Djam/python38
1
0
Fork 0
mirror of https://abf.rosa.ru/djam/python38.git synced 2025-02-23 15:22:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix CVE-2019-16056, CVE-2019-16935 and race in test_docxmlrpc

Browse source 
https://usn.ubuntu.com/4151-1/
* SECURITY UPDATE: incorrect email address parsing
- CVE-2019-16056.patch: don't parse domains containing @ in
  Lib/email/_header_value_parser.py, Lib/email/_parseaddr.py,
  Lib/test/test_email/test__header_value_parser.py,
  Lib/test/test_email/test_email.py.
* SECURITY UPDATE: XSS in documentation XML-RPC server
- CVE-2019-16935.patch: escape the server_title in Lib/xmlrpc/server.py, Lib/test/test_docxmlrpc.py.
* avoid_test_docxmlrpc_race.patch: avoid race in
  test_docxmlrpc server setup in Lib/test/test_docxmlrpc.py.
This commit is contained in:
Mikhail Novosyolov 2019-10-10 01:30:49 +03:00
parent a4135e32d2
commit 8058c8b2db
4 changed files with 277 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

107
CVE-2019-16056.patch Normal file
View file

@ -0,0 +1,107 @@
From 063eba280a11d3c9a5dd9ee5abe4de640907951b Mon Sep 17 00:00:00 2001
From: Abhilash Raj <maxking@users.noreply.github.com>
Date: Fri, 6 Sep 2019 22:24:05 -0700
Subject: [PATCH] [3.5] bpo-34155: Dont parse domains containing @ (GH-13079)
(#15317)
https://bugs.python.org/issue34155
(cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9)
Co-authored-by: jpic <jpic@users.noreply.github.com>
---
Lib/email/_header_value_parser.py | 2 ++
Lib/email/_parseaddr.py | 11 ++++++++++-
Lib/test/test_email/test__header_value_parser.py | 10 ++++++++++
Lib/test/test_email/test_email.py | 14 ++++++++++++++
.../2019-05-04-13-33-37.bpo-34155.MJll68.rst | 1 +
5 files changed, 37 insertions(+), 1 deletion(-)
create mode 100644 Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
Index: python3.5-3.5.2/Lib/email/_header_value_parser.py
===================================================================
--- python3.5-3.5.2.orig/Lib/email/_header_value_parser.py 2019-10-07 09:01:59.365357330 -0400
+++ python3.5-3.5.2/Lib/email/_header_value_parser.py 2019-10-07 09:01:59.361357315 -0400
@@ -1966,6 +1966,8 @@ def get_domain(value):
token, value = get_dot_atom(value)
except errors.HeaderParseError:
token, value = get_atom(value)
+ if value and value[0] == '@':
+ raise errors.HeaderParseError('Invalid Domain')
if leader is not None:
token[:0] = [leader]
domain.append(token)
Index: python3.5-3.5.2/Lib/email/_parseaddr.py
===================================================================
--- python3.5-3.5.2.orig/Lib/email/_parseaddr.py 2019-10-07 09:01:59.365357330 -0400
+++ python3.5-3.5.2/Lib/email/_parseaddr.py 2019-10-07 09:01:59.361357315 -0400
@@ -379,7 +379,12 @@ class AddrlistClass:
aslist.append('@')
self.pos += 1
self.gotonext()
- return EMPTYSTRING.join(aslist) + self.getdomain()
+ domain = self.getdomain()
+ if not domain:
+ # Invalid domain, return an empty address instead of returning a
+ # local part to denote failed parsing.
+ return EMPTYSTRING
+ return EMPTYSTRING.join(aslist) + domain
def getdomain(self):
"""Get the complete domain name from an address."""
@@ -394,6 +399,10 @@ class AddrlistClass:
elif self.field[self.pos] == '.':
self.pos += 1
sdlist.append('.')
+ elif self.field[self.pos] == '@':
+ # bpo-34155: Don't parse domains with two `@` like
+ # `a@malicious.org@important.com`.
+ return EMPTYSTRING
elif self.field[self.pos] in self.atomends:
break
else:
Index: python3.5-3.5.2/Lib/test/test_email/test__header_value_parser.py
===================================================================
--- python3.5-3.5.2.orig/Lib/test/test_email/test__header_value_parser.py 2019-10-07 09:01:59.365357330 -0400
+++ python3.5-3.5.2/Lib/test/test_email/test__header_value_parser.py 2019-10-07 09:01:59.361357315 -0400
@@ -1418,6 +1418,16 @@ class TestParser(TestParserMixin, TestEm
self.assertEqual(addr_spec.domain, 'example.com')
self.assertEqual(addr_spec.addr_spec, 'star.a.star@example.com')
+ def test_get_addr_spec_multiple_domains(self):
+ with self.assertRaises(errors.HeaderParseError):
+ parser.get_addr_spec('star@a.star@example.com')
+
+ with self.assertRaises(errors.HeaderParseError):
+ parser.get_addr_spec('star@a@example.com')
+
+ with self.assertRaises(errors.HeaderParseError):
+ parser.get_addr_spec('star@172.17.0.1@example.com')
+
# get_obs_route
def test_get_obs_route_simple(self):
Index: python3.5-3.5.2/Lib/test/test_email/test_email.py
===================================================================
--- python3.5-3.5.2.orig/Lib/test/test_email/test_email.py 2019-10-07 09:01:59.365357330 -0400
+++ python3.5-3.5.2/Lib/test/test_email/test_email.py 2019-10-07 09:01:59.361357315 -0400
@@ -2999,6 +2999,20 @@ class TestMiscellaneous(TestEmailBase):
self.assertEqual(utils.parseaddr('<>'), ('', ''))
self.assertEqual(utils.formataddr(utils.parseaddr('<>')), '')
+ def test_parseaddr_multiple_domains(self):
+ self.assertEqual(
+ utils.parseaddr('a@b@c'),
+ ('', '')
+ )
+ self.assertEqual(
+ utils.parseaddr('a@b.c@c'),
+ ('', '')
+ )
+ self.assertEqual(
+ utils.parseaddr('a@172.17.0.1@c'),
+ ('', '')
+ )
+
def test_noquote_dump(self):
self.assertEqual(
utils.formataddr(('A Silly Person', 'person@dom.ain')),

71
CVE-2019-16935.patch Normal file
View file

@ -0,0 +1,71 @@
From 1698cacfb924d1df452e78d11a4bf81ae7777389 Mon Sep 17 00:00:00 2001
From: Victor Stinner <vstinner@redhat.com>
Date: Sat, 28 Sep 2019 09:33:00 +0200
Subject: [PATCH] bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
(GH-16441)
Escape the server title of xmlrpc.server.DocXMLRPCServer
when rendering the document page as HTML.
(cherry picked from commit e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa)
---
Lib/test/test_docxmlrpc.py | 16 ++++++++++++++++
Lib/xmlrpc/server.py | 3 ++-
.../2019-09-25-13-21-09.bpo-38243.1pfz24.rst | 3 +++
3 files changed, 21 insertions(+), 1 deletion(-)
create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
Index: python3.5-3.5.2/Lib/test/test_docxmlrpc.py
===================================================================
--- python3.5-3.5.2.orig/Lib/test/test_docxmlrpc.py 2019-10-07 09:02:07.977389134 -0400
+++ python3.5-3.5.2/Lib/test/test_docxmlrpc.py 2019-10-07 09:02:07.969389105 -0400
@@ -1,5 +1,6 @@
from xmlrpc.server import DocXMLRPCServer
import http.client
+import re
import sys
from test import support
threading = support.import_module('threading')
@@ -212,6 +213,21 @@ class DocXMLRPCHTTPGETServer(unittest.Te
b'method_annotation</strong></a>(x: bytes)</dt></dl>'),
response.read())
+ def test_server_title_escape(self):
+ # bpo-38243: Ensure that the server title and documentation
+ # are escaped for HTML.
+ self.serv.set_server_title('test_title<script>')
+ self.serv.set_server_documentation('test_documentation<script>')
+ self.assertEqual('test_title<script>', self.serv.server_title)
+ self.assertEqual('test_documentation<script>',
+ self.serv.server_documentation)
+
+ generated = self.serv.generate_html_documentation()
+ title = re.search(r'<title>(.+?)</title>', generated).group()
+ documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
+ self.assertEqual('<title>Python: test_title&lt;script&gt;</title>', title)
+ self.assertEqual('<p><tt>test_documentation&lt;script&gt;</tt></p>', documentation)
+
if __name__ == '__main__':
unittest.main()
Index: python3.5-3.5.2/Lib/xmlrpc/server.py
===================================================================
--- python3.5-3.5.2.orig/Lib/xmlrpc/server.py 2019-10-07 09:02:07.977389134 -0400
+++ python3.5-3.5.2/Lib/xmlrpc/server.py 2019-10-07 09:02:07.969389105 -0400
@@ -106,6 +106,7 @@ server.handle_request()
from xmlrpc.client import Fault, dumps, loads, gzip_encode, gzip_decode
from http.server import BaseHTTPRequestHandler
+import html
import http.server
import socketserver
import sys
@@ -887,7 +888,7 @@ class XMLRPCDocGenerator:
methods
)
- return documenter.page(self.server_title, documentation)
+ return documenter.page(html.escape(self.server_title), documentation)
class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
"""XML-RPC and documentation request handler class.

94
avoid_test_docxmlrpc_race.patch Normal file
View file

@ -0,0 +1,94 @@
# HG changeset patch
# User Martin Panter <vadmium+py@gmail.com>
# Date 1471675858 0
# Node ID 397f0504417207f02b611092f444b5a24d3d1a41
# Parent 7ddbc22639435d234609181a14cba7182c58df5e
Issue #27614: Avoid race in test_docxmlrpc server setup
Index: python3.5-3.5.2/Lib/test/test_docxmlrpc.py
===================================================================
--- python3.5-3.5.2.orig/Lib/test/test_docxmlrpc.py 2019-10-08 09:06:31.993379083 -0400
+++ python3.5-3.5.2/Lib/test/test_docxmlrpc.py 2019-10-08 09:06:31.989379062 -0400
@@ -4,12 +4,8 @@ import re
import sys
from test import support
threading = support.import_module('threading')
-import time
-import socket
import unittest
-PORT = None
-
def make_request_and_skipIf(condition, reason):
# If we skip the test, we have to make a request because
# the server created in setUp blocks expecting one to come in.
@@ -24,13 +20,10 @@ def make_request_and_skipIf(condition, r
return decorator
-def server(evt, numrequests):
+def make_server():
serv = DocXMLRPCServer(("localhost", 0), logRequests=False)
try:
- global PORT
- PORT = serv.socket.getsockname()[1]
-
# Add some documentation
serv.set_server_title("DocXMLRPCServer Test Documentation")
serv.set_server_name("DocXMLRPCServer Test Docs")
@@ -67,43 +60,31 @@ def server(evt, numrequests):
serv.register_function(lambda x, y: x-y)
serv.register_function(annotation)
serv.register_instance(ClassWithAnnotation())
-
- while numrequests > 0:
- serv.handle_request()
- numrequests -= 1
- except socket.timeout:
- pass
- finally:
+ return serv
+ except:
serv.server_close()
- PORT = None
- evt.set()
+ raise
class DocXMLRPCHTTPGETServer(unittest.TestCase):
def setUp(self):
- self._threads = support.threading_setup()
# Enable server feedback
DocXMLRPCServer._send_traceback_header = True
- self.evt = threading.Event()
- threading.Thread(target=server, args=(self.evt, 1)).start()
-
- # wait for port to be assigned
- deadline = time.monotonic() + 10.0
- while PORT is None:
- time.sleep(0.010)
- if time.monotonic() > deadline:
- break
+ self.serv = make_server()
+ self.thread = threading.Thread(target=self.serv.serve_forever)
+ self.thread.start()
+ PORT = self.serv.server_address[1]
self.client = http.client.HTTPConnection("localhost:%d" % PORT)
def tearDown(self):
self.client.close()
- self.evt.wait()
-
# Disable server feedback
DocXMLRPCServer._send_traceback_header = False
- support.threading_cleanup(*self._threads)
+ self.serv.shutdown()
+ self.thread.join()
+ self.serv.server_close()
def test_valid_get_response(self):
self.client.request("GET", "/")

6
python3.spec
View file

@ -34,7 +34,7 @@
Summary: An interpreted, interactive object-oriented programming language
Name: python3
Version: 3.5.2
Release: 11
Release: 12
License: Modified CNRI Open Source License
Group: Development/Python
@ -68,6 +68,10 @@ Patch20: Python-select-requires-libm.patch
Patch21: python3-3.4.2-distutils-init.patch
Patch22: python3-3.5.0-make-libpl-respect-lib64.patch
Patch23: CVE-2019-16056.patch
Patch24: CVE-2019-16935.patch
Patch25: avoid_test_docxmlrpc_race.patch
URL: http://www.python.org/
Conflicts: tkinter3 < %{version}
Conflicts: %{lib_name}-devel < 3.4