Accepting request 700428 from home:mcepl:branches:devel:languages:python:Factory

- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch
  Address the issue by disallowing URL paths with embedded
  whitespace or control characters through into the underlying
  http client request. Such potentially malicious header
  injection URLs now cause a ValueError to be raised.

OBS-URL: https://build.opensuse.org/request/show/700428
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=243

CVE-2019-9947-no-ctrl-char-http.patch

@@ -0,0 +1,108 @@
+--- a/Lib/httplib.py
++++ b/Lib/httplib.py
+@@ -247,6 +247,15 @@ _MAXHEADERS = 100
+ _is_legal_header_name = re.compile(r'\A[^:\s][^:\r\n]*\Z').match
+ _is_illegal_header_value = re.compile(r'\n(?![ \t])|\r(?![ \t\n])').search
+ 
++# These characters are not allowed within http URL paths.
++#  https://tools.ietf.org/html/rfc3986#section-3.3
++# in order to prevent CVE-2019-9740.
++# We don't restrict chars above \x7f as putrequest() limits us to ASCII.
++_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
++# Arguably only these _should_ allowed:
++#  _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
++# We are more lenient for assumed real world compatibility purposes.
++
+ # We always set the Content-Length header for these methods because some
+ # servers will otherwise respond with a 411
+ _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
+@@ -927,6 +936,9 @@ class HTTPConnection:
+         self._method = method
+         if not url:
+             url = '/'
++        # Prevent CVE-2019-9740.
++        if _contains_disallowed_url_pchar_re.search(url):
++            raise InvalidURL("URL can't contain control characters. {0!r}".format(url))
+         hdr = '%s %s %s' % (method, url, self._http_vsn_str)
+ 
+         self._output(hdr)
+--- a/Lib/test/test_urllib.py
++++ b/Lib/test/test_urllib.py
+@@ -2,6 +2,7 @@
+ 
+ import collections
+ import urllib
++import urllib2
+ import httplib
+ import io
+ import unittest
+@@ -13,6 +14,11 @@ import tempfile
+ from test import test_support
+ from base64 import b64encode
+ 
++try:
++    import ssl
++except ImportError:
++    ssl = None
++
+ 
+ def hexescape(char):
+     """Escape char as RFC 2396 specifies"""
+@@ -364,6 +370,31 @@ Connection: close
+         finally:
+             self.unfakehttp()
+ 
++    def test_url_with_newline_header_injection_rejected(self):
++        self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++        host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
++        schemeless_url = "//" + host + ":8080/test/?test=a"
++        try:
++            # We explicitly test urllib.request.urlopen() instead of the top
++            # level 'def urlopen()' function defined in this... (quite ugly)
++            # test suite.  they use different url opening codepaths.  plain
++            # urlopen uses FancyURLOpener which goes via a codepath that
++            # calls urllib.parse.quote() on the URL which makes all of the
++            # above attempts at injection within the url _path_ safe.
++            with self.assertRaisesRegexp(httplib.InvalidURL,
++                                         r"contain control.*\\r"):
++                urllib2.urlopen("http:{0}".format(schemeless_url))
++            if ssl is not None:
++                with self.assertRaisesRegexp(httplib.InvalidURL,
++                                             r"contain control.*\\n"):
++                    urllib2.urlopen("https:{0}".format(schemeless_url))
++            # This code path quotes the URL so there is no injection.
++            resp = urllib.urlopen("http:{0}".format(schemeless_url))
++            self.assertNotIn(' ', resp.geturl())
++            self.assertNotIn('\r', resp.geturl())
++            self.assertNotIn('\n', resp.geturl())
++        finally:
++            self.unfakehttp()
+ 
+ class urlretrieve_FileTests(unittest.TestCase):
+     """Test urllib.urlretrieve() on local files"""
+--- a/Lib/test/test_xmlrpc.py
++++ b/Lib/test/test_xmlrpc.py
+@@ -1,4 +1,5 @@
+ import base64
++import contextlib
+ import datetime
+ import sys
+ import time
+@@ -658,9 +659,14 @@ class SimpleServerTestCase(BaseServerTes
+ 
+     def test_partial_post(self):
+         # Check that a partial POST doesn't make the server loop: issue #14001.
+-        conn = httplib.HTTPConnection(ADDR, PORT)
+-        conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye')
+-        conn.close()
++        with contextlib.closing(socket.create_connection((ADDR, PORT))) as conn:
++            conn.send(('POST /RPC2 HTTP/1.0\r\n' +
++                      'Content-Length: 100\r\n\r\n' +
++                      'bye HTTP/1.1\r\n' +
++                      'Host: {0}:{1}\r\n'.format(ADDR, PORT) +
++                      'Accept-Encoding: identity\r\n' +
++                      'Content-Length: 0\r\n\r\n').encode('ascii'))
++
+ 
+ class SimpleServerEncodingTestCase(BaseServerTestCase):
+     @staticmethod

python-base.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu May  2 08:40:33 CEST 2019 - Matej Cepl <mcepl@suse.com>
+
+- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch
+  Address the issue by disallowing URL paths with embedded
+  whitespace or control characters through into the underlying
+  http client request. Such potentially malicious header
+  injection URLs now cause a ValueError to be raised.
+
 -------------------------------------------------------------------
 Mon Apr  8 22:40:01 CEST 2019 - Matej Cepl <mcepl@suse.com>
 

python-base.spec

@@ -78,6 +78,9 @@ Patch51:        CVE-2019-9636-netloc-no-decompose-characters.patch
 # PATCH-FIX-UPSTREAM CVE-2019-9948-avoid_local-file.patch bsc#1130847 mcepl@suse.com
 # removing unnecessary (and potentially harmful) URL scheme local-file://
 Patch52:        CVE-2019-9948-avoid_local-file.patch
+# PATCH-FIX-UPSTREAM CVE-2019-9947-no-ctrl-char-http.patch bsc#1130840 mcepl@suse.com
+# bpo#30458: Disallow control chars in http URLs.
+Patch53:        CVE-2019-9947-no-ctrl-char-http.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@@ -191,6 +194,7 @@ other applications.
 %patch50 -p1
 %patch51 -p1
 %patch52 -p1
+%patch53 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac

python-doc.spec

@@ -78,6 +78,9 @@ Patch51:        CVE-2019-9636-netloc-no-decompose-characters.patch
 # PATCH-FIX-UPSTREAM CVE-2019-9948-avoid_local-file.patch bsc#1130847 mcepl@suse.com
 # removing unnecessary (and potentially harmful) URL scheme local-file://
 Patch52:        CVE-2019-9948-avoid_local-file.patch
+# PATCH-FIX-UPSTREAM CVE-2019-9947-no-ctrl-char-http.patch bsc#1130840 mcepl@suse.com
+# bpo#30458: Disallow control chars in http URLs.
+Patch53:        CVE-2019-9947-no-ctrl-char-http.patch
 # COMMON-PATCH-END
 Provides:       pyth_doc
 Provides:       pyth_ps
@@ -137,6 +140,7 @@ Python, and Macintosh Module Reference in PDF format.
 %patch50 -p1
 %patch51 -p1
 %patch52 -p1
+%patch53 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac

python.spec

@@ -83,6 +83,9 @@ Patch51:        CVE-2019-9636-netloc-no-decompose-characters.patch
 # PATCH-FIX-UPSTREAM CVE-2019-9948-avoid_local-file.patch bsc#1130847 mcepl@suse.com
 # removing unnecessary (and potentially harmful) URL scheme local-file://
 Patch52:        CVE-2019-9948-avoid_local-file.patch
+# PATCH-FIX-UPSTREAM CVE-2019-9947-no-ctrl-char-http.patch bsc#1130840 mcepl@suse.com
+# bpo#30458: Disallow control chars in http URLs.
+Patch53:        CVE-2019-9947-no-ctrl-char-http.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@@ -243,6 +246,7 @@ that rely on earlier non-verification behavior.
 %patch50 -p1
 %patch51 -p1
 %patch52 -p1
+%patch53 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac