summaryrefslogtreecommitdiff
path: root/system/python3/CVE-2019-16935.patch
diff options
context:
space:
mode:
authorMax Rees <maxcrees@me.com>2020-03-16 19:40:54 -0500
committerMax Rees <maxcrees@me.com>2020-03-19 22:21:24 -0500
commit789547051d191f170ba4a2712d2060a42fe2fed8 (patch)
treef47f47ada9d312193cb588ae1865355b2e4bb416 /system/python3/CVE-2019-16935.patch
parent44858d9784799f0a00b6d0384143e191d3c53744 (diff)
downloadpackages-789547051d191f170ba4a2712d2060a42fe2fed8.tar.gz
packages-789547051d191f170ba4a2712d2060a42fe2fed8.tar.bz2
packages-789547051d191f170ba4a2712d2060a42fe2fed8.tar.xz
packages-789547051d191f170ba4a2712d2060a42fe2fed8.zip
system/python3: bump to 3.6.10 and patch CVE-2019-18348 (#232)
Diffstat (limited to 'system/python3/CVE-2019-16935.patch')
-rw-r--r--system/python3/CVE-2019-16935.patch80
1 files changed, 0 insertions, 80 deletions
diff --git a/system/python3/CVE-2019-16935.patch b/system/python3/CVE-2019-16935.patch
deleted file mode 100644
index 567eb90fc..000000000
--- a/system/python3/CVE-2019-16935.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 1698cacfb924d1df452e78d11a4bf81ae7777389 Mon Sep 17 00:00:00 2001
-From: Victor Stinner <vstinner@redhat.com>
-Date: Sat, 28 Sep 2019 09:33:00 +0200
-Subject: [PATCH] bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
- (GH-16441)
-
-Escape the server title of xmlrpc.server.DocXMLRPCServer
-when rendering the document page as HTML.
-
-(cherry picked from commit e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa)
----
- Lib/test/test_docxmlrpc.py | 16 ++++++++++++++++
- Lib/xmlrpc/server.py | 3 ++-
- .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst | 3 +++
- 3 files changed, 21 insertions(+), 1 deletion(-)
- create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
-
-diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py
-index 00903337c07c2..d2adb21af0fb3 100644
---- a/Lib/test/test_docxmlrpc.py
-+++ b/Lib/test/test_docxmlrpc.py
-@@ -1,5 +1,6 @@
- from xmlrpc.server import DocXMLRPCServer
- import http.client
-+import re
- import sys
- from test import support
- threading = support.import_module('threading')
-@@ -193,6 +194,21 @@ def test_annotations(self):
- b'method_annotation</strong></a>(x: bytes)</dt></dl>'),
- response.read())
-
-+ def test_server_title_escape(self):
-+ # bpo-38243: Ensure that the server title and documentation
-+ # are escaped for HTML.
-+ self.serv.set_server_title('test_title<script>')
-+ self.serv.set_server_documentation('test_documentation<script>')
-+ self.assertEqual('test_title<script>', self.serv.server_title)
-+ self.assertEqual('test_documentation<script>',
-+ self.serv.server_documentation)
-+
-+ generated = self.serv.generate_html_documentation()
-+ title = re.search(r'<title>(.+?)</title>', generated).group()
-+ documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
-+ self.assertEqual('<title>Python: test_title&lt;script&gt;</title>', title)
-+ self.assertEqual('<p><tt>test_documentation&lt;script&gt;</tt></p>', documentation)
-+
-
- if __name__ == '__main__':
- unittest.main()
-diff --git a/Lib/xmlrpc/server.py b/Lib/xmlrpc/server.py
-index 3e0dca027f068..efe593748968c 100644
---- a/Lib/xmlrpc/server.py
-+++ b/Lib/xmlrpc/server.py
-@@ -106,6 +106,7 @@ def export_add(self, x, y):
-
- from xmlrpc.client import Fault, dumps, loads, gzip_encode, gzip_decode
- from http.server import BaseHTTPRequestHandler
-+import html
- import http.server
- import socketserver
- import sys
-@@ -904,7 +905,7 @@ def generate_html_documentation(self):
- methods
- )
-
-- return documenter.page(self.server_title, documentation)
-+ return documenter.page(html.escape(self.server_title), documentation)
-
- class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
- """XML-RPC and documentation request handler class.
-diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
-new file mode 100644
-index 0000000000000..98d7be129573a
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
-@@ -0,0 +1,3 @@
-+Escape the server title of :class:`xmlrpc.server.DocXMLRPCServer`
-+when rendering the document page as HTML.
-+(Contributed by Dong-hee Na in :issue:`38243`.)