From f5ffed7eba273e58eda445fdecdd3ed1a05c683723b29499639ac8673d0190b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= <tchvatal@suse.com>
Date: Wed, 9 Oct 2019 10:17:50 +0000
Subject: [PATCH] Accepting request 736435 from
 home:mcepl:branches:devel:languages:python:Factory

- Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing
  bsc#1153238 (aka CVE-2019-16935) fixing a reflected XSS in
  python/Lib/DocXMLRPCServer.py

OBS-URL: https://build.opensuse.org/request/show/736435
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=253
---
 CVE-2019-16935-xmlrpc-doc-server_title.patch | 76 ++++++++++++++++++++
 python-base.changes                          |  7 ++
 python-base.spec                             |  4 ++
 python-doc.spec                              |  5 ++
 python.spec                                  |  5 ++
 5 files changed, 97 insertions(+)
 create mode 100644 CVE-2019-16935-xmlrpc-doc-server_title.patch

diff --git a/CVE-2019-16935-xmlrpc-doc-server_title.patch b/CVE-2019-16935-xmlrpc-doc-server_title.patch
new file mode 100644
index 0000000..0eaeb53
--- /dev/null
+++ b/CVE-2019-16935-xmlrpc-doc-server_title.patch
@@ -0,0 +1,76 @@
+From b41cde823d026f2adc21ef14b1c2e92b1006de06 Mon Sep 17 00:00:00 2001
+From: Dong-hee Na <donghee.na92@gmail.com>
+Date: Sat, 28 Sep 2019 10:17:25 +0900
+Subject: [PATCH 1/3] [2.7] bpo-38243: Escape the server title of
+ DocXMLRPCServer when rendering
+
+--- a/Lib/DocXMLRPCServer.py
++++ b/Lib/DocXMLRPCServer.py
+@@ -20,6 +20,16 @@ from SimpleXMLRPCServer import (SimpleXM
+             CGIXMLRPCRequestHandler,
+             resolve_dotted_attribute)
+ 
++
++def _html_escape_quote(s):
++    s = s.replace("&", "&amp;") # Must be done first!
++    s = s.replace("<", "&lt;")
++    s = s.replace(">", "&gt;")
++    s = s.replace('"', "&quot;")
++    s = s.replace('\'', "&#x27;")
++    return s
++
++
+ class ServerHTMLDoc(pydoc.HTMLDoc):
+     """Class used to generate pydoc HTML document for a server"""
+ 
+@@ -210,7 +220,8 @@ class XMLRPCDocGenerator:
+                                 methods
+                             )
+ 
+-        return documenter.page(self.server_title, documentation)
++        title = _html_escape_quote(self.server_title)
++        return documenter.page(title, documentation)
+ 
+ class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
+     """XML-RPC and documentation request handler class.
+--- a/Lib/test/test_docxmlrpc.py
++++ b/Lib/test/test_docxmlrpc.py
+@@ -1,5 +1,6 @@
+ from DocXMLRPCServer import DocXMLRPCServer
+ import httplib
++import re
+ import sys
+ from test import test_support
+ threading = test_support.import_module('threading')
+@@ -176,6 +177,25 @@ class DocXMLRPCHTTPGETServer(unittest.Te
+         self.assertIn("""Try&nbsp;self.<strong>add</strong>,&nbsp;too.""",
+                       response.read())
+ 
++    def test_server_title_escape(self):
++        """Test that the server title and documentation
++        are escaped for HTML.
++        """
++        self.serv.set_server_title('test_title<script>')
++        self.serv.set_server_documentation('test_documentation<script>')
++        self.assertEqual('test_title<script>', self.serv.server_title)
++        self.assertEqual('test_documentation<script>',
++                self.serv.server_documentation)
++
++        generated = self.serv.generate_html_documentation()
++        title = re.search(r'<title>(.+?)</title>', generated).group()
++        documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
++        self.assertEqual('<title>Python: test_title&lt;script&gt;</title>',
++                title)
++        self.assertEqual('<p><tt>test_documentation&lt;script&gt;</tt></p>',
++                documentation)
++
++
+ def test_main():
+     test_support.run_unittest(DocXMLRPCHTTPGETServer)
+ 
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+@@ -0,0 +1,3 @@
++Escape the server title of :class:`DocXMLRPCServer.DocXMLRPCServer`
++when rendering the document page as HTML.
++(Contributed by Dong-hee Na in :issue:`38243`.)
diff --git a/python-base.changes b/python-base.changes
index 41a3322..f361373 100644
--- a/python-base.changes
+++ b/python-base.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Oct  8 19:46:52 CEST 2019 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing
+  bsc#1153238 (aka CVE-2019-16935) fixing a reflected XSS in
+  python/Lib/DocXMLRPCServer.py
+
 -------------------------------------------------------------------
 Wed Sep 25 13:25:33 UTC 2019 - Bernhard Wiedemann <bwiedemann@suse.com>
 
diff --git a/python-base.spec b/python-base.spec
index 6cfdfc4..96f5311 100644
--- a/python-base.spec
+++ b/python-base.spec
@@ -86,6 +86,9 @@ Patch53:        CVE-2019-9947-no-ctrl-char-http.patch
 Patch54:        CVE-2018-20852-cookie-domain-check.patch
 # PATCH-FIX-UPSTREAM https://github.com/python/cpython/pull/12341
 Patch55:        bpo36302-sort-module-sources.patch
+# PATCH-FIX-UPSTREAM CVE-2019-16935-xmlrpc-doc-server_title.patch bsc#1153238 mcepl@suse.com
+# XSS vulnerability in the documentation XML-RPC server in server_title field
+Patch56:        CVE-2019-16935-xmlrpc-doc-server_title.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@@ -202,6 +205,7 @@ other applications.
 %patch53 -p1
 %patch54 -p1
 %patch55 -p1
+%patch56 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
diff --git a/python-doc.spec b/python-doc.spec
index 6114f15..e438c1b 100644
--- a/python-doc.spec
+++ b/python-doc.spec
@@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
+
 Name:           python-doc
 Version:        2.7.16
 Release:        0
@@ -85,6 +86,9 @@ Patch53:        CVE-2019-9947-no-ctrl-char-http.patch
 Patch54:        CVE-2018-20852-cookie-domain-check.patch
 # PATCH-FIX-UPSTREAM https://github.com/python/cpython/pull/12341
 Patch55:        bpo36302-sort-module-sources.patch
+# PATCH-FIX-UPSTREAM CVE-2019-16935-xmlrpc-doc-server_title.patch bsc#1153238 mcepl@suse.com
+# XSS vulnerability in the documentation XML-RPC server in server_title field
+Patch56:        CVE-2019-16935-xmlrpc-doc-server_title.patch
 # COMMON-PATCH-END
 Provides:       pyth_doc
 Provides:       pyth_ps
@@ -147,6 +151,7 @@ Python, and Macintosh Module Reference in PDF format.
 %patch53 -p1
 %patch54 -p1
 %patch55 -p1
+%patch56 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
diff --git a/python.spec b/python.spec
index f86919b..a166c98 100644
--- a/python.spec
+++ b/python.spec
@@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
+
 Name:           python
 Version:        2.7.16
 Release:        0
@@ -90,6 +91,9 @@ Patch53:        CVE-2019-9947-no-ctrl-char-http.patch
 Patch54:        CVE-2018-20852-cookie-domain-check.patch
 # PATCH-FIX-UPSTREAM https://github.com/python/cpython/pull/12341
 Patch55:        bpo36302-sort-module-sources.patch
+# PATCH-FIX-UPSTREAM CVE-2019-16935-xmlrpc-doc-server_title.patch bsc#1153238 mcepl@suse.com
+# XSS vulnerability in the documentation XML-RPC server in server_title field
+Patch56:        CVE-2019-16935-xmlrpc-doc-server_title.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@@ -252,6 +256,7 @@ that rely on earlier non-verification behavior.
 %patch53 -p1
 %patch54 -p1
 %patch55 -p1
+%patch56 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac