path: root/meta/recipes-devtools/python/python/CVE-2016-1000110.patch
# HG changeset patch
# User Senthil Kumaran <senthil@uthcode.com>
# Date 1469882993 25200
# Node ID ba915d561667fa0584ad89f8d5a844fd43803c0d
# Parent  c8c1ea94379a7706638f1571988576d504d7fc98
Prevent HTTPoxy attack (CVE-2016-1000110)

Ignore the HTTP_PROXY variable when the REQUEST_METHOD environment variable is set,
which indicates that the script is running in CGI mode.

Issue reported and patch contributed by Rémi Rampin.

Upstream-Status: Backport
CVE: CVE-2016-1000110
Signed-off-by: Armin Kuster <akuster@mvista.com>

Index: Python-2.7.9/Doc/howto/urllib2.rst
===================================================================
--- Python-2.7.9.orig/Doc/howto/urllib2.rst
+++ Python-2.7.9/Doc/howto/urllib2.rst
@@ -523,6 +523,11 @@ setting up a `Basic Authentication`_ han
     through a proxy.  However, this can be enabled by extending urllib2 as
     shown in the recipe [#]_.
 
+.. note::
+
+    ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
+    the documentation on :func:`~urllib.getproxies`.
+
 
 Sockets and Layers
 ==================
Index: Python-2.7.9/Doc/library/urllib.rst
===================================================================
--- Python-2.7.9.orig/Doc/library/urllib.rst
+++ Python-2.7.9/Doc/library/urllib.rst
@@ -288,6 +288,16 @@ Utility functions
    find it, looks for proxy information from Mac OSX System Configuration for
    Mac OS X and Windows Systems Registry for Windows.
 
+    .. note::
+
+        If the environment variable ``REQUEST_METHOD`` is set, which usually
+        indicates your script is running in a CGI environment, the environment
+        variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
+        because that variable can be injected by a client using the "Proxy:"
+        HTTP header. If you need to use an HTTP proxy in a CGI environment,
+        either use ``ProxyHandler`` explicitly, or make sure the variable name
+        is in lowercase (or at least the ``_proxy`` suffix).
+
 .. note::
     urllib also exposes certain utility functions like splittype, splithost and
     others parsing url into various components. But it is recommended to use
Index: Python-2.7.9/Doc/library/urllib2.rst
===================================================================
--- Python-2.7.9.orig/Doc/library/urllib2.rst
+++ Python-2.7.9/Doc/library/urllib2.rst
@@ -224,6 +224,11 @@ The following classes are provided:
 
    To disable autodetected proxy pass an empty dictionary.
 
+    .. note::
+
+       ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
+       see the documentation on :func:`~urllib.getproxies`.
+
 
 .. class:: HTTPPasswordMgr()
 
Index: Python-2.7.9/Misc/ACKS
===================================================================
--- Python-2.7.9.orig/Misc/ACKS
+++ Python-2.7.9/Misc/ACKS
@@ -1090,6 +1090,7 @@ Jérôme Radix
 Burton Radons
 Jeff Ramnani
 Brodie Rao
+Rémi Rampin
 Senko Rasic
 Antti Rasinen
 Nikolaus Rath
Index: Python-2.7.9/Lib/urllib.py
===================================================================
--- Python-2.7.9.orig/Lib/urllib.py
+++ Python-2.7.9/Lib/urllib.py
@@ -1373,11 +1373,20 @@ def getproxies_environment():
     [Fancy]URLopener constructor.
 
     """
+    # Get all variables
     proxies = {}
     for name, value in os.environ.items():
         name = name.lower()
         if value and name[-6:] == '_proxy':
             proxies[name[:-6]] = value
+
+    # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
+    # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
+    # header from the client
+    # If "proxy" is lowercase, it will still be used thanks to the next block
+    if 'REQUEST_METHOD' in os.environ:
+        proxies.pop('http', None)
+
     return proxies
 
 def proxy_bypass_environment(host):
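Review bot: The comment `# If "proxy" is lowercase, it will still be used thanks to the next block` refers to code that is not in this backport — the only statement after `proxies.pop('http', None)` is `return proxies` — so in CGI mode a lowercase `http_proxy` is discarded together with the injectable `HTTP_PROXY`. That contradicts the note this same patch adds to Doc/library/urllib.rst, which tells users to keep the variable name lowercase (or at least its `_proxy` suffix) in order to keep using a proxy from CGI. Because the first loop lowercases every name before storing it, the original spelling is already lost at the pop; a second pass over os.environ that re-adds 'http' only from a name retaining a lowercase '_proxy' suffix restores the documented behaviour (the CGI header-to-environment mapping uppercases header names, so such a spelling cannot originate from a client header). The `def getproxies_environment():` line lies outside the hunk.
```python
    if 'REQUEST_METHOD' in os.environ:
        proxies.pop('http', None)
        # Re-add 'http' only from a spelling that keeps a lowercase '_proxy'
        # suffix (e.g. http_proxy): CGI uppercases header names, so that
        # spelling cannot have come from a client "Proxy:" header.
        for name, value in os.environ.items():
            if value and name[-6:] == '_proxy' and name[:-6].lower() == 'http':
                proxies['http'] = value

    return proxies
```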
Index: Python-2.7.9/Lib/test/test_urllib.py
===================================================================
--- Python-2.7.9.orig/Lib/test/test_urllib.py
+++ Python-2.7.9/Lib/test/test_urllib.py
@@ -161,6 +161,18 @@ class ProxyTests(unittest.TestCase):
         self.env.set('NO_PROXY', 'localhost, anotherdomain.com, newdomain.com')
         self.assertTrue(urllib.proxy_bypass_environment('anotherdomain.com'))
 
+    def test_proxy_cgi_ignore(self):
+        try:
+            self.env.set('HTTP_PROXY', 'http://somewhere:3128')
+            proxies = urllib.getproxies_environment()
+            self.assertEqual('http://somewhere:3128', proxies['http'])
+            self.env.set('REQUEST_METHOD', 'GET')
+            proxies = urllib.getproxies_environment()
+            self.assertNotIn('http', proxies)
+        finally:
+            self.env.unset('REQUEST_METHOD')
+            self.env.unset('HTTP_PROXY')
+
 
 class urlopen_HttpTests(unittest.TestCase, FakeHTTPMixin):
     """Test urlopen() opening a fake http connection."""
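Review bot: test_proxy_cgi_ignore checks only that the uppercase HTTP_PROXY is dropped once REQUEST_METHOD is set; it does not exercise the lowercase-spelling exception that the Doc/library/urllib.rst note in this patch promises, so that documented contract is untested. Adding, inside the `try` after the assertNotIn, `self.env.set('http_proxy', 'http://lower:3128')`, `proxies = urllib.getproxies_environment()` and `self.assertEqual('http://lower:3128', proxies['http'])` — with a matching `self.env.unset('http_proxy')` in the `finally` — would pin it. As the Lib/urllib.py hunk stands, that assertion would fail, which is exactly the gap a regression test should expose. The enclosing ProxyTests class and its self.env fixture start outside the hunk.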
Index: Python-2.7.9/Misc/NEWS
===================================================================
--- Python-2.7.9.orig/Misc/NEWS
+++ Python-2.7.9/Misc/NEWS
@@ -13,6 +13,10 @@ What's New in Python 2.7.9?
 Library
 -------
 
+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
+  HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
+  that the script is in CGI mode.
+
 - Issue #22928: Disabled HTTP header injections in httplib.
   Original patch by Demian Brecht.