From bf8d577f1d8fb8e3c5744cc483d1c685cb04f333 Mon Sep 17 00:00:00 2001 From: Joshua Lock Date: Thu, 13 Oct 2011 12:02:22 -0700 Subject: python: fix CVE-2011-1015 This patch adds a backported security fix from upstream for CVE-2011-1015 to address a vulnerability in the CGIHTTPServer module. Signed-off-by: Joshua Lock --- .../python/python/fix-cgi-http-server.patch | 176 +++++++++++++++++++++ meta/recipes-devtools/python/python_2.6.6.bb | 3 +- 2 files changed, 178 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-devtools/python/python/fix-cgi-http-server.patch (limited to 'meta/recipes-devtools') diff --git a/meta/recipes-devtools/python/python/fix-cgi-http-server.patch b/meta/recipes-devtools/python/python/fix-cgi-http-server.patch new file mode 100644 index 0000000000..5df0fa5048 --- /dev/null +++ b/meta/recipes-devtools/python/python/fix-cgi-http-server.patch @@ -0,0 +1,176 @@ +This patch is taken from upstream and is a fix for CVE CVE-2011-1015 + +Upstream-Status: Backport + +Signed-off-by: Joshua Lock + +# HG changeset patch +# User Gregory P. Smith +# Date 1238999606 0 +# Node ID c6c4398293bd682b355f1050bb16bb3e18c8b40f +# Parent e363958fcd70a43ad07b39df999552d0fa1cefc1 +- Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are + now collapsed within the url properly before looking in cgi_directories. + +Index: Python-2.6.6/Lib/CGIHTTPServer.py +=================================================================== +--- Python-2.6.6.orig/Lib/CGIHTTPServer.py 2009-11-11 09:24:53.000000000 -0800 ++++ Python-2.6.6/Lib/CGIHTTPServer.py 2011-10-13 13:51:33.815347721 -0700 +@@ -70,27 +70,20 @@ + return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self) + + def is_cgi(self): +- """Test whether self.path corresponds to a CGI script, +- and return a boolean. ++ """Test whether self.path corresponds to a CGI script. + +- This function sets self.cgi_info to a tuple (dir, rest) +- when it returns True, where dir is the directory part before +- the CGI script name. Note that rest begins with a +- slash if it is not empty. +- +- The default implementation tests whether the path +- begins with one of the strings in the list +- self.cgi_directories (and the next character is a '/' +- or the end of the string). ++ Returns True and updates the cgi_info attribute to the tuple ++ (dir, rest) if self.path requires running a CGI script. ++ Returns False otherwise. ++ ++ The default implementation tests whether the normalized url ++ path begins with one of the strings in self.cgi_directories ++ (and the next character is a '/' or the end of the string). + """ +- +- path = self.path +- +- for x in self.cgi_directories: +- i = len(x) +- if path[:i] == x and (not path[i:] or path[i] == '/'): +- self.cgi_info = path[:i], path[i+1:] +- return True ++ splitpath = _url_collapse_path_split(self.path) ++ if splitpath[0] in self.cgi_directories: ++ self.cgi_info = splitpath ++ return True + return False + + cgi_directories = ['/cgi-bin', '/htbin'] +@@ -299,6 +292,46 @@ + self.log_message("CGI script exited OK") + + ++# TODO(gregory.p.smith): Move this into an appropriate library. ++def _url_collapse_path_split(path): ++ """ ++ Given a URL path, remove extra '/'s and '.' path elements and collapse ++ any '..' references. ++ ++ Implements something akin to RFC-2396 5.2 step 6 to parse relative paths. ++ ++ Returns: A tuple of (head, tail) where tail is everything after the final / ++ and head is everything before it. Head will always start with a '/' and, ++ if it contains anything else, never have a trailing '/'. ++ ++ Raises: IndexError if too many '..' occur within the path. ++ """ ++ # Similar to os.path.split(os.path.normpath(path)) but specific to URL ++ # path semantics rather than local operating system semantics. ++ path_parts = [] ++ for part in path.split('/'): ++ if part == '.': ++ path_parts.append('') ++ else: ++ path_parts.append(part) ++ # Filter out blank non trailing parts before consuming the '..'. ++ path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:] ++ if path_parts: ++ tail_part = path_parts.pop() ++ else: ++ tail_part = '' ++ head_parts = [] ++ for part in path_parts: ++ if part == '..': ++ head_parts.pop() ++ else: ++ head_parts.append(part) ++ if tail_part and tail_part == '..': ++ head_parts.pop() ++ tail_part = '' ++ return ('/' + '/'.join(head_parts), tail_part) ++ ++ + nobody = None + + def nobody_uid(): +Index: Python-2.6.6/Lib/test/test_httpservers.py +=================================================================== +--- Python-2.6.6.orig/Lib/test/test_httpservers.py 2010-04-25 15:09:32.000000000 -0700 ++++ Python-2.6.6/Lib/test/test_httpservers.py 2011-10-13 13:51:33.815347721 -0700 +@@ -7,6 +7,7 @@ + from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer + from SimpleHTTPServer import SimpleHTTPRequestHandler + from CGIHTTPServer import CGIHTTPRequestHandler ++import CGIHTTPServer + + import os + import sys +@@ -324,6 +325,45 @@ + finally: + BaseTestCase.tearDown(self) + ++ def test_url_collapse_path_split(self): ++ test_vectors = { ++ '': ('/', ''), ++ '..': IndexError, ++ '/.//..': IndexError, ++ '/': ('/', ''), ++ '//': ('/', ''), ++ '/\\': ('/', '\\'), ++ '/.//': ('/', ''), ++ 'cgi-bin/file1.py': ('/cgi-bin', 'file1.py'), ++ '/cgi-bin/file1.py': ('/cgi-bin', 'file1.py'), ++ 'a': ('/', 'a'), ++ '/a': ('/', 'a'), ++ '//a': ('/', 'a'), ++ './a': ('/', 'a'), ++ './C:/': ('/C:', ''), ++ '/a/b': ('/a', 'b'), ++ '/a/b/': ('/a/b', ''), ++ '/a/b/c/..': ('/a/b', ''), ++ '/a/b/c/../d': ('/a/b', 'd'), ++ '/a/b/c/../d/e/../f': ('/a/b/d', 'f'), ++ '/a/b/c/../d/e/../../f': ('/a/b', 'f'), ++ '/a/b/c/../d/e/.././././..//f': ('/a/b', 'f'), ++ '../a/b/c/../d/e/.././././..//f': IndexError, ++ '/a/b/c/../d/e/../../../f': ('/a', 'f'), ++ '/a/b/c/../d/e/../../../../f': ('/', 'f'), ++ '/a/b/c/../d/e/../../../../../f': IndexError, ++ '/a/b/c/../d/e/../../../../f/..': ('/', ''), ++ } ++ for path, expected in test_vectors.iteritems(): ++ if isinstance(expected, type) and issubclass(expected, Exception): ++ self.assertRaises(expected, ++ CGIHTTPServer._url_collapse_path_split, path) ++ else: ++ actual = CGIHTTPServer._url_collapse_path_split(path) ++ self.assertEquals(expected, actual, ++ msg='path = %r\nGot: %r\nWanted: %r' % ( ++ path, actual, expected)) ++ + def test_headers_and_content(self): + res = self.request('/cgi-bin/file1.py') + self.assertEquals(('Hello World\n', 'text/html', 200), \ +@@ -348,6 +388,12 @@ + self.assertEquals(('Hello World\n', 'text/html', 200), \ + (res.read(), res.getheader('Content-type'), res.status)) + ++ def test_no_leading_slash(self): ++ # http://bugs.python.org/issue2254 ++ res = self.request('cgi-bin/file1.py') ++ self.assertEquals(('Hello World\n', 'text/html', 200), ++ (res.read(), res.getheader('Content-type'), res.status)) ++ + + def test_main(verbose=None): + cwd = os.getcwd() diff --git a/meta/recipes-devtools/python/python_2.6.6.bb b/meta/recipes-devtools/python/python_2.6.6.bb index b0438fe164..59493f34ec 100644 --- a/meta/recipes-devtools/python/python_2.6.6.bb +++ b/meta/recipes-devtools/python/python_2.6.6.bb @@ -1,7 +1,7 @@ require python.inc DEPENDS = "python-native db gdbm openssl readline sqlite3 zlib" DEPENDS_sharprom = "python-native db readline zlib gdbm openssl" -PR = "${INC_PR}.2" +PR = "${INC_PR}.3" LIC_FILES_CHKSUM = "file://LICENSE;md5=38fdd546420fab09ac6bd3d8a1c83eb6" DISTRO_SRC_URI ?= "file://sitecustomize.py" @@ -17,6 +17,7 @@ SRC_URI = "\ file://06-avoid_usr_lib_termcap_path_in_linking.patch \ file://07-linux3-regen-fix.patch \ file://99-ignore-optimization-flag.patch \ + file://fix-cgi-http-server.patch \ ${DISTRO_SRC_URI} \ " -- cgit v1.2.3-54-g00ecf