Sync from SUSE:SLFO:Main python311 revision bd02c02df23ed668068d7b37e8bbf27b
This commit is contained in:
parent
770b9661f8
commit
9139e7eb83
238
CVE-2024-6232-ReDOS-backtrack-tarfile.patch
Normal file
238
CVE-2024-6232-ReDOS-backtrack-tarfile.patch
Normal file
@ -0,0 +1,238 @@
|
||||
From b7431133441a92670132600e5af78b64dd25539b Mon Sep 17 00:00:00 2001
|
||||
From: Seth Michael Larson <seth@python.org>
|
||||
Date: Sat, 31 Aug 2024 17:17:05 -0500
|
||||
Subject: [PATCH] [3.11] gh-121285: Remove backtracking when parsing tarfile
|
||||
headers (GH-121286)
|
||||
|
||||
* Remove backtracking when parsing tarfile headers
|
||||
* Rewrite PAX header parsing to be stricter
|
||||
* Optimize parsing of GNU extended sparse headers v0.0
|
||||
|
||||
(cherry picked from commit 34ddb64d088dd7ccc321f6103d23153256caa5d4)
|
||||
|
||||
Co-authored-by: Seth Michael Larson <seth@python.org>
|
||||
Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru>
|
||||
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
||||
---
|
||||
Lib/tarfile.py | 105 ++++++----
|
||||
Lib/test/test_tarfile.py | 42 ++++
|
||||
Misc/NEWS.d/next/Security/2024-07-02-13-39-20.gh-issue-121285.hrl-yI.rst | 2
|
||||
3 files changed, 111 insertions(+), 38 deletions(-)
|
||||
create mode 100644 Misc/NEWS.d/next/Security/2024-07-02-13-39-20.gh-issue-121285.hrl-yI.rst
|
||||
|
||||
--- a/Lib/tarfile.py
|
||||
+++ b/Lib/tarfile.py
|
||||
@@ -842,6 +842,9 @@ _NAMED_FILTERS = {
|
||||
# Sentinel for replace() defaults, meaning "don't change the attribute"
|
||||
_KEEP = object()
|
||||
|
||||
+# Header length is digits followed by a space.
|
||||
+_header_length_prefix_re = re.compile(br"([0-9]{1,20}) ")
|
||||
+
|
||||
class TarInfo(object):
|
||||
"""Informational class which holds the details about an
|
||||
archive member given by a tar header block.
|
||||
@@ -1411,41 +1414,59 @@ class TarInfo(object):
|
||||
else:
|
||||
pax_headers = tarfile.pax_headers.copy()
|
||||
|
||||
- # Check if the pax header contains a hdrcharset field. This tells us
|
||||
- # the encoding of the path, linkpath, uname and gname fields. Normally,
|
||||
- # these fields are UTF-8 encoded but since POSIX.1-2008 tar
|
||||
- # implementations are allowed to store them as raw binary strings if
|
||||
- # the translation to UTF-8 fails.
|
||||
- match = re.search(br"\d+ hdrcharset=([^\n]+)\n", buf)
|
||||
- if match is not None:
|
||||
- pax_headers["hdrcharset"] = match.group(1).decode("utf-8")
|
||||
-
|
||||
- # For the time being, we don't care about anything other than "BINARY".
|
||||
- # The only other value that is currently allowed by the standard is
|
||||
- # "ISO-IR 10646 2000 UTF-8" in other words UTF-8.
|
||||
- hdrcharset = pax_headers.get("hdrcharset")
|
||||
- if hdrcharset == "BINARY":
|
||||
- encoding = tarfile.encoding
|
||||
- else:
|
||||
- encoding = "utf-8"
|
||||
-
|
||||
# Parse pax header information. A record looks like that:
|
||||
# "%d %s=%s\n" % (length, keyword, value). length is the size
|
||||
# of the complete record including the length field itself and
|
||||
- # the newline. keyword and value are both UTF-8 encoded strings.
|
||||
- regex = re.compile(br"(\d+) ([^=]+)=")
|
||||
+ # the newline.
|
||||
pos = 0
|
||||
- while True:
|
||||
- match = regex.match(buf, pos)
|
||||
- if not match:
|
||||
- break
|
||||
+ encoding = None
|
||||
+ raw_headers = []
|
||||
+ while len(buf) > pos and buf[pos] != 0x00:
|
||||
+ if not (match := _header_length_prefix_re.match(buf, pos)):
|
||||
+ raise InvalidHeaderError("invalid header")
|
||||
+ try:
|
||||
+ length = int(match.group(1))
|
||||
+ except ValueError:
|
||||
+ raise InvalidHeaderError("invalid header")
|
||||
+ # Headers must be at least 5 bytes, shortest being '5 x=\n'.
|
||||
+ # Value is allowed to be empty.
|
||||
+ if length < 5:
|
||||
+ raise InvalidHeaderError("invalid header")
|
||||
+ if pos + length > len(buf):
|
||||
+ raise InvalidHeaderError("invalid header")
|
||||
+
|
||||
+ header_value_end_offset = match.start(1) + length - 1 # Last byte of the header
|
||||
+ keyword_and_value = buf[match.end(1) + 1:header_value_end_offset]
|
||||
+ raw_keyword, equals, raw_value = keyword_and_value.partition(b"=")
|
||||
|
||||
- length, keyword = match.groups()
|
||||
- length = int(length)
|
||||
- if length == 0:
|
||||
+ # Check the framing of the header. The last character must be '\n' (0x0A)
|
||||
+ if not raw_keyword or equals != b"=" or buf[header_value_end_offset] != 0x0A:
|
||||
raise InvalidHeaderError("invalid header")
|
||||
- value = buf[match.end(2) + 1:match.start(1) + length - 1]
|
||||
+ raw_headers.append((length, raw_keyword, raw_value))
|
||||
+
|
||||
+ # Check if the pax header contains a hdrcharset field. This tells us
|
||||
+ # the encoding of the path, linkpath, uname and gname fields. Normally,
|
||||
+ # these fields are UTF-8 encoded but since POSIX.1-2008 tar
|
||||
+ # implementations are allowed to store them as raw binary strings if
|
||||
+ # the translation to UTF-8 fails. For the time being, we don't care about
|
||||
+ # anything other than "BINARY". The only other value that is currently
|
||||
+ # allowed by the standard is "ISO-IR 10646 2000 UTF-8" in other words UTF-8.
|
||||
+ # Note that we only follow the initial 'hdrcharset' setting to preserve
|
||||
+ # the initial behavior of the 'tarfile' module.
|
||||
+ if raw_keyword == b"hdrcharset" and encoding is None:
|
||||
+ if raw_value == b"BINARY":
|
||||
+ encoding = tarfile.encoding
|
||||
+ else: # This branch ensures only the first 'hdrcharset' header is used.
|
||||
+ encoding = "utf-8"
|
||||
|
||||
+ pos += length
|
||||
+
|
||||
+ # If no explicit hdrcharset is set, we use UTF-8 as a default.
|
||||
+ if encoding is None:
|
||||
+ encoding = "utf-8"
|
||||
+
|
||||
+ # After parsing the raw headers we can decode them to text.
|
||||
+ for length, raw_keyword, raw_value in raw_headers:
|
||||
# Normally, we could just use "utf-8" as the encoding and "strict"
|
||||
# as the error handler, but we better not take the risk. For
|
||||
# example, GNU tar <= 1.23 is known to store filenames it cannot
|
||||
@@ -1453,17 +1474,16 @@ class TarInfo(object):
|
||||
# hdrcharset=BINARY header).
|
||||
# We first try the strict standard encoding, and if that fails we
|
||||
# fall back on the user's encoding and error handler.
|
||||
- keyword = self._decode_pax_field(keyword, "utf-8", "utf-8",
|
||||
+ keyword = self._decode_pax_field(raw_keyword, "utf-8", "utf-8",
|
||||
tarfile.errors)
|
||||
if keyword in PAX_NAME_FIELDS:
|
||||
- value = self._decode_pax_field(value, encoding, tarfile.encoding,
|
||||
+ value = self._decode_pax_field(raw_value, encoding, tarfile.encoding,
|
||||
tarfile.errors)
|
||||
else:
|
||||
- value = self._decode_pax_field(value, "utf-8", "utf-8",
|
||||
+ value = self._decode_pax_field(raw_value, "utf-8", "utf-8",
|
||||
tarfile.errors)
|
||||
|
||||
pax_headers[keyword] = value
|
||||
- pos += length
|
||||
|
||||
# Fetch the next header.
|
||||
try:
|
||||
@@ -1478,7 +1498,7 @@ class TarInfo(object):
|
||||
|
||||
elif "GNU.sparse.size" in pax_headers:
|
||||
# GNU extended sparse format version 0.0.
|
||||
- self._proc_gnusparse_00(next, pax_headers, buf)
|
||||
+ self._proc_gnusparse_00(next, raw_headers)
|
||||
|
||||
elif pax_headers.get("GNU.sparse.major") == "1" and pax_headers.get("GNU.sparse.minor") == "0":
|
||||
# GNU extended sparse format version 1.0.
|
||||
@@ -1500,15 +1520,24 @@ class TarInfo(object):
|
||||
|
||||
return next
|
||||
|
||||
- def _proc_gnusparse_00(self, next, pax_headers, buf):
|
||||
+ def _proc_gnusparse_00(self, next, raw_headers):
|
||||
"""Process a GNU tar extended sparse header, version 0.0.
|
||||
"""
|
||||
offsets = []
|
||||
- for match in re.finditer(br"\d+ GNU.sparse.offset=(\d+)\n", buf):
|
||||
- offsets.append(int(match.group(1)))
|
||||
numbytes = []
|
||||
- for match in re.finditer(br"\d+ GNU.sparse.numbytes=(\d+)\n", buf):
|
||||
- numbytes.append(int(match.group(1)))
|
||||
+ for _, keyword, value in raw_headers:
|
||||
+ if keyword == b"GNU.sparse.offset":
|
||||
+ try:
|
||||
+ offsets.append(int(value.decode()))
|
||||
+ except ValueError:
|
||||
+ raise InvalidHeaderError("invalid header")
|
||||
+
|
||||
+ elif keyword == b"GNU.sparse.numbytes":
|
||||
+ try:
|
||||
+ numbytes.append(int(value.decode()))
|
||||
+ except ValueError:
|
||||
+ raise InvalidHeaderError("invalid header")
|
||||
+
|
||||
next.sparse = list(zip(offsets, numbytes))
|
||||
|
||||
def _proc_gnusparse_01(self, next, pax_headers):
|
||||
--- a/Lib/test/test_tarfile.py
|
||||
+++ b/Lib/test/test_tarfile.py
|
||||
@@ -1184,6 +1184,48 @@ class PaxReadTest(LongnameTest, ReadTest
|
||||
finally:
|
||||
tar.close()
|
||||
|
||||
+ def test_pax_header_bad_formats(self):
|
||||
+ # The fields from the pax header have priority over the
|
||||
+ # TarInfo.
|
||||
+ pax_header_replacements = (
|
||||
+ b" foo=bar\n",
|
||||
+ b"0 \n",
|
||||
+ b"1 \n",
|
||||
+ b"2 \n",
|
||||
+ b"3 =\n",
|
||||
+ b"4 =a\n",
|
||||
+ b"1000000 foo=bar\n",
|
||||
+ b"0 foo=bar\n",
|
||||
+ b"-12 foo=bar\n",
|
||||
+ b"000000000000000000000000036 foo=bar\n",
|
||||
+ )
|
||||
+ pax_headers = {"foo": "bar"}
|
||||
+
|
||||
+ for replacement in pax_header_replacements:
|
||||
+ with self.subTest(header=replacement):
|
||||
+ tar = tarfile.open(tmpname, "w", format=tarfile.PAX_FORMAT,
|
||||
+ encoding="iso8859-1")
|
||||
+ try:
|
||||
+ t = tarfile.TarInfo()
|
||||
+ t.name = "pax" # non-ASCII
|
||||
+ t.uid = 1
|
||||
+ t.pax_headers = pax_headers
|
||||
+ tar.addfile(t)
|
||||
+ finally:
|
||||
+ tar.close()
|
||||
+
|
||||
+ with open(tmpname, "rb") as f:
|
||||
+ data = f.read()
|
||||
+ self.assertIn(b"11 foo=bar\n", data)
|
||||
+ data = data.replace(b"11 foo=bar\n", replacement)
|
||||
+
|
||||
+ with open(tmpname, "wb") as f:
|
||||
+ f.truncate()
|
||||
+ f.write(data)
|
||||
+
|
||||
+ with self.assertRaisesRegex(tarfile.ReadError, r"method tar: ReadError\('invalid header'\)"):
|
||||
+ tarfile.open(tmpname, encoding="iso8859-1")
|
||||
+
|
||||
|
||||
class WriteTestBase(TarTest):
|
||||
# Put all write tests in here that are supposed to be tested
|
||||
--- /dev/null
|
||||
+++ b/Misc/NEWS.d/next/Security/2024-07-02-13-39-20.gh-issue-121285.hrl-yI.rst
|
||||
@@ -0,0 +1,2 @@
|
||||
+Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and
|
||||
+GNU sparse headers.
|
125
CVE-2024-7592-quad-complex-cookies.patch
Normal file
125
CVE-2024-7592-quad-complex-cookies.patch
Normal file
@ -0,0 +1,125 @@
|
||||
From dcfd909737995b948b99810a28205835a6c2848e Mon Sep 17 00:00:00 2001
|
||||
From: Serhiy Storchaka <storchaka@gmail.com>
|
||||
Date: Sat, 17 Aug 2024 16:30:52 +0300
|
||||
Subject: [PATCH] gh-123067: Fix quadratic complexity in parsing "-quoted
|
||||
cookie values with backslashes (GH-123075)
|
||||
|
||||
This fixes CVE-2024-7592.
|
||||
(cherry picked from commit 44e458357fca05ca0ae2658d62c8c595b048b5ef)
|
||||
|
||||
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
||||
---
|
||||
Lib/http/cookies.py | 34 ++------
|
||||
Lib/test/test_http_cookies.py | 38 ++++++++++
|
||||
Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst | 1
|
||||
3 files changed, 47 insertions(+), 26 deletions(-)
|
||||
create mode 100644 Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
|
||||
|
||||
--- a/Lib/http/cookies.py
|
||||
+++ b/Lib/http/cookies.py
|
||||
@@ -184,8 +184,13 @@ def _quote(str):
|
||||
return '"' + str.translate(_Translator) + '"'
|
||||
|
||||
|
||||
-_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
|
||||
-_QuotePatt = re.compile(r"[\\].")
|
||||
+_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))').sub
|
||||
+
|
||||
+def _unquote_replace(m):
|
||||
+ if m[1]:
|
||||
+ return chr(int(m[1], 8))
|
||||
+ else:
|
||||
+ return m[2]
|
||||
|
||||
def _unquote(str):
|
||||
# If there aren't any doublequotes,
|
||||
@@ -205,30 +210,7 @@ def _unquote(str):
|
||||
# \012 --> \n
|
||||
# \" --> "
|
||||
#
|
||||
- i = 0
|
||||
- n = len(str)
|
||||
- res = []
|
||||
- while 0 <= i < n:
|
||||
- o_match = _OctalPatt.search(str, i)
|
||||
- q_match = _QuotePatt.search(str, i)
|
||||
- if not o_match and not q_match: # Neither matched
|
||||
- res.append(str[i:])
|
||||
- break
|
||||
- # else:
|
||||
- j = k = -1
|
||||
- if o_match:
|
||||
- j = o_match.start(0)
|
||||
- if q_match:
|
||||
- k = q_match.start(0)
|
||||
- if q_match and (not o_match or k < j): # QuotePatt matched
|
||||
- res.append(str[i:k])
|
||||
- res.append(str[k+1])
|
||||
- i = k + 2
|
||||
- else: # OctalPatt matched
|
||||
- res.append(str[i:j])
|
||||
- res.append(chr(int(str[j+1:j+4], 8)))
|
||||
- i = j + 4
|
||||
- return _nulljoin(res)
|
||||
+ return _unquote_sub(_unquote_replace, str)
|
||||
|
||||
# The _getdate() routine is used to set the expiration time in the cookie's HTTP
|
||||
# header. By default, _getdate() returns the current time in the appropriate
|
||||
--- a/Lib/test/test_http_cookies.py
|
||||
+++ b/Lib/test/test_http_cookies.py
|
||||
@@ -5,6 +5,7 @@ import unittest
|
||||
import doctest
|
||||
from http import cookies
|
||||
import pickle
|
||||
+from test import support
|
||||
|
||||
|
||||
class CookieTests(unittest.TestCase):
|
||||
@@ -58,6 +59,43 @@ class CookieTests(unittest.TestCase):
|
||||
for k, v in sorted(case['dict'].items()):
|
||||
self.assertEqual(C[k].value, v)
|
||||
|
||||
+ def test_unquote(self):
|
||||
+ cases = [
|
||||
+ (r'a="b=\""', 'b="'),
|
||||
+ (r'a="b=\\"', 'b=\\'),
|
||||
+ (r'a="b=\="', 'b=='),
|
||||
+ (r'a="b=\n"', 'b=n'),
|
||||
+ (r'a="b=\042"', 'b="'),
|
||||
+ (r'a="b=\134"', 'b=\\'),
|
||||
+ (r'a="b=\377"', 'b=\xff'),
|
||||
+ (r'a="b=\400"', 'b=400'),
|
||||
+ (r'a="b=\42"', 'b=42'),
|
||||
+ (r'a="b=\\042"', 'b=\\042'),
|
||||
+ (r'a="b=\\134"', 'b=\\134'),
|
||||
+ (r'a="b=\\\""', 'b=\\"'),
|
||||
+ (r'a="b=\\\042"', 'b=\\"'),
|
||||
+ (r'a="b=\134\""', 'b=\\"'),
|
||||
+ (r'a="b=\134\042"', 'b=\\"'),
|
||||
+ ]
|
||||
+ for encoded, decoded in cases:
|
||||
+ with self.subTest(encoded):
|
||||
+ C = cookies.SimpleCookie()
|
||||
+ C.load(encoded)
|
||||
+ self.assertEqual(C['a'].value, decoded)
|
||||
+
|
||||
+ @support.requires_resource('cpu')
|
||||
+ def test_unquote_large(self):
|
||||
+ n = 10**6
|
||||
+ for encoded in r'\\', r'\134':
|
||||
+ with self.subTest(encoded):
|
||||
+ data = 'a="b=' + encoded*n + ';"'
|
||||
+ C = cookies.SimpleCookie()
|
||||
+ C.load(data)
|
||||
+ value = C['a'].value
|
||||
+ self.assertEqual(value[:3], 'b=\\')
|
||||
+ self.assertEqual(value[-2:], '\\;')
|
||||
+ self.assertEqual(len(value), n + 3)
|
||||
+
|
||||
def test_load(self):
|
||||
C = cookies.SimpleCookie()
|
||||
C.load('Customer="WILE_E_COYOTE"; Version=1; Path=/acme')
|
||||
--- /dev/null
|
||||
+++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
|
||||
@@ -0,0 +1 @@
|
||||
+Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies`.
|
122
CVE-2024-8088-zipfile-Path-sanitization.patch
Normal file
122
CVE-2024-8088-zipfile-Path-sanitization.patch
Normal file
@ -0,0 +1,122 @@
|
||||
From 0d480f2766db5313cf311c4f7ec3fd6f9e09615f Mon Sep 17 00:00:00 2001
|
||||
From: "Jason R. Coombs" <jaraco@jaraco.com>
|
||||
Date: Sun, 11 Aug 2024 19:48:50 -0400
|
||||
Subject: [PATCH 1/2] gh-122905: Sanitize names in zipfile.Path. (#122906)
|
||||
|
||||
Ported from zipp 3.19.1; ref jaraco/zipp#119.
|
||||
|
||||
(cherry picked from commit 9cd03263100ddb1657826cc4a71470786cab3932)
|
||||
---
|
||||
Lib/test/test_zipfile.py | 17 ++
|
||||
Lib/zipfile.py | 61 +++++++++-
|
||||
Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst | 1
|
||||
3 files changed, 78 insertions(+), 1 deletion(-)
|
||||
create mode 100644 Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
|
||||
|
||||
--- a/Lib/test/test_zipfile.py
|
||||
+++ b/Lib/test/test_zipfile.py
|
||||
@@ -3660,6 +3660,23 @@ with zipfile.ZipFile(io.BytesIO(), "w")
|
||||
zipfile.Path(zf)
|
||||
zf.extractall(source_path.parent)
|
||||
|
||||
+ def test_malformed_paths(self):
|
||||
+ """
|
||||
+ Path should handle malformed paths.
|
||||
+ """
|
||||
+ data = io.BytesIO()
|
||||
+ zf = zipfile.ZipFile(data, "w")
|
||||
+ zf.writestr("/one-slash.txt", b"content")
|
||||
+ zf.writestr("//two-slash.txt", b"content")
|
||||
+ zf.writestr("../parent.txt", b"content")
|
||||
+ zf.filename = ''
|
||||
+ root = zipfile.Path(zf)
|
||||
+ assert list(map(str, root.iterdir())) == [
|
||||
+ 'one-slash.txt',
|
||||
+ 'two-slash.txt',
|
||||
+ 'parent.txt',
|
||||
+ ]
|
||||
+
|
||||
|
||||
class EncodedMetadataTests(unittest.TestCase):
|
||||
file_names = ['\u4e00', '\u4e8c', '\u4e09'] # Han 'one', 'two', 'three'
|
||||
--- a/Lib/zipfile.py
|
||||
+++ b/Lib/zipfile.py
|
||||
@@ -9,6 +9,7 @@ import io
|
||||
import itertools
|
||||
import os
|
||||
import posixpath
|
||||
+import re
|
||||
import shutil
|
||||
import stat
|
||||
import struct
|
||||
@@ -2245,7 +2246,65 @@ def _difference(minuend, subtrahend):
|
||||
return itertools.filterfalse(set(subtrahend).__contains__, minuend)
|
||||
|
||||
|
||||
-class CompleteDirs(ZipFile):
|
||||
+class SanitizedNames:
|
||||
+ """
|
||||
+ ZipFile mix-in to ensure names are sanitized.
|
||||
+ """
|
||||
+
|
||||
+ def namelist(self):
|
||||
+ return list(map(self._sanitize, super().namelist()))
|
||||
+
|
||||
+ @staticmethod
|
||||
+ def _sanitize(name):
|
||||
+ r"""
|
||||
+ Ensure a relative path with posix separators and no dot names.
|
||||
+ Modeled after
|
||||
+ https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
|
||||
+ but provides consistent cross-platform behavior.
|
||||
+ >>> san = SanitizedNames._sanitize
|
||||
+ >>> san('/foo/bar')
|
||||
+ 'foo/bar'
|
||||
+ >>> san('//foo.txt')
|
||||
+ 'foo.txt'
|
||||
+ >>> san('foo/.././bar.txt')
|
||||
+ 'foo/bar.txt'
|
||||
+ >>> san('foo../.bar.txt')
|
||||
+ 'foo../.bar.txt'
|
||||
+ >>> san('\\foo\\bar.txt')
|
||||
+ 'foo/bar.txt'
|
||||
+ >>> san('D:\\foo.txt')
|
||||
+ 'D/foo.txt'
|
||||
+ >>> san('\\\\server\\share\\file.txt')
|
||||
+ 'server/share/file.txt'
|
||||
+ >>> san('\\\\?\\GLOBALROOT\\Volume3')
|
||||
+ '?/GLOBALROOT/Volume3'
|
||||
+ >>> san('\\\\.\\PhysicalDrive1\\root')
|
||||
+ 'PhysicalDrive1/root'
|
||||
+ Retain any trailing slash.
|
||||
+ >>> san('abc/')
|
||||
+ 'abc/'
|
||||
+ Raises a ValueError if the result is empty.
|
||||
+ >>> san('../..')
|
||||
+ Traceback (most recent call last):
|
||||
+ ...
|
||||
+ ValueError: Empty filename
|
||||
+ """
|
||||
+
|
||||
+ def allowed(part):
|
||||
+ return part and part not in {'..', '.'}
|
||||
+
|
||||
+ # Remove the drive letter.
|
||||
+ # Don't use ntpath.splitdrive, because that also strips UNC paths
|
||||
+ bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
|
||||
+ clean = bare.replace('\\', '/')
|
||||
+ parts = clean.split('/')
|
||||
+ joined = '/'.join(filter(allowed, parts))
|
||||
+ if not joined:
|
||||
+ raise ValueError("Empty filename")
|
||||
+ return joined + '/' * name.endswith('/')
|
||||
+
|
||||
+
|
||||
+class CompleteDirs(SanitizedNames, ZipFile):
|
||||
"""
|
||||
A ZipFile subclass that ensures that implied directories
|
||||
are always included in the namelist.
|
||||
--- /dev/null
|
||||
+++ b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
|
||||
@@ -0,0 +1 @@
|
||||
+:class:`zipfile.Path` objects now sanitize names from the zipfile.
|
@ -1,3 +1,15 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 19 13:14:43 UTC 2024 - Matej Cepl <mcepl@suse.com>
|
||||
|
||||
- Add CVE-2024-8088-zipfile-Path-sanitization.patch sanitizing
|
||||
names in zipfile.Path (bsc#1229704, CVE-2024-8088).
|
||||
- Add CVE-2024-6232-ReDOS-backtrack-tarfile.patch removing
|
||||
backtracking when parsing tarfile headers (bsc#1230227,
|
||||
CVE-2024-6232).
|
||||
- Add CVE-2024-7592-quad-complex-cookies.patch fixing quadratic
|
||||
complexity in parsing "-quoted cookie values with backslashes
|
||||
(bsc#1229596, CVE-2024-7592).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Aug 3 17:28:26 UTC 2024 - Matej Cepl <mcepl@suse.com>
|
||||
|
||||
|
@ -185,6 +185,15 @@ Patch20: CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
|
||||
# PATCH-FIX-UPSTREAM CVE-2024-6923-email-hdr-inject.patch bsc#1228780 mcepl@suse.com
|
||||
# prevent email header injection, patch from gh#python/cpython!122608
|
||||
Patch21: CVE-2024-6923-email-hdr-inject.patch
|
||||
# PATCH-FIX-UPSTREAM CVE-2024-8088-zipfile-Path-sanitization.patch bsc#1229704 mcepl@suse.com
|
||||
# sanitizing names in zipfile.Path
|
||||
Patch22: CVE-2024-8088-zipfile-Path-sanitization.patch
|
||||
# PATCH-FIX-UPSTREAM CVE-2024-6232-ReDOS-backtrack-tarfile.patch bsc#1230227 mcepl@suse.com
|
||||
# removing backtracking when parsing tarfile headers
|
||||
Patch23: CVE-2024-6232-ReDOS-backtrack-tarfile.patch
|
||||
# PATCH-FIX-UPSTREAM CVE-2024-7592-quad-complex-cookies.patch bsc#1229596 mcepl@suse.com
|
||||
# fixing quadratic complexity in parsing "-quoted cookie values with backslashes
|
||||
Patch24: CVE-2024-7592-quad-complex-cookies.patch
|
||||
BuildRequires: autoconf-archive
|
||||
BuildRequires: automake
|
||||
BuildRequires: fdupes
|
||||
@ -427,29 +436,13 @@ other applications.
|
||||
|
||||
%prep
|
||||
%setup -q -n %{tarname}
|
||||
%patch -p1 -P 02
|
||||
%patch -p1 -P 03
|
||||
%patch -p1 -P 04
|
||||
%patch -p1 -P 05
|
||||
%patch -p1 -P 06
|
||||
%patch -p1 -P 07
|
||||
%patch -p1 -P 08
|
||||
%autopatch -p1 -M 08
|
||||
|
||||
%if 0%{?suse_version} <= 1500
|
||||
%patch -P 09 -p1
|
||||
%endif
|
||||
|
||||
%patch -p1 -P 10
|
||||
%patch -p1 -P 11
|
||||
%patch -p1 -P 13
|
||||
%patch -p1 -P 14
|
||||
%patch -p1 -P 15
|
||||
%patch -p1 -P 16
|
||||
%patch -p1 -P 17
|
||||
%patch -p1 -P 18
|
||||
%patch -p1 -P 19
|
||||
%patch -p1 -P 20
|
||||
%patch -p1 -P 21
|
||||
%autopatch -p1 -m 10
|
||||
|
||||
# drop Autoconf version requirement
|
||||
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
|
||||
|
Loading…
Reference in New Issue
Block a user