Diffstat (limited to 'meta/recipes-devtools/python/python3/CVE-2018-20852.patch')
-rw-r--r-- | meta/recipes-devtools/python/python3/CVE-2018-20852.patch | 129 |
1 files changed, 129 insertions, 0 deletions
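--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2018-20852.patch
@@ -0,0 +1,129 @@
+From 31c16d62fc762ab87e66e7f47e36dbfcfc8b5224 Mon Sep 17 00:00:00 2001
+From: Xtreak <tir.karthi@gmail.com>
+Date: Sun, 17 Mar 2019 05:33:39 +0530
+Subject: [PATCH] [3.5] bpo-35121: prefix dot in domain for proper subdomain
+validation (GH-10258) (#12281)
+
+Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy. Patch by Karthikeyan Singaravelan.
+(cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14)
+
+Co-authored-by: Xtreak <tir.karthi@gmail.com>
+
+CVE: CVE-2018-20852
+Upstream-Status: Backport
+[https://github.com/python/cpython/commit/4749f1b69000259e23b4cc6f63c542a9bdc62f1b]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+Lib/http/cookiejar.py | 13 ++++++--
+Lib/test/test_http_cookiejar.py | 30 +++++++++++++++++++
+.../2018-10-31-15-39-17.bpo-35121.EgHv9k.rst | 4 +++
+3 files changed, 45 insertions(+), 2 deletions(-)
+create mode 100644 Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
+
+diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py
+index 6d4572af03..1cc9378ae4 100644
+--- a/Lib/http/cookiejar.py
++++ b/Lib/http/cookiejar.py
+@@ -1148,6 +1148,11 @@ class DefaultCookiePolicy(CookiePolicy):
+req_host, erhn = eff_request_host(request)
+domain = cookie.domain
+
++ if domain and not domain.startswith("."):
++ dotdomain = "." + domain
++ else:
++ dotdomain = domain
++
+# strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
+if (cookie.version == 0 and
+(self.strict_ns_domain & self.DomainStrictNonDomain) and
+@@ -1160,7 +1165,7 @@ class DefaultCookiePolicy(CookiePolicy):
+_debug(" effective request-host name %s does not domain-match "
+"RFC 2965 cookie domain %s", erhn, domain)
+return False
+- if cookie.version == 0 and not ("."+erhn).endswith(domain):
++ if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
+_debug(" request-host %s does not match Netscape cookie domain "
+"%s", req_host, domain)
+return False
+@@ -1174,7 +1179,11 @@ class DefaultCookiePolicy(CookiePolicy):
+req_host = "."+req_host
+if not erhn.startswith("."):
+erhn = "."+erhn
+- if not (req_host.endswith(domain) or erhn.endswith(domain)):
++ if domain and not domain.startswith("."):
++ dotdomain = "." + domain
++ else:
++ dotdomain = domain
++ if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
+#_debug(" request domain %s does not match cookie domain %s",
+# req_host, domain)
+return False
+diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py
+index 49c01ae489..e67e6ae780 100644
+--- a/Lib/test/test_http_cookiejar.py
++++ b/Lib/test/test_http_cookiejar.py
+@@ -417,6 +417,7 @@ class CookieTests(unittest.TestCase):
+("http://foo.bar.com/", ".foo.bar.com", True),
+("http://foo.bar.com/", "foo.bar.com", True),
+("http://foo.bar.com/", ".bar.com", True),
++ ("http://foo.bar.com/", "bar.com", True),
+("http://foo.bar.com/", "com", True),
+("http://foo.com/", "rhubarb.foo.com", False),
+("http://foo.com/", ".foo.com", True),
+@@ -427,6 +428,8 @@ class CookieTests(unittest.TestCase):
+("http://foo/", "foo", True),
+("http://foo/", "foo.local", True),
+("http://foo/", ".local", True),
++ ("http://barfoo.com", ".foo.com", False),
++ ("http://barfoo.com", "foo.com", False),
+]:
+request = urllib.request.Request(url)
+r = pol.domain_return_ok(domain, request)
+@@ -961,6 +964,33 @@ class CookieTests(unittest.TestCase):
+c.add_cookie_header(req)
+self.assertFalse(req.has_header("Cookie"))
+
++ c.clear()
++
++ pol.set_blocked_domains([])
++ req = urllib.request.Request("http://acme.com/")
++ res = FakeResponse(headers, "http://acme.com/")
++ cookies = c.make_cookies(res, req)
++ c.extract_cookies(res, req)
++ self.assertEqual(len(c), 1)
++
++ req = urllib.request.Request("http://acme.com/")
++ c.add_cookie_header(req)
++ self.assertTrue(req.has_header("Cookie"))
++
++ req = urllib.request.Request("http://badacme.com/")
++ c.add_cookie_header(req)
++ self.assertFalse(pol.return_ok(cookies[0], req))
++ self.assertFalse(req.has_header("Cookie"))
++
++ p = pol.set_blocked_domains(["acme.com"])
++ req = urllib.request.Request("http://acme.com/")
++ c.add_cookie_header(req)
++ self.assertFalse(req.has_header("Cookie"))
++
++ req = urllib.request.Request("http://badacme.com/")
++ c.add_cookie_header(req)
++ self.assertFalse(req.has_header("Cookie"))
++
+def test_secure(self):
+for ns in True, False:
+for whitespace in " ", "":
+diff --git a/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
+new file mode 100644
+index 0000000000..d2eb8f1f35
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
+@@ -0,0 +1,4 @@
++Don't send cookies of domain A without Domain attribute to domain B
++when domain A is a suffix match of domain B while using a cookiejar
++with :class:`http.cookiejar.DefaultCookiePolicy` policy. Patch by
++Karthikeyan Singaravelan.
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+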
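Review bot: The three upstream commit ids in the patch header (lines 1, 8 and 14 of the new file) do not agree: the `From` line names 31c16d62fc762ab87e66e7f47e36dbfcfc8b5224, the `(cherry picked from commit ...)` line names ca7fe5063593958e5efdf90f068582837f07bd14, and the `Upstream-Status: Backport` link names 4749f1b69000259e23b4cc6f63c542a9bdc62f1b, so someone auditing this CVE fix later cannot tell from the file which branch the backport was taken from. Presumably these are the 3.5-branch commit, the original master commit and another branch's commit, but the header should say which; I would point the link at the commit the diff was actually generated from, `Upstream-Status: Backport [https://github.com/python/cpython/commit/31c16d62fc762ab87e66e7f47e36dbfcfc8b5224]`, or add a line naming the branch. The code change itself, the `dotdomain` prefixing in both DefaultCookiePolicy methods (whose bodies start and end outside the embedded hunks), matches the fix described in the CVE text, and the added `barfoo.com`/`foo.com` tests cover the suffix-match case. This diff only adds the patch file, so the recipe change that actually applies it is outside this diffstat and should be checked separately.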