Accepting request 736435 from home:mcepl:branches:devel:languages:python:Factory

- Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing bsc#1153238 (aka CVE-2019-16935) fixing a reflected XSS in python/Lib/DocXMLRPCServer.py OBS-URL: https://build.opensuse.org/request/show/736435 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=253
2019-10-09 10:17:50 +00:00 · 2019-10-09 10:17:50 +00:00 · f5ffed7eba
commit f5ffed7eba
parent e4bf1a5dfb
5 changed files with 97 additions and 0 deletions
--- a/CVE-2019-16935-xmlrpc-doc-server_title.patch
+++ b/CVE-2019-16935-xmlrpc-doc-server_title.patch
@ -0,0 +1,76 @@
+From b41cde823d026f2adc21ef14b1c2e92b1006de06 Mon Sep 17 00:00:00 2001
+From: Dong-hee Na <donghee.na92@gmail.com>
+Date: Sat, 28 Sep 2019 10:17:25 +0900
+Subject: [PATCH 1/3] [2.7] bpo-38243: Escape the server title of
+ DocXMLRPCServer when rendering
+
+--- a/Lib/DocXMLRPCServer.py
+++ b/Lib/DocXMLRPCServer.py
+@@ -20,6 +20,16 @@ from SimpleXMLRPCServer import (SimpleXM
+             CGIXMLRPCRequestHandler,
+             resolve_dotted_attribute)
+ 
+
+def _html_escape_quote(s):
+    s = s.replace("&", "&amp;") # Must be done first!
+    s = s.replace("<", "&lt;")
+    s = s.replace(">", "&gt;")
+    s = s.replace('"', "&quot;")
+    s = s.replace('\'', "&#x27;")
+    return s
+
+
+ class ServerHTMLDoc(pydoc.HTMLDoc):
+     """Class used to generate pydoc HTML document for a server"""
+ 
+@@ -210,7 +220,8 @@ class XMLRPCDocGenerator:
+                                 methods
+                             )
+ 
+-        return documenter.page(self.server_title, documentation)
+        title = _html_escape_quote(self.server_title)
+        return documenter.page(title, documentation)
+ 
+ class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
+     """XML-RPC and documentation request handler class.
+--- a/Lib/test/test_docxmlrpc.py
+++ b/Lib/test/test_docxmlrpc.py
+@@ -1,5 +1,6 @@
+ from DocXMLRPCServer import DocXMLRPCServer
+ import httplib
+import re
+ import sys
+ from test import test_support
+ threading = test_support.import_module('threading')
+@@ -176,6 +177,25 @@ class DocXMLRPCHTTPGETServer(unittest.Te
+         self.assertIn("""Try&nbsp;self.<strong>add</strong>,&nbsp;too.""",
+                       response.read())
+ 
+    def test_server_title_escape(self):
+        """Test that the server title and documentation
+        are escaped for HTML.
+        """
+        self.serv.set_server_title('test_title<script>')
+        self.serv.set_server_documentation('test_documentation<script>')
+        self.assertEqual('test_title<script>', self.serv.server_title)
+        self.assertEqual('test_documentation<script>',
+                self.serv.server_documentation)
+
+        generated = self.serv.generate_html_documentation()
+        title = re.search(r'<title>(.+?)</title>', generated).group()
+        documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
+        self.assertEqual('<title>Python: test_title&lt;script&gt;</title>',
+                title)
+        self.assertEqual('<p><tt>test_documentation&lt;script&gt;</tt></p>',
+                documentation)
+
+
+ def test_main():
+     test_support.run_unittest(DocXMLRPCHTTPGETServer)
+ 
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+@@ -0,0 +1,3 @@
+Escape the server title of :class:`DocXMLRPCServer.DocXMLRPCServer`
+when rendering the document page as HTML.
+(Contributed by Dong-hee Na in :issue:`38243`.)
--- a/python-base.changes
+++ b/python-base.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Oct  8 19:46:52 CEST 2019 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing
+  bsc#1153238 (aka CVE-2019-16935) fixing a reflected XSS in
+  python/Lib/DocXMLRPCServer.py
+
 -------------------------------------------------------------------
 Wed Sep 25 13:25:33 UTC 2019 - Bernhard Wiedemann <bwiedemann@suse.com>

--- a/python-base.spec
+++ b/python-base.spec
@ -86,6 +86,9 @@ Patch53:        CVE-2019-9947-no-ctrl-char-http.patch
 Patch54:        CVE-2018-20852-cookie-domain-check.patch
 # PATCH-FIX-UPSTREAM https://github.com/python/cpython/pull/12341
 Patch55:        bpo36302-sort-module-sources.patch
+# PATCH-FIX-UPSTREAM CVE-2019-16935-xmlrpc-doc-server_title.patch bsc#1153238 mcepl@suse.com
+# XSS vulnerability in the documentation XML-RPC server in server_title field
+Patch56:        CVE-2019-16935-xmlrpc-doc-server_title.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@ -202,6 +205,7 @@ other applications.
 %patch53 -p1
 %patch54 -p1
 %patch55 -p1
+%patch56 -p1

 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
--- a/python-doc.spec
+++ b/python-doc.spec
@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #

+
 Name:           python-doc
 Version:        2.7.16
 Release:        0
@ -85,6 +86,9 @@ Patch53:        CVE-2019-9947-no-ctrl-char-http.patch
 Patch54:        CVE-2018-20852-cookie-domain-check.patch
 # PATCH-FIX-UPSTREAM https://github.com/python/cpython/pull/12341
 Patch55:        bpo36302-sort-module-sources.patch
+# PATCH-FIX-UPSTREAM CVE-2019-16935-xmlrpc-doc-server_title.patch bsc#1153238 mcepl@suse.com
+# XSS vulnerability in the documentation XML-RPC server in server_title field
+Patch56:        CVE-2019-16935-xmlrpc-doc-server_title.patch
 # COMMON-PATCH-END
 Provides:       pyth_doc
 Provides:       pyth_ps
@ -147,6 +151,7 @@ Python, and Macintosh Module Reference in PDF format.
 %patch53 -p1
 %patch54 -p1
 %patch55 -p1
+%patch56 -p1

 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
--- a/python.spec
+++ b/python.spec
@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #

+
 Name:           python
 Version:        2.7.16
 Release:        0
@ -90,6 +91,9 @@ Patch53:        CVE-2019-9947-no-ctrl-char-http.patch
 Patch54:        CVE-2018-20852-cookie-domain-check.patch
 # PATCH-FIX-UPSTREAM https://github.com/python/cpython/pull/12341
 Patch55:        bpo36302-sort-module-sources.patch
+# PATCH-FIX-UPSTREAM CVE-2019-16935-xmlrpc-doc-server_title.patch bsc#1153238 mcepl@suse.com
+# XSS vulnerability in the documentation XML-RPC server in server_title field
+Patch56:        CVE-2019-16935-xmlrpc-doc-server_title.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@ -252,6 +256,7 @@ that rely on earlier non-verification behavior.
 %patch53 -p1
 %patch54 -p1
 %patch55 -p1
+%patch56 -p1

 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac