Matej Cepl
793c3bb790
(CVE-2019-20907, bpo#39017) avoiding possible infinite loop
in specifically crafted tarball.
Add recursion.tar as a testing tarball for the patch.
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
- Add CVE-2020-26116-httplib-header-injection.patch fixing bsc#1177211
(CVE-2020-26116, bpo#39603) no longer allowing special characters in
the method parameter of HTTPConnection.putrequest in httplib, stopping
injection of headers. Such characters now raise ValueError.
- bsc#1155094 (CVE-2019-18348) Disallow control characters in
hostnames in http.client. Such potentially malicious header
injection URLs now cause a InvalidURL to be raised.
- bsc#1109847 (CVE-2018-14647): add
CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing
bpo-34623.
fixing bpo-35746 (CVE-2019-5010).
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=304
78 lines
2.4 KiB
Diff
78 lines
2.4 KiB
Diff
---
|
|
Lib/httplib.py | 15 +++++++++++++++
|
|
Lib/test/test_httplib.py | 22 +++++++++++++++++++++-
|
|
2 files changed, 36 insertions(+), 1 deletion(-)
|
|
|
|
--- a/Lib/httplib.py
|
|
+++ b/Lib/httplib.py
|
|
@@ -262,6 +262,10 @@ _contains_disallowed_url_pchar_re = re.c
|
|
_METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
|
|
|
|
|
|
+# These characters are not allowed within HTTP method names
|
|
+# to prevent http header injection.
|
|
+_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
|
|
+
|
|
class HTTPMessage(mimetools.Message):
|
|
|
|
def addheader(self, key, value):
|
|
@@ -940,6 +944,8 @@ class HTTPConnection:
|
|
else:
|
|
raise CannotSendRequest()
|
|
|
|
+ self._validate_method(method)
|
|
+
|
|
# Save the method for use later in the response phase
|
|
self._method = method
|
|
|
|
@@ -1179,6 +1185,15 @@ class HTTPConnection:
|
|
response.close()
|
|
raise
|
|
|
|
+ def _validate_method(self, method):
|
|
+ """Validate a method name for putrequest."""
|
|
+ # prevent http header injection
|
|
+ match = _contains_disallowed_method_pchar_re.search(method)
|
|
+ if match:
|
|
+ raise ValueError(
|
|
+ "method can't contain control characters. %r (found at "
|
|
+ "least %r)" % (method, match.group()))
|
|
+
|
|
|
|
class HTTP:
|
|
"Compatibility class with httplib.py from 1.5."
|
|
--- a/Lib/test/test_httplib.py
|
|
+++ b/Lib/test/test_httplib.py
|
|
@@ -1007,10 +1007,30 @@ class TunnelTests(TestCase):
|
|
self.assertTrue('Host: destination.com' in conn.sock.data)
|
|
|
|
|
|
+class HttpMethodTests(TestCase):
|
|
+ def test_invalid_method_names(self):
|
|
+ methods = (
|
|
+ 'GET\r',
|
|
+ 'POST\n',
|
|
+ 'PUT\n\r',
|
|
+ 'POST\nValue',
|
|
+ 'POST\nHOST:abc',
|
|
+ 'GET\nrHost:abc\n',
|
|
+ 'POST\rRemainder:\r',
|
|
+ 'GET\rHOST:\n',
|
|
+ '\nPUT'
|
|
+ )
|
|
+
|
|
+ for method in methods:
|
|
+ conn = httplib.HTTPConnection('example.com')
|
|
+ conn.sock = FakeSocket(None)
|
|
+ self.assertRaises(ValueError, conn.request, method=method, url="/")
|
|
+
|
|
+
|
|
@test_support.reap_threads
|
|
def test_main(verbose=None):
|
|
test_support.run_unittest(HeaderTests, OfflineTest, BasicTest, TimeoutTest,
|
|
- HTTPTest, HTTPSTest, SourceAddressTest,
|
|
+ HTTPTest, HttpMethodTests, HTTPSTest, SourceAddressTest,
|
|
TunnelTests)
|
|
|
|
if __name__ == '__main__':
|