pool/python
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8d87a05715
python/CVE-2019-9947-no-ctrl-char-http.patch
Matej Cepl 2f5ed5b585 Accepting request 700428 from home:mcepl:branches:devel:languages:python:Factory 
- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch
  Address the issue by disallowing URL paths with embedded
  whitespace or control characters through into the underlying
  http client request. Such potentially malicious header
  injection URLs now cause a ValueError to be raised.

OBS-URL: https://build.opensuse.org/request/show/700428
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=243
2019-05-03 15:46:24 +00:00

109 lines
4.3 KiB
Diff
Raw Blame History

--- a/Lib/httplib.py
+++ b/Lib/httplib.py
@@ -247,6 +247,15 @@ _MAXHEADERS = 100
_is_legal_header_name = re.compile(r'\A[^:\s][^:\r\n]*\Z').match
_is_illegal_header_value = re.compile(r'\n(?![ \t])|\r(?![ \t\n])').search
+# These characters are not allowed within http URL paths.
+# https://tools.ietf.org/html/rfc3986#section-3.3
+# in order to prevent CVE-2019-9740.
+# We don't restrict chars above \x7f as putrequest() limits us to ASCII.
+_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
+# Arguably only these _should_ allowed:
+# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
+# We are more lenient for assumed real world compatibility purposes.
+
# We always set the Content-Length header for these methods because some
# servers will otherwise respond with a 411
_METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
@@ -927,6 +936,9 @@ class HTTPConnection:
self._method = method
if not url:
url = '/'
+ # Prevent CVE-2019-9740.
+ if _contains_disallowed_url_pchar_re.search(url):
+ raise InvalidURL("URL can't contain control characters. {0!r}".format(url))
hdr = '%s %s %s' % (method, url, self._http_vsn_str)
self._output(hdr)
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -2,6 +2,7 @@
import collections
import urllib
+import urllib2
import httplib
import io
import unittest
@@ -13,6 +14,11 @@ import tempfile
from test import test_support
from base64 import b64encode
+try:
+ import ssl
+except ImportError:
+ ssl = None
+
def hexescape(char):
"""Escape char as RFC 2396 specifies"""
@@ -364,6 +370,31 @@ Connection: close
finally:
self.unfakehttp()
+ def test_url_with_newline_header_injection_rejected(self):
+ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
+ host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
+ schemeless_url = "//" + host + ":8080/test/?test=a"
+ try:
+ # We explicitly test urllib.request.urlopen() instead of the top
+ # level 'def urlopen()' function defined in this... (quite ugly)
+ # test suite. they use different url opening codepaths. plain
+ # urlopen uses FancyURLOpener which goes via a codepath that
+ # calls urllib.parse.quote() on the URL which makes all of the
+ # above attempts at injection within the url _path_ safe.
+ with self.assertRaisesRegexp(httplib.InvalidURL,
+ r"contain control.*\\r"):
+ urllib2.urlopen("http:{0}".format(schemeless_url))
+ if ssl is not None:
+ with self.assertRaisesRegexp(httplib.InvalidURL,
+ r"contain control.*\\n"):
+ urllib2.urlopen("https:{0}".format(schemeless_url))
+ # This code path quotes the URL so there is no injection.
+ resp = urllib.urlopen("http:{0}".format(schemeless_url))
+ self.assertNotIn(' ', resp.geturl())
+ self.assertNotIn('\r', resp.geturl())
+ self.assertNotIn('\n', resp.geturl())
+ finally:
+ self.unfakehttp()
class urlretrieve_FileTests(unittest.TestCase):
"""Test urllib.urlretrieve() on local files"""
--- a/Lib/test/test_xmlrpc.py
+++ b/Lib/test/test_xmlrpc.py
@@ -1,4 +1,5 @@
import base64
+import contextlib
import datetime
import sys
import time
@@ -658,9 +659,14 @@ class SimpleServerTestCase(BaseServerTes
def test_partial_post(self):
# Check that a partial POST doesn't make the server loop: issue #14001.
- conn = httplib.HTTPConnection(ADDR, PORT)
- conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye')
- conn.close()
+ with contextlib.closing(socket.create_connection((ADDR, PORT))) as conn:
+ conn.send(('POST /RPC2 HTTP/1.0\r\n' +
+ 'Content-Length: 100\r\n\r\n' +
+ 'bye HTTP/1.1\r\n' +
+ 'Host: {0}:{1}\r\n'.format(ADDR, PORT) +
+ 'Accept-Encoding: identity\r\n' +
+ 'Content-Length: 0\r\n\r\n').encode('ascii'))
+
class SimpleServerEncodingTestCase(BaseServerTestCase):
@staticmethod
Reference in New Issue View Git Blame Copy Permalink