python3: fix CVE-2018-20852 CVE-2019-9636

(From OE-Core rev: eb415873caad54dbf332f9ebf5f3164da3459953) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Anuj Mittal <anuj.mittal@intel.com> 2019-07-26 12:47:28 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-07-29 23:50:49 +0100
commit: 9773b89a2f371acbe1e40d7cef6afb6c2a24f9c5 (patch)
tree: 59d4cea678afa7d5f8494207b502cf8a3cbdffea /meta/recipes-devtools/python/python3/CVE-2018-20852.patch
parent: b692ba5eafbcc08a55866936a51f7643e077cc44 (diff)
download: poky-9773b89a2f371acbe1e40d7cef6afb6c2a24f9c5.tar.gz
1 files changed, 124 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3/CVE-2018-20852.patch b/meta/recipes-devtools/python/python3/CVE-2018-20852.patch
new file mode 100644
index 0000000000..ff671d3fab
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2018-20852.patch
@@ -0,0 +1,124 @@
+From e5123d81ffb3be35a1b2767d6ced1a097aaf77be Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Sat, 9 Mar 2019 18:58:25 -0800
+Subject: [PATCH] bpo-35121: prefix dot in domain for proper subdomain
+ validation (GH-10258) (GH-12261)
+Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy.  Patch by Karthikeyan Singaravelan.
+(cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14)
+Co-authored-by: Xtreak <tir.karthi@gmail.com>
+Upstream-Status: Backport
+CVE: CVE-2018-20852
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> 
+---
+ Lib/http/cookiejar.py                         | 13 ++++++--
+ Lib/test/test_http_cookiejar.py               | 30 +++++++++++++++++++
+ .../2018-10-31-15-39-17.bpo-35121.EgHv9k.rst  |  4 +++
+ 3 files changed, 45 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
+diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py
+index e0f1032b2816..00cb1250a07e 100644
+--- a/Lib/http/cookiejar.py
+++ b/Lib/http/cookiejar.py
+@@ -1145,6 +1145,11 @@ def return_ok_domain(self, cookie, request):
+         req_host, erhn = eff_request_host(request)
+         domain = cookie.domain
+ 
+        if domain and not domain.startswith("."):
+            dotdomain = "." + domain
+        else:
+            dotdomain = domain
+
+         # strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
+         if (cookie.version == 0 and
+             (self.strict_ns_domain & self.DomainStrictNonDomain) and
+@@ -1157,7 +1162,7 @@ def return_ok_domain(self, cookie, request):
+             _debug("   effective request-host name %s does not domain-match "
+                    "RFC 2965 cookie domain %s", erhn, domain)
+             return False
+-        if cookie.version == 0 and not ("."+erhn).endswith(domain):
+        if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
+             _debug("   request-host %s does not match Netscape cookie domain "
+                    "%s", req_host, domain)
+             return False
+@@ -1171,7 +1176,11 @@ def domain_return_ok(self, domain, request):
+             req_host = "."+req_host
+         if not erhn.startswith("."):
+             erhn = "."+erhn
+-        if not (req_host.endswith(domain) or erhn.endswith(domain)):
+        if domain and not domain.startswith("."):
+            dotdomain = "." + domain
+        else:
+            dotdomain = domain
+        if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
+             #_debug("   request domain %s does not match cookie domain %s",
+             #       req_host, domain)
+             return False
+diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py
+index abc625d672a7..6e1b30881310 100644
+--- a/Lib/test/test_http_cookiejar.py
+++ b/Lib/test/test_http_cookiejar.py
+@@ -415,6 +415,7 @@ def test_domain_return_ok(self):
+             ("http://foo.bar.com/", ".foo.bar.com", True),
+             ("http://foo.bar.com/", "foo.bar.com", True),
+             ("http://foo.bar.com/", ".bar.com", True),
+            ("http://foo.bar.com/", "bar.com", True),
+             ("http://foo.bar.com/", "com", True),
+             ("http://foo.com/", "rhubarb.foo.com", False),
+             ("http://foo.com/", ".foo.com", True),
+@@ -425,6 +426,8 @@ def test_domain_return_ok(self):
+             ("http://foo/", "foo", True),
+             ("http://foo/", "foo.local", True),
+             ("http://foo/", ".local", True),
+            ("http://barfoo.com", ".foo.com", False),
+            ("http://barfoo.com", "foo.com", False),
+             ]:
+             request = urllib.request.Request(url)
+             r = pol.domain_return_ok(domain, request)
+@@ -959,6 +962,33 @@ def test_domain_block(self):
+         c.add_cookie_header(req)
+         self.assertFalse(req.has_header("Cookie"))
+ 
+        c.clear()
+
+        pol.set_blocked_domains([])
+        req = urllib.request.Request("http://acme.com/")
+        res = FakeResponse(headers, "http://acme.com/")
+        cookies = c.make_cookies(res, req)
+        c.extract_cookies(res, req)
+        self.assertEqual(len(c), 1)
+
+        req = urllib.request.Request("http://acme.com/")
+        c.add_cookie_header(req)
+        self.assertTrue(req.has_header("Cookie"))
+
+        req = urllib.request.Request("http://badacme.com/")
+        c.add_cookie_header(req)
+        self.assertFalse(pol.return_ok(cookies[0], req))
+        self.assertFalse(req.has_header("Cookie"))
+
+        p = pol.set_blocked_domains(["acme.com"])
+        req = urllib.request.Request("http://acme.com/")
+        c.add_cookie_header(req)
+        self.assertFalse(req.has_header("Cookie"))
+
+        req = urllib.request.Request("http://badacme.com/")
+        c.add_cookie_header(req)
+        self.assertFalse(req.has_header("Cookie"))
+
+     def test_secure(self):
+         for ns in True, False:
+             for whitespace in " ", "":
+diff --git a/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
+new file mode 100644
+index 000000000000..d2eb8f1f352c
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
+@@ -0,0 +1,4 @@
+Don't send cookies of domain A without Domain attribute to domain B
+when domain A is a suffix match of domain B while using a cookiejar
+with :class:`http.cookiejar.DefaultCookiePolicy` policy. Patch by
+Karthikeyan Singaravelan.
author	Anuj Mittal <anuj.mittal@intel.com>	2019-07-26 12:47:28 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-29 23:50:49 +0100
commit	9773b89a2f371acbe1e40d7cef6afb6c2a24f9c5 (patch)
tree	59d4cea678afa7d5f8494207b502cf8a3cbdffea /meta/recipes-devtools/python/python3/CVE-2018-20852.patch
parent	b692ba5eafbcc08a55866936a51f7643e077cc44 (diff)
download	poky-9773b89a2f371acbe1e40d7cef6afb6c2a24f9c5.tar.gz

diff --git a/meta/recipes-devtools/python/python3/CVE-2018-20852.patch b/meta/recipes-devtools/python/python3/CVE-2018-20852.patch new file mode 100644 index 0000000000..ff671d3fab --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2018-20852.patch
@@ -0,0 +1,124 @@
	1	From e5123d81ffb3be35a1b2767d6ced1a097aaf77be Mon Sep 17 00:00:00 2001
	2	From: "Miss Islington (bot)"
	3	<31488909+miss-islington@users.noreply.github.com>
	4	Date: Sat, 9 Mar 2019 18:58:25 -0800
	5	Subject: [PATCH] bpo-35121: prefix dot in domain for proper subdomain
	6	validation (GH-10258) (GH-12261)
	7
	8	Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy. Patch by Karthikeyan Singaravelan.
	9	(cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14)
	10
	11	Co-authored-by: Xtreak <tir.karthi@gmail.com>
	12	Upstream-Status: Backport
	13	CVE: CVE-2018-20852
	14	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
	15	---
	16	Lib/http/cookiejar.py \| 13 ++++++--
	17	Lib/test/test_http_cookiejar.py \| 30 +++++++++++++++++++
	18	.../2018-10-31-15-39-17.bpo-35121.EgHv9k.rst \| 4 +++
	19	3 files changed, 45 insertions(+), 2 deletions(-)
	20	create mode 100644 Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
	21
	22	diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py
	23	index e0f1032b2816..00cb1250a07e 100644
	24	--- a/Lib/http/cookiejar.py
	25	+++ b/Lib/http/cookiejar.py
	26	@@ -1145,6 +1145,11 @@ def return_ok_domain(self, cookie, request):
	27	req_host, erhn = eff_request_host(request)
	28	domain = cookie.domain
	29
	30	+ if domain and not domain.startswith("."):
	31	+ dotdomain = "." + domain
	32	+ else:
	33	+ dotdomain = domain
	34	+
	35	# strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
	36	if (cookie.version == 0 and
	37	(self.strict_ns_domain & self.DomainStrictNonDomain) and
	38	@@ -1157,7 +1162,7 @@ def return_ok_domain(self, cookie, request):
	39	_debug(" effective request-host name %s does not domain-match "
	40	"RFC 2965 cookie domain %s", erhn, domain)
	41	return False
	42	- if cookie.version == 0 and not ("."+erhn).endswith(domain):
	43	+ if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
	44	_debug(" request-host %s does not match Netscape cookie domain "
	45	"%s", req_host, domain)
	46	return False
	47	@@ -1171,7 +1176,11 @@ def domain_return_ok(self, domain, request):
	48	req_host = "."+req_host
	49	if not erhn.startswith("."):
	50	erhn = "."+erhn
	51	- if not (req_host.endswith(domain) or erhn.endswith(domain)):
	52	+ if domain and not domain.startswith("."):
	53	+ dotdomain = "." + domain
	54	+ else:
	55	+ dotdomain = domain
	56	+ if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
	57	#_debug(" request domain %s does not match cookie domain %s",
	58	# req_host, domain)
	59	return False
	60	diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py
	61	index abc625d672a7..6e1b30881310 100644
	62	--- a/Lib/test/test_http_cookiejar.py
	63	+++ b/Lib/test/test_http_cookiejar.py
	64	@@ -415,6 +415,7 @@ def test_domain_return_ok(self):
	65	("http://foo.bar.com/", ".foo.bar.com", True),
	66	("http://foo.bar.com/", "foo.bar.com", True),
	67	("http://foo.bar.com/", ".bar.com", True),
	68	+ ("http://foo.bar.com/", "bar.com", True),
	69	("http://foo.bar.com/", "com", True),
	70	("http://foo.com/", "rhubarb.foo.com", False),
	71	("http://foo.com/", ".foo.com", True),
	72	@@ -425,6 +426,8 @@ def test_domain_return_ok(self):
	73	("http://foo/", "foo", True),
	74	("http://foo/", "foo.local", True),
	75	("http://foo/", ".local", True),
	76	+ ("http://barfoo.com", ".foo.com", False),
	77	+ ("http://barfoo.com", "foo.com", False),
	78	]:
	79	request = urllib.request.Request(url)
	80	r = pol.domain_return_ok(domain, request)
	81	@@ -959,6 +962,33 @@ def test_domain_block(self):
	82	c.add_cookie_header(req)
	83	self.assertFalse(req.has_header("Cookie"))
	84
	85	+ c.clear()
	86	+
	87	+ pol.set_blocked_domains([])
	88	+ req = urllib.request.Request("http://acme.com/")
	89	+ res = FakeResponse(headers, "http://acme.com/")
	90	+ cookies = c.make_cookies(res, req)
	91	+ c.extract_cookies(res, req)
	92	+ self.assertEqual(len(c), 1)
	93	+
	94	+ req = urllib.request.Request("http://acme.com/")
	95	+ c.add_cookie_header(req)
	96	+ self.assertTrue(req.has_header("Cookie"))
	97	+
	98	+ req = urllib.request.Request("http://badacme.com/")
	99	+ c.add_cookie_header(req)
	100	+ self.assertFalse(pol.return_ok(cookies[0], req))
	101	+ self.assertFalse(req.has_header("Cookie"))
	102	+
	103	+ p = pol.set_blocked_domains(["acme.com"])
	104	+ req = urllib.request.Request("http://acme.com/")
	105	+ c.add_cookie_header(req)
	106	+ self.assertFalse(req.has_header("Cookie"))
	107	+
	108	+ req = urllib.request.Request("http://badacme.com/")
	109	+ c.add_cookie_header(req)
	110	+ self.assertFalse(req.has_header("Cookie"))
	111	+
	112	def test_secure(self):
	113	for ns in True, False:
	114	for whitespace in " ", "":
	115	diff --git a/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
	116	new file mode 100644
	117	index 000000000000..d2eb8f1f352c
	118	--- /dev/null
	119	+++ b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
	120	@@ -0,0 +1,4 @@
	121	+Don't send cookies of domain A without Domain attribute to domain B
	122	+when domain A is a suffix match of domain B while using a cookiejar
	123	+with :class:`http.cookiejar.DefaultCookiePolicy` policy. Patch by
	124	+Karthikeyan Singaravelan.