Sync from SUSE:ALP:Source:Standard:1.0 python-WebOb revision 66730664f4833eb1b509969f9197c95f

2025-01-20 09:08:00 +01:00 · 2025-01-20 09:08:00 +01:00 · 2259c2f7b8
commit 2259c2f7b8
parent 9d80e6c979
3 changed files with 61 additions and 1 deletions
--- a/CVE-2024-42353-url-redirection.patch
+++ b/CVE-2024-42353-url-redirection.patch
@ -0,0 +1,48 @@
+From f689bcf4f0a1f64f1735b1d5069aef5be6974b5b Mon Sep 17 00:00:00 2001
+From: Delta Regeer <xistence@0x58.com>
+Date: Wed, 7 Aug 2024 11:15:35 -0600
+Subject: [PATCH] Add fix for open redirect
+
+---
+ src/webob/response.py  |  5 +++++
+ tests/test_response.py | 11 +++++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/webob/response.py b/src/webob/response.py
+index 2aad591c..efc38ecf 100644
+--- a/src/webob/response.py
+++ b/src/webob/response.py
+@@ -1284,6 +1284,11 @@ def _make_location_absolute(environ, value):
+         if SCHEME_RE.search(value):
+             return value
+ 
+        # This is to fix an open redirect issue due to the way that
+        # urlparse.urljoin works. See CVE-2024-42353 and
+        # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
+        if value.startswith("//"):
+            value = "/%2f{}".format(value[2:])
+         new_location = urlparse.urljoin(_request_uri(environ), value)
+         return new_location
+ 
+diff --git a/tests/test_response.py b/tests/test_response.py
+index 9d9f9d37..8a6ac06d 100644
+--- a/tests/test_response.py
+++ b/tests/test_response.py
+@@ -1031,6 +1031,17 @@ def test_location():
+     assert req.get_response(res).location == 'http://localhost/test2.html'
+ 
+ 
+def test_location_no_open_redirect():
+    # This is a test for a fix for CVE-2024-42353 and
+    # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
+    res = Response()
+    res.status = "301"
+    res.location = "//www.example.com/test"
+    assert res.location == "//www.example.com/test"
+    req = Request.blank("/")
+    assert req.get_response(res).location == "http://localhost/%2fwww.example.com/test"
+
+
+ @pytest.mark.xfail(sys.version_info < (3,0),
+                    reason="Python 2.x unicode != str, WSGI requires str. Test "
+                    "added due to https://github.com/Pylons/webob/issues/247. "
--- a/python-WebOb.changes
+++ b/python-WebOb.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Aug 19 04:47:58 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Add patch CVE-2024-42353-url-redirection.patch:
+  * The use of WebOb's Response object to redirect a request to a new location
+    can lead to an open redirect if the Location header is not a full URI.
+    (bsc#1229221, CVE-2024-42353)
+
 -------------------------------------------------------------------
 Wed Jul 26 07:20:55 UTC 2023 - Bernhard Wiedemann <bwiedemann@suse.com>

--- a/python-WebOb.spec
+++ b/python-WebOb.spec
@ -25,6 +25,10 @@ License:        MIT
 Group:          Development/Languages/Python
 URL:            http://webob.org/
 Source:         https://files.pythonhosted.org/packages/source/W/WebOb/WebOb-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM gh#Pylons/webob#1f681a4f17fc10777ef861e8b43ecb26053bc539
+# Do not generate an open redirect if the Location header is not a full URI
+# bsc#1229221, CVE-2024-42353
+Patch0:         CVE-2024-42353-url-redirection.patch
 BuildRequires:  %{python_module pytest}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  python-rpm-macros
@ -60,7 +64,7 @@ This package contains documentation files for %{name}.
 %endif

 %prep
-%setup -q -n WebOb-%{version}
+%autosetup -p1 -n WebOb-%{version}
 # gh#Pylons/webob#390 -- Thread.is_alive is present since Python 2.6, Thread.isAlive was removed in 3.9.
 sed -i 's/worker.isAlive/worker.is_alive/' tests/conftest.py