summaryrefslogtreecommitdiff
path: root/system/python3/CVE-2015-20107.patch
diff options
context:
space:
mode:
Diffstat (limited to 'system/python3/CVE-2015-20107.patch')
-rw-r--r--system/python3/CVE-2015-20107.patch131
1 files changed, 131 insertions, 0 deletions
diff --git a/system/python3/CVE-2015-20107.patch b/system/python3/CVE-2015-20107.patch
new file mode 100644
index 000000000..59cb4d7ed
--- /dev/null
+++ b/system/python3/CVE-2015-20107.patch
@@ -0,0 +1,131 @@
+From c3e7f139b440d7424986204e9f3fc2275aea3377 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Wed, 27 Apr 2022 18:17:33 +0200
+Subject: [PATCH 1/2] gh-68966: Make mailcap refuse to match unsafe
+ filenames/types/params
+
+---
+ Lib/mailcap.py | 26 ++++++++++++++++++++++++--
+ Lib/test/test_mailcap.py | 8 ++++++--
+ 2 files changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/Lib/mailcap.py b/Lib/mailcap.py
+index 856b6a55475f3..cfb70edc61ecf 100644
+--- a/Lib/mailcap.py
++++ b/Lib/mailcap.py
+@@ -2,6 +2,7 @@
+
+ import os
+ import warnings
++import re
+
+ __all__ = ["getcaps","findmatch"]
+
+@@ -19,6 +20,11 @@ def lineno_sort_key(entry):
+ else:
+ return 1, 0
+
++_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@%+=:,./-]').search
++
++class UnsafeMailcapInput(Warning):
++ """Warning raised when refusing unsafe input"""
++
+
+ # Part 1: top-level interface.
+
+@@ -171,15 +177,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
+ entry to use.
+
+ """
++ if _find_unsafe(filename):
++ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
++ warnings.warn(msg, UnsafeMailcapInput)
++ return None, None
+ entries = lookup(caps, MIMEtype, key)
+ # XXX This code should somehow check for the needsterminal flag.
+ for e in entries:
+ if 'test' in e:
+ test = subst(e['test'], filename, plist)
++ if test is None:
++ continue
+ if test and os.system(test) != 0:
+ continue
+ command = subst(e[key], MIMEtype, filename, plist)
+- return command, e
++ if command is not None:
++ return command, e
+ return None, None
+
+ def lookup(caps, MIMEtype, key=None):
+@@ -212,6 +225,10 @@ def subst(field, MIMEtype, filename, plist=[]):
+ elif c == 's':
+ res = res + filename
+ elif c == 't':
++ if _find_unsafe(MIMEtype):
++ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
++ warnings.warn(msg, UnsafeMailcapInput)
++ return None
+ res = res + MIMEtype
+ elif c == '{':
+ start = i
+@@ -219,7 +236,12 @@ def subst(field, MIMEtype, filename, plist=[]):
+ i = i+1
+ name = field[start:i]
+ i = i+1
+- res = res + findparam(name, plist)
++ param = findparam(name, plist)
++ if _find_unsafe(param):
++ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
++ warnings.warn(msg, UnsafeMailcapInput)
++ return None
++ res = res + param
+ # XXX To do:
+ # %n == number of parts if type is multipart/*
+ # %F == list of alternating type and filename for parts
+diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py
+index 97a8fac6e074a..2ed367dba78b7 100644
+--- a/Lib/test/test_mailcap.py
++++ b/Lib/test/test_mailcap.py
+@@ -128,7 +128,8 @@ def test_subst(self):
+ (["", "audio/*", "foo.txt"], ""),
+ (["echo foo", "audio/*", "foo.txt"], "echo foo"),
+ (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
+- (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
++ (["echo %t", "audio/*", "foo.txt"], None),
++ (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
+ (["echo \\%t", "audio/*", "foo.txt"], "echo %t"),
+ (["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
+ (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
+@@ -212,7 +213,10 @@ def test_findmatch(self):
+ ('"An audio fragment"', audio_basic_entry)),
+ ([c, "audio/*"],
+ {"filename": fname},
+- ("/usr/local/bin/showaudio audio/*", audio_entry)),
++ (None, None)),
++ ([c, "audio/wav"],
++ {"filename": fname},
++ ("/usr/local/bin/showaudio audio/wav", audio_entry)),
+ ([c, "message/external-body"],
+ {"plist": plist},
+ ("showexternal /dev/null default john python.org /tmp foo bar", message_entry))
+
+From 3904f682b6dde32b4f51e7b8c3867e27d13333e0 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Wed, 27 Apr 2022 18:29:35 +0200
+Subject: [PATCH 2/2] Add blurb
+
+---
+ .../Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 ++++
+ 1 file changed, 4 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+
+diff --git a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+new file mode 100644
+index 0000000000000..da81a1f6993db
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+@@ -0,0 +1,4 @@
++The deprecated mailcap module now refuses to inject unsafe text (filenames,
++MIME types, parameters) into shell commands. Instead of using such text, it
++will warn and act as if a match was not found (or for test commands, as if
++the test failed).