mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-17 04:37:19 +00:00
python3-urllib3: Fix CVE-2020-26137 and CVE-2021-33503
Add patch to fix CVE-2020-26137 Link: https://ubuntu.com/security/CVE-2020-26137 Link: https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b.patch Add patch to fix CVE-2021-33503 Link: https://ubuntu.com/security/CVE-2021-33503 Link: https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec.patch Signed-off-by: Nikhil R <nikhil.r@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
committed by
Armin Kuster
parent
aa316ee2bb
commit
dbf01a10e2
@@ -0,0 +1,72 @@
|
|||||||
|
From 1dd69c5c5982fae7c87a620d487c2ebf7a6b436b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Seth Michael Larson <sethmichaellarson@gmail.com>
|
||||||
|
Date: Mon, 17 Feb 2020 15:34:48 -0600
|
||||||
|
Subject: [PATCH] Raise ValueError if method contains control characters
|
||||||
|
(#1800)
|
||||||
|
|
||||||
|
CVE: CVE-2020-26137
|
||||||
|
Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b.patch]
|
||||||
|
Signed-off-by: Nikhil R <nikhil.r@kpit.com>
|
||||||
|
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
|
||||||
|
Comment: Removed one hunk in CHANGES.rst and refresh other to remove
|
||||||
|
patch fuzz warnings
|
||||||
|
|
||||||
|
---
|
||||||
|
src/urllib3/connection.py | 14 ++++++++++++++
|
||||||
|
test/with_dummyserver/test_connectionpool.py | 6 ++++++
|
||||||
|
2 files changed, 20 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
|
||||||
|
index 71e6790b1b..f7b1760938 100644
|
||||||
|
--- a/src/urllib3/connection.py
|
||||||
|
+++ b/src/urllib3/connection.py
|
||||||
|
@@ -1,4 +1,5 @@
|
||||||
|
from __future__ import absolute_import
|
||||||
|
+import re
|
||||||
|
import datetime
|
||||||
|
import logging
|
||||||
|
import os
|
||||||
|
@@ -58,6 +59,8 @@ port_by_scheme = {"http": 80, "https": 443}
|
||||||
|
# (ie test_recent_date is failing) update it to ~6 months before the current date.
|
||||||
|
RECENT_DATE = datetime.date(2019, 1, 1)
|
||||||
|
|
||||||
|
+_CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
|
||||||
|
+
|
||||||
|
|
||||||
|
class DummyConnection(object):
|
||||||
|
"""Used to detect a failed ConnectionCls import."""
|
||||||
|
@@ -184,6 +187,17 @@ class HTTPConnection(_HTTPConnection, object):
|
||||||
|
conn = self._new_conn()
|
||||||
|
self._prepare_conn(conn)
|
||||||
|
|
||||||
|
+ def putrequest(self, method, url, *args, **kwargs):
|
||||||
|
+ """Send a request to the server"""
|
||||||
|
+ match = _CONTAINS_CONTROL_CHAR_RE.search(method)
|
||||||
|
+ if match:
|
||||||
|
+ raise ValueError(
|
||||||
|
+ "Method cannot contain non-token characters %r (found at least %r)"
|
||||||
|
+ % (method, match.group())
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ return _HTTPConnection.putrequest(self, method, url, *args, **kwargs)
|
||||||
|
+
|
||||||
|
def request_chunked(self, method, url, body=None, headers=None):
|
||||||
|
"""
|
||||||
|
Alternative to the common request method, which sends the
|
||||||
|
diff --git a/test/with_dummyserver/test_connectionpool.py b/test/with_dummyserver/test_connectionpool.py
|
||||||
|
index 57f0dbd2f4..79cbd27185 100644
|
||||||
|
--- a/test/with_dummyserver/test_connectionpool.py
|
||||||
|
+++ b/test/with_dummyserver/test_connectionpool.py
|
||||||
|
@@ -677,6 +677,12 @@ class TestConnectionPool(HTTPDummyServerTestCase):
|
||||||
|
with pytest.raises(MaxRetryError):
|
||||||
|
pool.request("GET", "/test", retries=2)
|
||||||
|
|
||||||
|
+ @pytest.mark.parametrize("char", [" ", "\r", "\n", "\x00"])
|
||||||
|
+ def test_invalid_method_not_allowed(self, char):
|
||||||
|
+ with pytest.raises(ValueError):
|
||||||
|
+ with HTTPConnectionPool(self.host, self.port) as pool:
|
||||||
|
+ pool.request("GET" + char, "/")
|
||||||
|
+
|
||||||
|
def test_percent_encode_invalid_target_chars(self):
|
||||||
|
with HTTPConnectionPool(self.host, self.port) as pool:
|
||||||
|
r = pool.request("GET", "/echo_params?q=\r&k=\n \n")
|
||||||
@@ -0,0 +1,67 @@
|
|||||||
|
From 2d4a3fee6de2fa45eb82169361918f759269b4ec Mon Sep 17 00:00:00 2001
|
||||||
|
From: Seth Michael Larson <sethmichaellarson@gmail.com>
|
||||||
|
Date: Wed, 26 May 2021 10:43:12 -0500
|
||||||
|
Subject: [PATCH] Improve performance of sub-authority splitting in URL
|
||||||
|
|
||||||
|
CVE: CVE-2021-33503
|
||||||
|
Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec.patch]
|
||||||
|
Signed-off-by: Nikhil R <nikhil.r@kpit.com>
|
||||||
|
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
|
||||||
|
Comment: Refresh hunks to remove patch fuzz warnings
|
||||||
|
|
||||||
|
---
|
||||||
|
src/urllib3/util/url.py | 8 +++++---
|
||||||
|
test/test_util.py | 10 ++++++++++
|
||||||
|
2 files changed, 15 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
|
||||||
|
index 6ff238fe3c..81a03da9e3 100644
|
||||||
|
--- a/src/urllib3/util/url.py
|
||||||
|
+++ b/src/urllib3/util/url.py
|
||||||
|
@@ -63,12 +63,12 @@ IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT + "$")
|
||||||
|
BRACELESS_IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT[2:-2] + "$")
|
||||||
|
ZONE_ID_RE = re.compile("(" + ZONE_ID_PAT + r")\]$")
|
||||||
|
|
||||||
|
-SUBAUTHORITY_PAT = (u"^(?:(.*)@)?(%s|%s|%s)(?::([0-9]{0,5}))?$") % (
|
||||||
|
+_HOST_PORT_PAT = ("^(%s|%s|%s)(?::([0-9]{0,5}))?$") % (
|
||||||
|
REG_NAME_PAT,
|
||||||
|
IPV4_PAT,
|
||||||
|
IPV6_ADDRZ_PAT,
|
||||||
|
)
|
||||||
|
-SUBAUTHORITY_RE = re.compile(SUBAUTHORITY_PAT, re.UNICODE | re.DOTALL)
|
||||||
|
+_HOST_PORT_RE = re.compile(_HOST_PORT_PAT, re.UNICODE | re.DOTALL)
|
||||||
|
|
||||||
|
UNRESERVED_CHARS = set(
|
||||||
|
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-~"
|
||||||
|
@@ -368,7 +368,9 @@ def parse_url(url):
|
||||||
|
scheme = scheme.lower()
|
||||||
|
|
||||||
|
if authority:
|
||||||
|
- auth, host, port = SUBAUTHORITY_RE.match(authority).groups()
|
||||||
|
+ auth, _, host_port = authority.rpartition("@")
|
||||||
|
+ auth = auth or None
|
||||||
|
+ host, port = _HOST_PORT_RE.match(host_port).groups()
|
||||||
|
if auth and normalize_uri:
|
||||||
|
auth = _encode_invalid_chars(auth, USERINFO_CHARS)
|
||||||
|
if port == "":
|
||||||
|
diff --git a/test/test_util.py b/test/test_util.py
|
||||||
|
index a5b68a084b..88409e2d6c 100644
|
||||||
|
--- a/test/test_util.py
|
||||||
|
+++ b/test/test_util.py
|
||||||
|
@@ -425,6 +425,16 @@ class TestUtil(object):
|
||||||
|
query="%0D%0ASET%20test%20failure12%0D%0A:8080/test/?test=a",
|
||||||
|
),
|
||||||
|
),
|
||||||
|
+ # Tons of '@' causing backtracking
|
||||||
|
+ ("https://" + ("@" * 10000) + "[", False),
|
||||||
|
+ (
|
||||||
|
+ "https://user:" + ("@" * 10000) + "example.com",
|
||||||
|
+ Url(
|
||||||
|
+ scheme="https",
|
||||||
|
+ auth="user:" + ("%40" * 9999),
|
||||||
|
+ host="example.com",
|
||||||
|
+ ),
|
||||||
|
+ ),
|
||||||
|
]
|
||||||
|
|
||||||
|
@pytest.mark.parametrize("url, expected_url", url_vulnerabilities)
|
||||||
@@ -8,8 +8,10 @@ SRC_URI[sha256sum] = "f3c5fd51747d450d4dcf6f923c81f78f811aab8205fda64b0aba34a4e4
|
|||||||
|
|
||||||
inherit pypi setuptools3
|
inherit pypi setuptools3
|
||||||
|
|
||||||
SRC_URI += "file://CVE-2020-7212.patch"
|
SRC_URI += "file://CVE-2020-7212.patch \
|
||||||
|
file://CVE-2020-26137.patch \
|
||||||
|
file://CVE-2021-33503.patch \
|
||||||
|
"
|
||||||
RDEPENDS_${PN} += "\
|
RDEPENDS_${PN} += "\
|
||||||
${PYTHON_PN}-certifi \
|
${PYTHON_PN}-certifi \
|
||||||
${PYTHON_PN}-cryptography \
|
${PYTHON_PN}-cryptography \
|
||||||
|
|||||||
Reference in New Issue
Block a user