diff options
Diffstat (limited to 'system/python3/CVE-2019-18348.patch')
-rw-r--r-- | system/python3/CVE-2019-18348.patch | 147 |
1 files changed, 0 insertions, 147 deletions
diff --git a/system/python3/CVE-2019-18348.patch b/system/python3/CVE-2019-18348.patch deleted file mode 100644 index 9ebb963a8..000000000 --- a/system/python3/CVE-2019-18348.patch +++ /dev/null @@ -1,147 +0,0 @@ -From 83fc70159b24f5b11a5ef87c9b05c2cf4c7faeba Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Sat, 14 Mar 2020 15:35:52 -0700 -Subject: [PATCH] bpo-38576: Disallow control characters in hostnames in - http.client (GH-18995) (GH-19002) - -Add host validation for control characters for more CVE-2019-18348 protection. -(cherry picked from commit 9165addc22d05e776a54319a8531ebd0b2fe01ef) - -Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com> ---- - Lib/http/client.py | 10 ++++++ - Lib/test/test_httplib.py | 13 ++++++- - Lib/test/test_urllib.py | 36 +++++++++++++++++-- - .../2020-03-14-14-57-44.bpo-38576.OowwQn.rst | 1 + - 4 files changed, 57 insertions(+), 3 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2020-03-14-14-57-44.bpo-38576.OowwQn.rst - -diff --git a/Lib/http/client.py b/Lib/http/client.py -index d4821f1a96e07..c0ac7db6f40a0 100644 ---- a/Lib/http/client.py -+++ b/Lib/http/client.py -@@ -858,6 +858,8 @@ def __init__(self, host, port=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT, - - (self.host, self.port) = self._get_hostport(host, port) - -+ self._validate_host(self.host) -+ - # This is stored as an instance variable to allow unit - # tests to replace it with a suitable mockup - self._create_connection = socket.create_connection -@@ -1215,6 +1217,14 @@ def _validate_path(self, url): - raise InvalidURL(f"URL can't contain control characters. {url!r} " - f"(found at least {match.group()!r})") - -+ def _validate_host(self, host): -+ """Validate a host so it doesn't contain control characters.""" -+ # Prevent CVE-2019-18348. -+ match = _contains_disallowed_url_pchar_re.search(host) -+ if match: -+ raise InvalidURL(f"URL can't contain control characters. {host!r} " -+ f"(found at least {match.group()!r})") -+ - def putheader(self, header, *values): - """Send a request header line to the server. - -diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py -index 14d42d483773c..fcd9231666ede 100644 ---- a/Lib/test/test_httplib.py -+++ b/Lib/test/test_httplib.py -@@ -1132,7 +1132,7 @@ def run_server(): - thread.join() - self.assertEqual(result, b"proxied data\n") - -- def test_putrequest_override_validation(self): -+ def test_putrequest_override_domain_validation(self): - """ - It should be possible to override the default validation - behavior in putrequest (bpo-38216). -@@ -1145,6 +1145,17 @@ def _validate_path(self, url): - conn.sock = FakeSocket('') - conn.putrequest('GET', '/\x00') - -+ def test_putrequest_override_host_validation(self): -+ class UnsafeHTTPConnection(client.HTTPConnection): -+ def _validate_host(self, url): -+ pass -+ -+ conn = UnsafeHTTPConnection('example.com\r\n') -+ conn.sock = FakeSocket('') -+ # set skip_host so a ValueError is not raised upon adding the -+ # invalid URL as the value of the "Host:" header -+ conn.putrequest('GET', '/', skip_host=1) -+ - def test_putrequest_override_encoding(self): - """ - It should be possible to override the default encoding -diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py -index 0061a5297cb35..ddf425fd8d4b5 100644 ---- a/Lib/test/test_urllib.py -+++ b/Lib/test/test_urllib.py -@@ -331,7 +331,7 @@ def test_willclose(self): - self.unfakehttp() - - @unittest.skipUnless(ssl, "ssl module required") -- def test_url_with_control_char_rejected(self): -+ def test_url_path_with_control_char_rejected(self): - for char_no in list(range(0, 0x21)) + [0x7f]: - char = chr(char_no) - schemeless_url = f"//localhost:7777/test{char}/" -@@ -358,7 +358,7 @@ def test_url_with_control_char_rejected(self): - self.unfakehttp() - - @unittest.skipUnless(ssl, "ssl module required") -- def test_url_with_newline_header_injection_rejected(self): -+ def test_url_path_with_newline_header_injection_rejected(self): - self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.") - host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123" - schemeless_url = "//" + host + ":8080/test/?test=a" -@@ -383,6 +383,38 @@ def test_url_with_newline_header_injection_rejected(self): - finally: - self.unfakehttp() - -+ @unittest.skipUnless(ssl, "ssl module required") -+ def test_url_host_with_control_char_rejected(self): -+ for char_no in list(range(0, 0x21)) + [0x7f]: -+ char = chr(char_no) -+ schemeless_url = f"//localhost{char}/test/" -+ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.") -+ try: -+ escaped_char_repr = repr(char).replace('\\', r'\\') -+ InvalidURL = http.client.InvalidURL -+ with self.assertRaisesRegex( -+ InvalidURL, f"contain control.*{escaped_char_repr}"): -+ urlopen(f"http:{schemeless_url}") -+ with self.assertRaisesRegex(InvalidURL, f"contain control.*{escaped_char_repr}"): -+ urlopen(f"https:{schemeless_url}") -+ finally: -+ self.unfakehttp() -+ -+ @unittest.skipUnless(ssl, "ssl module required") -+ def test_url_host_with_newline_header_injection_rejected(self): -+ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.") -+ host = "localhost\r\nX-injected: header\r\n" -+ schemeless_url = "//" + host + ":8080/test/?test=a" -+ try: -+ InvalidURL = http.client.InvalidURL -+ with self.assertRaisesRegex( -+ InvalidURL, r"contain control.*\\r"): -+ urlopen(f"http:{schemeless_url}") -+ with self.assertRaisesRegex(InvalidURL, r"contain control.*\\n"): -+ urlopen(f"https:{schemeless_url}") -+ finally: -+ self.unfakehttp() -+ - def test_read_0_9(self): - # "0.9" response accepted (but not "simple responses" without - # a status line) -diff --git a/Misc/NEWS.d/next/Security/2020-03-14-14-57-44.bpo-38576.OowwQn.rst b/Misc/NEWS.d/next/Security/2020-03-14-14-57-44.bpo-38576.OowwQn.rst -new file mode 100644 -index 0000000000000..34b8af28988fa ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2020-03-14-14-57-44.bpo-38576.OowwQn.rst -@@ -0,0 +1 @@ -+Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised. -\ No newline at end of file |