++++++++
	20	.../2018-10-31-15-39-17.bpo-35121.EgHv9k.rst \| 4 +++
	21	3 files changed, 45 insertions(+), 2 deletions(-)
	22	create mode 100644 Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
	23
	24	diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py
	25	index 6d4572af03..1cc9378ae4 100644
	26	--- a/Lib/http/cookiejar.py
	27	+++ b/Lib/http/cookiejar.py
	28	@@ -1148,6 +1148,11 @@ class DefaultCookiePolicy(CookiePolicy):
	29	req_host, erhn = eff_request_host(request)
	30	domain = cookie.domain
	31
	32	+ if domain and not domain.startswith("."):
	33	+ dotdomain = "." + domain
	34	+ else:
	35	+ dotdomain = domain
	36	+
	37	# strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
	38	if (cookie.version == 0 and
	39	(self.strict_ns_domain & self.DomainStrictNonDomain) and
	40	@@ -1160,7 +1165,7 @@ class DefaultCookiePolicy(CookiePolicy):
	41	_debug(" effective request-host name %s does not domain-match "
	42	"RFC 2965 cookie domain %s", erhn, domain)
	43	return False
	44	- if cookie.version == 0 and not ("."+erhn).endswith(domain):
	45	+ if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
	46	_debug(" request-host %s does not match Netscape cookie domain "
	47	"%s", req_host, domain)
	48	return False
	49	@@ -1174,7 +1179,11 @@ class DefaultCookiePolicy(CookiePolicy):
	50	req_host = "."+req_host
	51	if not erhn.startswith("."):
	52	erhn = "."+erhn
	53	- if not (req_host.endswith(domain) or erhn.endswith(domain)):
	54	+ if domain and not domain.startswith("."):
	55	+ dotdomain = "." + domain
	56	+ else:
	57	+ dotdomain = domain
	58	+ if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
	59	#_debug(" request domain %s does not match cookie domain %s",
	60	# req_host, domain)
	61	return False
	62	diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py
	63	index 49c01ae489..e67e6ae780 100644
	64	--- a/Lib/test/test_http_cookiejar.py
	65	+++ b/Lib/test/test_http_cookiejar.py
	66	@@ -417,6 +417,7 @@ class CookieTests(unittest.TestCase):
	67	("http://foo.bar.com/", ".foo.bar.com", True),
	68	("http://foo.bar.com/", "foo.bar.com", True),
	69	("http://foo.bar.com/", ".bar.com", True),
	70	+ ("http://foo.bar.com/", "bar.com", True),
	71	("http://foo.bar.com/", "com", True),
	72	("http://foo.com/", "rhubarb.foo.com", False),
	73	("http://foo.com/", ".foo.com", True),
	74	@@ -427,6 +428,8 @@ class CookieTests(unittest.TestCase):
	75	("http://foo/", "foo", True),
	76	("http://foo/", "foo.local", True),
	77	("http://foo/", ".local", True),
	78	+ ("http://barfoo.com", ".foo.com", False),
	79	+ ("http://barfoo.com", "foo.com", False),
	80	]:
	81	request = urllib.request.Request(url)
	82	r = pol.domain_return_ok(domain, request)
	83	@@ -961,6 +964,33 @@ class CookieTests(unittest.TestCase):
	84	c.add_cookie_header(req)
	85	self.assertFalse(req.has_header("Cookie"))
	86
	87	+ c.clear()
	88	+
	89	+ pol.set_blocked_domains([])
	90	+ req = urllib.request.Request("http://acme.com/")
	91	+ res = FakeResponse(headers, "http://acme.com/")
	92	+ cookies = c.make_cookies(res, req)
	93	+ c.extract_cookies(res, req)
	94	+ self.assertEqual(len(c), 1)
	95	+
	96	+ req = urllib.request.Request("http://acme.com/")
	97	+ c.add_cookie_header(req)
	98	+ self.assertTrue(req.has_header("Cookie"))
	99	+
	100	+ req = urllib.request.Request("http://badacme.com/")
	101	+ c.add_cookie_header(req)
	102	+ self.assertFalse(pol.return_ok(cookies[0], req))
	103	+ self.assertFalse(req.has_header("Cookie"))
	104	+
	105	+ p = pol.set_blocked_domains(["acme.com"])
	106	+ req = urllib.request.Request("http://acme.com/")
	107	+ c.add_cookie_header(req)
	108	+ self.assertFalse(req.has_header("Cookie"))
	109	+
	110	+ req = urllib.request.Request("http://badacme.com/")
	111	+ c.add_cookie_header(req)
	112	+ self.assertFalse(req.has_header("Cookie"))
	113	+
	114	def test_secure(self):
	115	for ns in True, False:
	116	for whitespace in " ", "":
	117	diff --git a/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
	118	new file mode 100644
	119	index 0000000000..d2eb8f1f35
	120	--- /dev/null
	121	+++ b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
	122	@@ -0,0 +1,4 @@
	123	+Don't send cookies of domain A without Domain attribute to domain B
	124	+when domain A is a suffix match of domain B while using a cookiejar
	125	+with :class:`http.cookiejar.DefaultCookiePolicy` policy. Patch by
	126	+Karthikeyan Singaravelan.
	127	--
	128	2.22.0.vfs.1.1.57.gbaf16c8
	129