From 2f5ed5b585f98314075c50fddd23a5fe27e7d9e407d73dffa8251a0430c951dc Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Fri, 3 May 2019 15:46:24 +0000 Subject: [PATCH] Accepting request 700428 from home:mcepl:branches:devel:languages:python:Factory - bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch Address the issue by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause a ValueError to be raised. OBS-URL: https://build.opensuse.org/request/show/700428 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=243 --- CVE-2019-9947-no-ctrl-char-http.patch | 108 ++++++++++++++++++++++++++ python-base.changes | 9 +++ python-base.spec | 4 + python-doc.spec | 4 + python.spec | 4 + 5 files changed, 129 insertions(+) create mode 100644 CVE-2019-9947-no-ctrl-char-http.patch diff --git a/CVE-2019-9947-no-ctrl-char-http.patch b/CVE-2019-9947-no-ctrl-char-http.patch new file mode 100644 index 0000000..93347c4 --- /dev/null +++ b/CVE-2019-9947-no-ctrl-char-http.patch @@ -0,0 +1,108 @@ +--- a/Lib/httplib.py ++++ b/Lib/httplib.py +@@ -247,6 +247,15 @@ _MAXHEADERS = 100 + _is_legal_header_name = re.compile(r'\A[^:\s][^:\r\n]*\Z').match + _is_illegal_header_value = re.compile(r'\n(?![ \t])|\r(?![ \t\n])').search + ++# These characters are not allowed within http URL paths. ++# https://tools.ietf.org/html/rfc3986#section-3.3 ++# in order to prevent CVE-2019-9740. ++# We don't restrict chars above \x7f as putrequest() limits us to ASCII. ++_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]') ++# Arguably only these _should_ allowed: ++# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$") ++# We are more lenient for assumed real world compatibility purposes. ++ + # We always set the Content-Length header for these methods because some + # servers will otherwise respond with a 411 + _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'} +@@ -927,6 +936,9 @@ class HTTPConnection: + self._method = method + if not url: + url = '/' ++ # Prevent CVE-2019-9740. ++ if _contains_disallowed_url_pchar_re.search(url): ++ raise InvalidURL("URL can't contain control characters. {0!r}".format(url)) + hdr = '%s %s %s' % (method, url, self._http_vsn_str) + + self._output(hdr) +--- a/Lib/test/test_urllib.py ++++ b/Lib/test/test_urllib.py +@@ -2,6 +2,7 @@ + + import collections + import urllib ++import urllib2 + import httplib + import io + import unittest +@@ -13,6 +14,11 @@ import tempfile + from test import test_support + from base64 import b64encode + ++try: ++ import ssl ++except ImportError: ++ ssl = None ++ + + def hexescape(char): + """Escape char as RFC 2396 specifies""" +@@ -364,6 +370,31 @@ Connection: close + finally: + self.unfakehttp() + ++ def test_url_with_newline_header_injection_rejected(self): ++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.") ++ host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123" ++ schemeless_url = "//" + host + ":8080/test/?test=a" ++ try: ++ # We explicitly test urllib.request.urlopen() instead of the top ++ # level 'def urlopen()' function defined in this... (quite ugly) ++ # test suite. they use different url opening codepaths. plain ++ # urlopen uses FancyURLOpener which goes via a codepath that ++ # calls urllib.parse.quote() on the URL which makes all of the ++ # above attempts at injection within the url _path_ safe. ++ with self.assertRaisesRegexp(httplib.InvalidURL, ++ r"contain control.*\\r"): ++ urllib2.urlopen("http:{0}".format(schemeless_url)) ++ if ssl is not None: ++ with self.assertRaisesRegexp(httplib.InvalidURL, ++ r"contain control.*\\n"): ++ urllib2.urlopen("https:{0}".format(schemeless_url)) ++ # This code path quotes the URL so there is no injection. ++ resp = urllib.urlopen("http:{0}".format(schemeless_url)) ++ self.assertNotIn(' ', resp.geturl()) ++ self.assertNotIn('\r', resp.geturl()) ++ self.assertNotIn('\n', resp.geturl()) ++ finally: ++ self.unfakehttp() + + class urlretrieve_FileTests(unittest.TestCase): + """Test urllib.urlretrieve() on local files""" +--- a/Lib/test/test_xmlrpc.py ++++ b/Lib/test/test_xmlrpc.py +@@ -1,4 +1,5 @@ + import base64 ++import contextlib + import datetime + import sys + import time +@@ -658,9 +659,14 @@ class SimpleServerTestCase(BaseServerTes + + def test_partial_post(self): + # Check that a partial POST doesn't make the server loop: issue #14001. +- conn = httplib.HTTPConnection(ADDR, PORT) +- conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye') +- conn.close() ++ with contextlib.closing(socket.create_connection((ADDR, PORT))) as conn: ++ conn.send(('POST /RPC2 HTTP/1.0\r\n' + ++ 'Content-Length: 100\r\n\r\n' + ++ 'bye HTTP/1.1\r\n' + ++ 'Host: {0}:{1}\r\n'.format(ADDR, PORT) + ++ 'Accept-Encoding: identity\r\n' + ++ 'Content-Length: 0\r\n\r\n').encode('ascii')) ++ + + class SimpleServerEncodingTestCase(BaseServerTestCase): + @staticmethod diff --git a/python-base.changes b/python-base.changes index 692fca5..5b9b961 100644 --- a/python-base.changes +++ b/python-base.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Thu May 2 08:40:33 CEST 2019 - Matej Cepl + +- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch + Address the issue by disallowing URL paths with embedded + whitespace or control characters through into the underlying + http client request. Such potentially malicious header + injection URLs now cause a ValueError to be raised. + ------------------------------------------------------------------- Mon Apr 8 22:40:01 CEST 2019 - Matej Cepl diff --git a/python-base.spec b/python-base.spec index c7210c5..1bc5736 100644 --- a/python-base.spec +++ b/python-base.spec @@ -78,6 +78,9 @@ Patch51: CVE-2019-9636-netloc-no-decompose-characters.patch # PATCH-FIX-UPSTREAM CVE-2019-9948-avoid_local-file.patch bsc#1130847 mcepl@suse.com # removing unnecessary (and potentially harmful) URL scheme local-file:// Patch52: CVE-2019-9948-avoid_local-file.patch +# PATCH-FIX-UPSTREAM CVE-2019-9947-no-ctrl-char-http.patch bsc#1130840 mcepl@suse.com +# bpo#30458: Disallow control chars in http URLs. +Patch53: CVE-2019-9947-no-ctrl-char-http.patch # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake @@ -191,6 +194,7 @@ other applications. %patch50 -p1 %patch51 -p1 %patch52 -p1 +%patch53 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac diff --git a/python-doc.spec b/python-doc.spec index 05333b2..0735385 100644 --- a/python-doc.spec +++ b/python-doc.spec @@ -78,6 +78,9 @@ Patch51: CVE-2019-9636-netloc-no-decompose-characters.patch # PATCH-FIX-UPSTREAM CVE-2019-9948-avoid_local-file.patch bsc#1130847 mcepl@suse.com # removing unnecessary (and potentially harmful) URL scheme local-file:// Patch52: CVE-2019-9948-avoid_local-file.patch +# PATCH-FIX-UPSTREAM CVE-2019-9947-no-ctrl-char-http.patch bsc#1130840 mcepl@suse.com +# bpo#30458: Disallow control chars in http URLs. +Patch53: CVE-2019-9947-no-ctrl-char-http.patch # COMMON-PATCH-END Provides: pyth_doc Provides: pyth_ps @@ -137,6 +140,7 @@ Python, and Macintosh Module Reference in PDF format. %patch50 -p1 %patch51 -p1 %patch52 -p1 +%patch53 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac diff --git a/python.spec b/python.spec index 5779f1a..9ea530a 100644 --- a/python.spec +++ b/python.spec @@ -83,6 +83,9 @@ Patch51: CVE-2019-9636-netloc-no-decompose-characters.patch # PATCH-FIX-UPSTREAM CVE-2019-9948-avoid_local-file.patch bsc#1130847 mcepl@suse.com # removing unnecessary (and potentially harmful) URL scheme local-file:// Patch52: CVE-2019-9948-avoid_local-file.patch +# PATCH-FIX-UPSTREAM CVE-2019-9947-no-ctrl-char-http.patch bsc#1130840 mcepl@suse.com +# bpo#30458: Disallow control chars in http URLs. +Patch53: CVE-2019-9947-no-ctrl-char-http.patch # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel @@ -243,6 +246,7 @@ that rely on earlier non-verification behavior. %patch50 -p1 %patch51 -p1 %patch52 -p1 +%patch53 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac