1 files changed, 0 insertions, 124 deletions
diff --git a/meta/recipes-devtools/python/python3/CVE-2018-20852.patch b/meta/recipes-devtools/python/python3/CVE-2018-20852.patch
deleted file mode 100644
index ff671d3fab..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2018-20852.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From e5123d81ffb3be35a1b2767d6ced1a097aaf77be Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Sat, 9 Mar 2019 18:58:25 -0800
-Subject: [PATCH] bpo-35121: prefix dot in domain for proper subdomain
- validation (GH-10258) (GH-12261)
-Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy.  Patch by Karthikeyan Singaravelan.
-(cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14)
-Co-authored-by: Xtreak <tir.karthi@gmail.com>
-Upstream-Status: Backport
-CVE: CVE-2018-20852
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> 
---
- Lib/http/cookiejar.py                         | 13 ++++++--
- Lib/test/test_http_cookiejar.py               | 30 +++++++++++++++++++
- .../2018-10-31-15-39-17.bpo-35121.EgHv9k.rst  |  4 +++
- 3 files changed, 45 insertions(+), 2 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
-diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py
-index e0f1032b2816..00cb1250a07e 100644
--- a/Lib/http/cookiejar.py
-+++ b/Lib/http/cookiejar.py
-@@ -1145,6 +1145,11 @@ def return_ok_domain(self, cookie, request):
-         req_host, erhn = eff_request_host(request)
-         domain = cookie.domain
- 
-+        if domain and not domain.startswith("."):
-+            dotdomain = "." + domain
-+        else:
-+            dotdomain = domain
-+
-         # strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
-         if (cookie.version == 0 and
-             (self.strict_ns_domain & self.DomainStrictNonDomain) and
-@@ -1157,7 +1162,7 @@ def return_ok_domain(self, cookie, request):
-             _debug("   effective request-host name %s does not domain-match "
-                    "RFC 2965 cookie domain %s", erhn, domain)
-             return False
-        if cookie.version == 0 and not ("."+erhn).endswith(domain):
-+        if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
-             _debug("   request-host %s does not match Netscape cookie domain "
-                    "%s", req_host, domain)
-             return False
-@@ -1171,7 +1176,11 @@ def domain_return_ok(self, domain, request):
-             req_host = "."+req_host
-         if not erhn.startswith("."):
-             erhn = "."+erhn
-        if not (req_host.endswith(domain) or erhn.endswith(domain)):
-+        if domain and not domain.startswith("."):
-+            dotdomain = "." + domain
-+        else:
-+            dotdomain = domain
-+        if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
-             #_debug("   request domain %s does not match cookie domain %s",
-             #       req_host, domain)
-             return False
-diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py
-index abc625d672a7..6e1b30881310 100644
--- a/Lib/test/test_http_cookiejar.py
-+++ b/Lib/test/test_http_cookiejar.py
-@@ -415,6 +415,7 @@ def test_domain_return_ok(self):
-             ("http://foo.bar.com/", ".foo.bar.com", True),
-             ("http://foo.bar.com/", "foo.bar.com", True),
-             ("http://foo.bar.com/", ".bar.com", True),
-+            ("http://foo.bar.com/", "bar.com", True),
-             ("http://foo.bar.com/", "com", True),
-             ("http://foo.com/", "rhubarb.foo.com", False),
-             ("http://foo.com/", ".foo.com", True),
-@@ -425,6 +426,8 @@ def test_domain_return_ok(self):
-             ("http://foo/", "foo", True),
-             ("http://foo/", "foo.local", True),
-             ("http://foo/", ".local", True),
-+            ("http://barfoo.com", ".foo.com", False),
-+            ("http://barfoo.com", "foo.com", False),
-             ]:
-             request = urllib.request.Request(url)
-             r = pol.domain_return_ok(domain, request)
-@@ -959,6 +962,33 @@ def test_domain_block(self):
-         c.add_cookie_header(req)
-         self.assertFalse(req.has_header("Cookie"))
- 
-+        c.clear()
-+
-+        pol.set_blocked_domains([])
-+        req = urllib.request.Request("http://acme.com/")
-+        res = FakeResponse(headers, "http://acme.com/")
-+        cookies = c.make_cookies(res, req)
-+        c.extract_cookies(res, req)
-+        self.assertEqual(len(c), 1)
-+
-+        req = urllib.request.Request("http://acme.com/")
-+        c.add_cookie_header(req)
-+        self.assertTrue(req.has_header("Cookie"))
-+
-+        req = urllib.request.Request("http://badacme.com/")
-+        c.add_cookie_header(req)
-+        self.assertFalse(pol.return_ok(cookies[0], req))
-+        self.assertFalse(req.has_header("Cookie"))
-+
-+        p = pol.set_blocked_domains(["acme.com"])
-+        req = urllib.request.Request("http://acme.com/")
-+        c.add_cookie_header(req)
-+        self.assertFalse(req.has_header("Cookie"))
-+
-+        req = urllib.request.Request("http://badacme.com/")
-+        c.add_cookie_header(req)
-+        self.assertFalse(req.has_header("Cookie"))
-+
-     def test_secure(self):
-         for ns in True, False:
-             for whitespace in " ", "":
-diff --git a/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
-new file mode 100644
-index 000000000000..d2eb8f1f352c
--- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
-@@ -0,0 +1,4 @@
-+Don't send cookies of domain A without Domain attribute to domain B
-+when domain A is a suffix match of domain B while using a cookiejar
-+with :class:`http.cookiejar.DefaultCookiePolicy` policy. Patch by
-+Karthikeyan Singaravelan.

diff --git a/meta/recipes-devtools/python/python3/CVE-2018-20852.patch b/meta/recipes-devtools/python/python3/CVE-2018-20852.patch deleted file mode 100644 index ff671d3fab..0000000000 --- a/meta/recipes-devtools/python/python3/CVE-2018-20852.patch +++ /dev/null
@@ -1,124 +0,0 @@
1	From e5123d81ffb3be35a1b2767d6ced1a097aaf77be Mon Sep 17 00:00:00 2001
2	From: "Miss Islington (bot)"
3	<31488909+miss-islington@users.noreply.github.com>
4	Date: Sat, 9 Mar 2019 18:58:25 -0800
5	Subject: [PATCH] bpo-35121: prefix dot in domain for proper subdomain
6	validation (GH-10258) (GH-12261)
7
8	Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy. Patch by Karthikeyan Singaravelan.
9	(cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14)
10
11	Co-authored-by: Xtreak <tir.karthi@gmail.com>
12	Upstream-Status: Backport
13	CVE: CVE-2018-20852
14	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
15	---
16	Lib/http/cookiejar.py \| 13 ++++++--
17	Lib/test/test_http_cookiejar.py \| 30 +++++++++++++++++++
18	.../2018-10-31-15-39-17.bpo-35121.EgHv9k.rst \| 4 +++
19	3 files changed, 45 insertions(+), 2 deletions(-)
20	create mode 100644 Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
21
22	diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py
23	index e0f1032b2816..00cb1250a07e 100644
24	--- a/Lib/http/cookiejar.py
25	+++ b/Lib/http/cookiejar.py
26	@@ -1145,6 +1145,11 @@ def return_ok_domain(self, cookie, request):
27	req_host, erhn = eff_request_host(request)
28	domain = cookie.domain
29
30	+ if domain and not domain.startswith("."):
31	+ dotdomain = "." + domain
32	+ else:
33	+ dotdomain = domain
34	+
35	# strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
36	if (cookie.version == 0 and
37	(self.strict_ns_domain & self.DomainStrictNonDomain) and
38	@@ -1157,7 +1162,7 @@ def return_ok_domain(self, cookie, request):
39	_debug(" effective request-host name %s does not domain-match "
40	"RFC 2965 cookie domain %s", erhn, domain)
41	return False
42	- if cookie.version == 0 and not ("."+erhn).endswith(domain):
43	+ if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
44	_debug(" request-host %s does not match Netscape cookie domain "
45	"%s", req_host, domain)
46	return False
47	@@ -1171,7 +1176,11 @@ def domain_return_ok(self, domain, request):
48	req_host = "."+req_host
49	if not erhn.startswith("."):
50	erhn = "."+erhn
51	- if not (req_host.endswith(domain) or erhn.endswith(domain)):
52	+ if domain and not domain.startswith("."):
53	+ dotdomain = "." + domain
54	+ else:
55	+ dotdomain = domain
56	+ if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
57	#_debug(" request domain %s does not match cookie domain %s",
58	# req_host, domain)
59	return False
60	diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py
61	index abc625d672a7..6e1b30881310 100644
62	--- a/Lib/test/test_http_cookiejar.py
63	+++ b/Lib/test/test_http_cookiejar.py
64	@@ -415,6 +415,7 @@ def test_domain_return_ok(self):
65	("http://foo.bar.com/", ".foo.bar.com", True),
66	("http://foo.bar.com/", "foo.bar.com", True),
67	("http://foo.bar.com/", ".bar.com", True),
68	+ ("http://foo.bar.com/", "bar.com", True),
69	("http://foo.bar.com/", "com", True),
70	("http://foo.com/", "rhubarb.foo.com", False),
71	("http://foo.com/", ".foo.com", True),
72	@@ -425,6 +426,8 @@ def test_domain_return_ok(self):
73	("http://foo/", "foo", True),
74	("http://foo/", "foo.local", True),
75	("http://foo/", ".local", True),
76	+ ("http://barfoo.com", ".foo.com", False),
77	+ ("http://barfoo.com", "foo.com", False),
78	]:
79	request = urllib.request.Request(url)
80	r = pol.domain_return_ok(domain, request)
81	@@ -959,6 +962,33 @@ def test_domain_block(self):
82	c.add_cookie_header(req)
83	self.assertFalse(req.has_header("Cookie"))
84
85	+ c.clear()
86	+
87	+ pol.set_blocked_domains([])
88	+ req = urllib.request.Request("http://acme.com/")
89	+ res = FakeResponse(headers, "http://acme.com/")
90	+ cookies = c.make_cookies(res, req)
91	+ c.extract_cookies(res, req)
92	+ self.assertEqual(len(c), 1)
93	+
94	+ req = urllib.request.Request("http://acme.com/")
95	+ c.add_cookie_header(req)
96	+ self.assertTrue(req.has_header("Cookie"))
97	+
98	+ req = urllib.request.Request("http://badacme.com/")
99	+ c.add_cookie_header(req)
100	+ self.assertFalse(pol.return_ok(cookies[0], req))
101	+ self.assertFalse(req.has_header("Cookie"))
102	+
103	+ p = pol.set_blocked_domains(["acme.com"])
104	+ req = urllib.request.Request("http://acme.com/")
105	+ c.add_cookie_header(req)
106	+ self.assertFalse(req.has_header("Cookie"))
107	+
108	+ req = urllib.request.Request("http://badacme.com/")
109	+ c.add_cookie_header(req)
110	+ self.assertFalse(req.has_header("Cookie"))
111	+
112	def test_secure(self):
113	for ns in True, False:
114	for whitespace in " ", "":
115	diff --git a/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
116	new file mode 100644
117	index 000000000000..d2eb8f1f352c
118	--- /dev/null
119	+++ b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
120	@@ -0,0 +1,4 @@
121	+Don't send cookies of domain A without Domain attribute to domain B
122	+when domain A is a suffix match of domain B while using a cookiejar
123	+with :class:`http.cookiejar.DefaultCookiePolicy` policy. Patch by
124	+Karthikeyan Singaravelan.