1 files changed, 0 insertions, 148 deletions
diff --git a/meta/recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch b/meta/recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch
deleted file mode 100644
index ab1b7230ea..0000000000
--- a/meta/recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch
+++ /dev/null
@@ -1,148 +0,0 @@
-From aab3e8c432b90508ac14755128f5a687be2fdf43 Mon Sep 17 00:00:00 2001
-From: Mingli Yu <Mingli.Yu@windriver.com>
-Date: Thu, 22 Sep 2016 16:39:49 +0800
-Subject: [PATCH] python3: fix CVE-2016-1000110
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
-indicates that the script is in CGI mode.
-Issue #27568 Reported and patch contributed by Rémi Rampin. [#27568]
-Backport patch from https://hg.python.org/cpython/rev/a0ac52ed8f79
-Upstream-Status: Backport
-CVE: CVE-2016-1000110
-Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
---
- Doc/howto/urllib2.rst          |  5 +++++
- Doc/library/urllib.request.rst | 17 ++++++++++++++++-
- Lib/test/test_urllib.py        | 14 +++++++++++++-
- Lib/urllib/request.py          |  6 ++++++
- Misc/NEWS                      |  4 ++++
- 5 files changed, 44 insertions(+), 2 deletions(-)
-diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst
-index 24a4156..d2c7991 100644
--- a/Doc/howto/urllib2.rst
-+++ b/Doc/howto/urllib2.rst
-@@ -538,6 +538,11 @@ setting up a `Basic Authentication`_ handler: ::
-     through a proxy.  However, this can be enabled by extending urllib.request as
-     shown in the recipe [#]_.
- 
-+.. note::
-+
-+    ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
-+    the documentation on :func:`~urllib.request.getproxies`.
-+
- 
- Sockets and Layers
- ==================
-diff --git a/Doc/library/urllib.request.rst b/Doc/library/urllib.request.rst
-index 1338906..1291aeb 100644
--- a/Doc/library/urllib.request.rst
-+++ b/Doc/library/urllib.request.rst
-@@ -173,6 +173,16 @@ The :mod:`urllib.request` module defines the following functions:
-    If both lowercase and uppercase environment variables exist (and disagree),
-    lowercase is preferred.
- 
-+    .. note::
-+
-+       If the environment variable ``REQUEST_METHOD`` is set, which usually
-+       indicates your script is running in a CGI environment, the environment
-+       variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
-+       because that variable can be injected by a client using the "Proxy:" HTTP
-+       header. If you need to use an HTTP proxy in a CGI environment, either use
-+       ``ProxyHandler`` explicitly, or make sure the variable name is in
-+       lowercase (or at least the ``_proxy`` suffix).
-+
- 
- The following classes are provided:
- 
-@@ -280,6 +290,11 @@ The following classes are provided:
-    list of hostname suffixes, optionally with ``:port`` appended, for example
-    ``cern.ch,ncsa.uiuc.edu,some.host:8080``.
- 
-+    .. note::
-+
-+       ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
-+       see the documentation on :func:`~urllib.request.getproxies`.
-+
- 
- .. class:: HTTPPasswordMgr()
- 
-@@ -1138,7 +1153,7 @@ the returned bytes object to string once it determines or guesses
- the appropriate encoding.
- 
- The following W3C document, https://www.w3.org/International/O-charset\ , lists
-the various ways in which a (X)HTML or a XML document could have specified its
-+the various ways in which an (X)HTML or an XML document could have specified its
- encoding information.
- 
- As the python.org website uses *utf-8* encoding as specified in its meta tag, we
-diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
-index 5d05f8d..247598a 100644
--- a/Lib/test/test_urllib.py
-+++ b/Lib/test/test_urllib.py
-@@ -1,4 +1,4 @@
-"""Regresssion tests for what was in Python 2's "urllib" module"""
-+"""Regression tests for what was in Python 2's "urllib" module"""
- 
- import urllib.parse
- import urllib.request
-@@ -232,6 +232,18 @@ class ProxyTests(unittest.TestCase):
-         self.assertTrue(urllib.request.proxy_bypass_environment('anotherdomain.com:8888'))
-         self.assertTrue(urllib.request.proxy_bypass_environment('newdomain.com:1234'))
- 
-+    def test_proxy_cgi_ignore(self):
-+        try:
-+            self.env.set('HTTP_PROXY', 'http://somewhere:3128')
-+            proxies = urllib.request.getproxies_environment()
-+            self.assertEqual('http://somewhere:3128', proxies['http'])
-+            self.env.set('REQUEST_METHOD', 'GET')
-+            proxies = urllib.request.getproxies_environment()
-+            self.assertNotIn('http', proxies)
-+        finally:
-+            self.env.unset('REQUEST_METHOD')
-+            self.env.unset('HTTP_PROXY')
-+
-     def test_proxy_bypass_environment_host_match(self):
-         bypass = urllib.request.proxy_bypass_environment
-         self.env.set('NO_PROXY',
-diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
-index 1731fe3..3be327d 100644
--- a/Lib/urllib/request.py
-+++ b/Lib/urllib/request.py
-@@ -2412,6 +2412,12 @@ def getproxies_environment():
-         name = name.lower()
-         if value and name[-6:] == '_proxy':
-             proxies[name[:-6]] = value
-+    # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
-+    # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
-+    # header from the client
-+    # If "proxy" is lowercase, it will still be used thanks to the next block
-+    if 'REQUEST_METHOD' in os.environ:
-+        proxies.pop('http', None)
-     for name, value in os.environ.items():
-         if name[-6:] == '_proxy':
-             name = name.lower()
-diff --git a/Misc/NEWS b/Misc/NEWS
-index 4ad2551..2fcc95b 100644
--- a/Misc/NEWS
-+++ b/Misc/NEWS
-@@ -329,6 +329,10 @@ Library
- - Issue #26644: Raise ValueError rather than SystemError when a negative
-   length is passed to SSLSocket.recv() or read().
- 
-+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
-+  HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
-+  that the script is in CGI mode.
-+
- - Issue #23804: Fix SSL recv(0) and read(0) methods to return zero bytes
-   instead of up to 1024.
- 
-- 
-2.8.1

diff --git a/meta/recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch b/meta/recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch deleted file mode 100644 index ab1b7230ea..0000000000 --- a/meta/recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch +++ /dev/null
@@ -1,148 +0,0 @@
1	From aab3e8c432b90508ac14755128f5a687be2fdf43 Mon Sep 17 00:00:00 2001
2	From: Mingli Yu <Mingli.Yu@windriver.com>
3	Date: Thu, 22 Sep 2016 16:39:49 +0800
4	Subject: [PATCH] python3: fix CVE-2016-1000110
5	MIME-Version: 1.0
6	Content-Type: text/plain; charset=UTF-8
7	Content-Transfer-Encoding: 8bit
8
9	Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
10	indicates that the script is in CGI mode.
11
12	Issue #27568 Reported and patch contributed by Rémi Rampin. [#27568]
13
14	Backport patch from https://hg.python.org/cpython/rev/a0ac52ed8f79
15
16	Upstream-Status: Backport
17	CVE: CVE-2016-1000110
18	Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
19	---
20	Doc/howto/urllib2.rst \| 5 +++++
21	Doc/library/urllib.request.rst \| 17 ++++++++++++++++-
22	Lib/test/test_urllib.py \| 14 +++++++++++++-
23	Lib/urllib/request.py \| 6 ++++++
24	Misc/NEWS \| 4 ++++
25	5 files changed, 44 insertions(+), 2 deletions(-)
26
27	diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst
28	index 24a4156..d2c7991 100644
29	--- a/Doc/howto/urllib2.rst
30	+++ b/Doc/howto/urllib2.rst
31	@@ -538,6 +538,11 @@ setting up a `Basic Authentication`_ handler: ::
32	through a proxy. However, this can be enabled by extending urllib.request as
33	shown in the recipe [#]_.
34
35	+.. note::
36	+
37	+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
38	+ the documentation on :func:`~urllib.request.getproxies`.
39	+
40
41	Sockets and Layers
42	==================
43	diff --git a/Doc/library/urllib.request.rst b/Doc/library/urllib.request.rst
44	index 1338906..1291aeb 100644
45	--- a/Doc/library/urllib.request.rst
46	+++ b/Doc/library/urllib.request.rst
47	@@ -173,6 +173,16 @@ The :mod:`urllib.request` module defines the following functions:
48	If both lowercase and uppercase environment variables exist (and disagree),
49	lowercase is preferred.
50
51	+ .. note::
52	+
53	+ If the environment variable ``REQUEST_METHOD`` is set, which usually
54	+ indicates your script is running in a CGI environment, the environment
55	+ variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
56	+ because that variable can be injected by a client using the "Proxy:" HTTP
57	+ header. If you need to use an HTTP proxy in a CGI environment, either use
58	+ ``ProxyHandler`` explicitly, or make sure the variable name is in
59	+ lowercase (or at least the ``_proxy`` suffix).
60	+
61
62	The following classes are provided:
63
64	@@ -280,6 +290,11 @@ The following classes are provided:
65	list of hostname suffixes, optionally with ``:port`` appended, for example
66	``cern.ch,ncsa.uiuc.edu,some.host:8080``.
67
68	+ .. note::
69	+
70	+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
71	+ see the documentation on :func:`~urllib.request.getproxies`.
72	+
73
74	.. class:: HTTPPasswordMgr()
75
76	@@ -1138,7 +1153,7 @@ the returned bytes object to string once it determines or guesses
77	the appropriate encoding.
78
79	The following W3C document, https://www.w3.org/International/O-charset\ , lists
80	-the various ways in which a (X)HTML or a XML document could have specified its
81	+the various ways in which an (X)HTML or an XML document could have specified its
82	encoding information.
83
84	As the python.org website uses utf-8 encoding as specified in its meta tag, we
85	diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
86	index 5d05f8d..247598a 100644
87	--- a/Lib/test/test_urllib.py
88	+++ b/Lib/test/test_urllib.py
89	@@ -1,4 +1,4 @@
90	-"""Regresssion tests for what was in Python 2's "urllib" module"""
91	+"""Regression tests for what was in Python 2's "urllib" module"""
92
93	import urllib.parse
94	import urllib.request
95	@@ -232,6 +232,18 @@ class ProxyTests(unittest.TestCase):
96	self.assertTrue(urllib.request.proxy_bypass_environment('anotherdomain.com:8888'))
97	self.assertTrue(urllib.request.proxy_bypass_environment('newdomain.com:1234'))
98
99	+ def test_proxy_cgi_ignore(self):
100	+ try:
101	+ self.env.set('HTTP_PROXY', 'http://somewhere:3128')
102	+ proxies = urllib.request.getproxies_environment()
103	+ self.assertEqual('http://somewhere:3128', proxies['http'])
104	+ self.env.set('REQUEST_METHOD', 'GET')
105	+ proxies = urllib.request.getproxies_environment()
106	+ self.assertNotIn('http', proxies)
107	+ finally:
108	+ self.env.unset('REQUEST_METHOD')
109	+ self.env.unset('HTTP_PROXY')
110	+
111	def test_proxy_bypass_environment_host_match(self):
112	bypass = urllib.request.proxy_bypass_environment
113	self.env.set('NO_PROXY',
114	diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
115	index 1731fe3..3be327d 100644
116	--- a/Lib/urllib/request.py
117	+++ b/Lib/urllib/request.py
118	@@ -2412,6 +2412,12 @@ def getproxies_environment():
119	name = name.lower()
120	if value and name[-6:] == '_proxy':
121	proxies[name[:-6]] = value
122	+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
123	+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
124	+ # header from the client
125	+ # If "proxy" is lowercase, it will still be used thanks to the next block
126	+ if 'REQUEST_METHOD' in os.environ:
127	+ proxies.pop('http', None)
128	for name, value in os.environ.items():
129	if name[-6:] == '_proxy':
130	name = name.lower()
131	diff --git a/Misc/NEWS b/Misc/NEWS
132	index 4ad2551..2fcc95b 100644
133	--- a/Misc/NEWS
134	+++ b/Misc/NEWS
135	@@ -329,6 +329,10 @@ Library
136	- Issue #26644: Raise ValueError rather than SystemError when a negative
137	length is passed to SSLSocket.recv() or read().
138
139	+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
140	+ HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
141	+ that the script is in CGI mode.
142	+
143	- Issue #23804: Fix SSL recv(0) and read(0) methods to return zero bytes
144	instead of up to 1024.
145
146	--
147	2.8.1
148