2021-08-10 06:45:07 +02:00
|
|
|
--- a/Lib/httplib.py
|
|
|
|
|
+++ b/Lib/httplib.py
|
|
|
|
|
@@ -449,6 +449,7 @@ class HTTPResponse:
|
|
|
|
|
if status != CONTINUE:
|
|
|
|
|
break
|
|
|
|
|
# skip the header from the 100 response
|
|
|
|
|
+ header_count = 0
|
|
|
|
|
while True:
|
|
|
|
|
skip = self.fp.readline(_MAXLINE + 1)
|
|
|
|
|
if len(skip) > _MAXLINE:
|
|
|
|
|
@@ -458,6 +459,10 @@ class HTTPResponse:
|
|
|
|
|
break
|
|
|
|
|
if self.debuglevel > 0:
|
|
|
|
|
print "header:", skip
|
2021-08-26 23:32:53 +02:00
|
|
|
+ # CVE-2021-3737: Fix infinitely reading potential HTTP headers on a 100 Continue status response from the server
|
2021-08-10 06:45:07 +02:00
|
|
|
+ header_count += 1
|
|
|
|
|
+ if header_count > _MAXHEADERS:
|
|
|
|
|
+ raise HTTPException("got more than %d headers" % _MAXHEADERS)
|
|
|
|
|
|
|
|
|
|
self.status = status
|
|
|
|
|
self.reason = reason.strip()
|
Accepting request 911251 from home:fusionfuture:branches:devel:languages:python:Factory
- Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in
request (bpo#43075, boo#1189287).
- Add missing security announcement to
bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch.
old: devel:languages:python:Factory/python
new: home:fusionfuture:branches:devel:languages:python:Factory/python rev None
Index: bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
===================================================================
--- bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch (revision 296)
+++ bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch (revision 3)
@@ -19,3 +19,8 @@
self.status = status
self.reason = reason.strip()
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst
+@@ -0,0 +1,2 @@
++mod:`http.client` now avoids infinitely reading potential HTTP headers after a
++``100 Continue`` status response from the server.
Index: python-base.changes
===================================================================
--- python-base.changes (revision 296)
+++ python-base.changes (revision 3)
@@ -1,4 +1,12 @@
-------------------------------------------------------------------
+Tue Aug 10 12:39:28 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
+
+- Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in
+ request (bpo#43075, boo#1189287).
+- Add missing security announcement to
+ bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch.
+
+-------------------------------------------------------------------
Mon Aug 9 15:16:15 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
- Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
Index: python-base.spec
===================================================================
--- python-base.spec (revision 296)
+++ python-base.spec (revision 3)
@@ -105,6 +105,8 @@
Patch62: CVE-2021-23336-only-amp-as-query-sep.patch
# PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916
Patch63: bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
+# PATCH-FIX-UPSTREAM bpo43075-fix-ReDoS-in-request.patch boo#1189287 gh#python/cpython#24391
+Patch64: bpo43075-fix-ReDoS-in-request.patch
# COMMON-PATCH-END
%define python_version %(echo %{tarversion} | head -c 3)
BuildRequires: automake
@@ -233,6 +235,7 @@
%patch61 -p1
%patch62 -p1
%patch63 -p1
+%patch64 -p1
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac
Index: python-doc.changes
===================================================================
--- python-doc.changes (revision 296)
+++ python-doc.changes (revision 3)
@@ -1,4 +1,12 @@
-------------------------------------------------------------------
+Tue Aug 10 12:39:28 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
+
+- Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in
+ request (bpo#43075, boo#1189287).
+- Add missing security announcement to
+ bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch.
+
+-------------------------------------------------------------------
Mon Aug 9 15:16:15 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
- Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
Index: python-doc.spec
===================================================================
--- python-doc.spec (revision 296)
+++ python-doc.spec (revision 3)
@@ -107,6 +107,8 @@
Patch62: CVE-2021-23336-only-amp-as-query-sep.patch
# PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916
Patch63: bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
+# PATCH-FIX-UPSTREAM bpo43075-fix-ReDoS-in-request.patch boo#1189287 gh#python/cpython#24391
+Patch64: bpo43075-fix-ReDoS-in-request.patch
# COMMON-PATCH-END
Provides: pyth_doc
Provides: pyth_ps
@@ -177,6 +179,7 @@
%patch61 -p1
%patch62 -p1
%patch63 -p1
+%patch64 -p1
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac
Index: python.changes
===================================================================
--- python.changes (revision 296)
+++ python.changes (revision 3)
@@ -1,4 +1,12 @@
-------------------------------------------------------------------
+Tue Aug 10 12:39:28 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
+
+- Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in
+ request (bpo#43075, boo#1189287).
+- Add missing security announcement to
+ bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch.
+
+-------------------------------------------------------------------
Mon Aug 9 15:16:15 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
- Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
Index: python.spec
===================================================================
--- python.spec (revision 296)
+++ python.spec (revision 3)
@@ -107,6 +107,8 @@
Patch62: CVE-2021-23336-only-amp-as-query-sep.patch
# PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916
Patch63: bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
+# PATCH-FIX-UPSTREAM bpo43075-fix-ReDoS-in-request.patch boo#1189287 gh#python/cpython#24391
+Patch64: bpo43075-fix-ReDoS-in-request.patch
# COMMON-PATCH-END
BuildRequires: automake
BuildRequires: db-devel
@@ -291,6 +293,7 @@
%patch61 -p1
%patch62 -p1
%patch63 -p1
+%patch64 -p1
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac
Index: bpo43075-fix-ReDoS-in-request.patch
===================================================================
--- bpo43075-fix-ReDoS-in-request.patch (added)
+++ bpo43075-fix-ReDoS-in-request.patch (revision 3)
@@ -0,0 +1,15 @@
+--- a/Lib/urllib2.py
++++ b/Lib/urllib2.py
+@@ -856,7 +856,7 @@ class AbstractBasicAuthHandler:
+
+ # allow for double- and single-quoted realm values
+ # (single quotes are a violation of the RFC, but appear in the wild)
+- rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+'
++ rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t,]+)[ \t]+'
+ 'realm=(["\']?)([^"\']*)\\2', re.I)
+
+ # XXX could pre-emptively send auth info already accepted (RFC 2617,
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
+@@ -0,0 +1 @@
++Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
OBS-URL: https://build.opensuse.org/request/show/911251
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=297
2021-08-10 14:55:29 +02:00
|
|
|
--- /dev/null
|
|
|
|
|
+++ b/Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst
|
|
|
|
|
@@ -0,0 +1,2 @@
|
|
|
|
|
+mod:`http.client` now avoids infinitely reading potential HTTP headers after a
|
|
|
|
|
+``100 Continue`` status response from the server.
|