wok-6.x annotate py3k/stuff/CVE-2011-1521.patch @ rev 10797

Up: wireshark to 1.4.7. Security Fix.
author Christopher Rogers <slaxemulator@gmail.com>
date Thu Jun 02 22:49:19 2011 +0000 (2011-06-02)
slaxemulator@9619 1 diff -Naur Python-3.2.ori/Doc/library/urllib.request.rst Python-3.2/Doc/library/urllib.request.rst
slaxemulator@9619 2 --- Python-3.2.ori/Doc/library/urllib.request.rst 2011-02-11 03:25:47.000000000 -0800
slaxemulator@9619 3 +++ Python-3.2/Doc/library/urllib.request.rst 2011-04-15 03:49:02.778745379 -0700
slaxemulator@9619 4 @@ -650,6 +650,10 @@
slaxemulator@9619 5 is the case, :exc:`HTTPError` is raised. See :rfc:`2616` for details of the
slaxemulator@9619 6 precise meanings of the various redirection codes.
slaxemulator@9619 7
slaxemulator@9619 8 + An :class:`HTTPError` exception raised as a security consideration if the
slaxemulator@9619 9 + HTTPRedirectHandler is presented with a redirected url which is not an HTTP,
slaxemulator@9619 10 + HTTPS or FTP url.
slaxemulator@9619 11 +
slaxemulator@9619 12
slaxemulator@9619 13 .. method:: HTTPRedirectHandler.redirect_request(req, fp, code, msg, hdrs, newurl)
slaxemulator@9619 14
slaxemulator@9619 15 diff -Naur Python-3.2.ori/Lib/test/test_urllib2.py Python-3.2/Lib/test/test_urllib2.py
slaxemulator@9619 16 --- Python-3.2.ori/Lib/test/test_urllib2.py 2011-02-11 03:25:47.000000000 -0800
slaxemulator@9619 17 +++ Python-3.2/Lib/test/test_urllib2.py 2011-04-15 03:50:29.705417290 -0700
slaxemulator@9619 18 @@ -8,6 +8,7 @@
slaxemulator@9619 19
slaxemulator@9619 20 import urllib.request
slaxemulator@9619 21 from urllib.request import Request, OpenerDirector
slaxemulator@9619 22 +import urllib.error
slaxemulator@9619 23
slaxemulator@9619 24 # XXX
slaxemulator@9619 25 # Request
slaxemulator@9619 26 @@ -1029,6 +1030,29 @@
slaxemulator@9619 27 self.assertEqual(count,
slaxemulator@9619 28 urllib.request.HTTPRedirectHandler.max_redirections)
slaxemulator@9619 29
slaxemulator@9619 30 +
slaxemulator@9619 31 + def test_invalid_redirect(self):
slaxemulator@9619 32 + from_url = "http://example.com/a.html"
slaxemulator@9619 33 + valid_schemes = ['http','https','ftp']
slaxemulator@9619 34 + invalid_schemes = ['file','imap','ldap']
slaxemulator@9619 35 + schemeless_url = "example.com/b.html"
slaxemulator@9619 36 + h = urllib.request.HTTPRedirectHandler()
slaxemulator@9619 37 + o = h.parent = MockOpener()
slaxemulator@9619 38 + req = Request(from_url)
slaxemulator@9619 39 + req.timeout = socket._GLOBAL_DEFAULT_TIMEOUT
slaxemulator@9619 40 +
slaxemulator@9619 41 + for scheme in invalid_schemes:
slaxemulator@9619 42 + invalid_url = scheme + '://' + schemeless_url
slaxemulator@9619 43 + self.assertRaises(urllib.error.HTTPError, h.http_error_302,
slaxemulator@9619 44 + req, MockFile(), 302, "Security Loophole",
slaxemulator@9619 45 + MockHeaders({"location": invalid_url}))
slaxemulator@9619 46 +
slaxemulator@9619 47 + for scheme in valid_schemes:
slaxemulator@9619 48 + valid_url = scheme + '://' + schemeless_url
slaxemulator@9619 49 + h.http_error_302(req, MockFile(), 302, "That's fine",
slaxemulator@9619 50 + MockHeaders({"location": valid_url}))
slaxemulator@9619 51 + self.assertEqual(o.req.get_full_url(), valid_url)
slaxemulator@9619 52 +
slaxemulator@9619 53 def test_cookie_redirect(self):
slaxemulator@9619 54 # cookies shouldn't leak into redirected requests
slaxemulator@9619 55 from http.cookiejar import CookieJar
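Review bot: The invalid-scheme loop only checks that `HTTPError` is raised; it never verifies that the rejected redirect stopped short of being dispatched to the parent opener, which is the property the fix is meant to guarantee. If `MockOpener` only gains a `req` attribute when its `open()` is called (not visible here), a check after that loop such as `self.assertFalse(hasattr(o, 'req'))` would pin that behaviour, and since the valid-scheme loop runs afterwards it would not interfere with the existing `o.req.get_full_url()` assertion. The test also reads `socket._GLOBAL_DEFAULT_TIMEOUT`, so it relies on `socket` already being imported by test_urllib2.py, which this patch does not add. The enclosing test class starts outside the hunk.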
slaxemulator@9619 56 diff -Naur Python-3.2.ori/Lib/test/test_urllib.py Python-3.2/Lib/test/test_urllib.py
slaxemulator@9619 57 --- Python-3.2.ori/Lib/test/test_urllib.py 2010-12-17 09:35:56.000000000 -0800
slaxemulator@9619 58 +++ Python-3.2/Lib/test/test_urllib.py 2011-04-15 03:49:02.778745379 -0700
slaxemulator@9619 59 @@ -2,6 +2,7 @@
slaxemulator@9619 60
slaxemulator@9619 61 import urllib.parse
slaxemulator@9619 62 import urllib.request
slaxemulator@9619 63 +import urllib.error
slaxemulator@9619 64 import http.client
slaxemulator@9619 65 import email.message
slaxemulator@9619 66 import io
slaxemulator@9619 67 @@ -198,6 +199,21 @@
slaxemulator@9619 68 finally:
slaxemulator@9619 69 self.unfakehttp()
slaxemulator@9619 70
slaxemulator@9619 71 + def test_invalid_redirect(self):
slaxemulator@9619 72 + # urlopen() should raise IOError for many error codes.
slaxemulator@9619 73 + self.fakehttp(b'''HTTP/1.1 302 Found
slaxemulator@9619 74 +Date: Wed, 02 Jan 2008 03:03:54 GMT
slaxemulator@9619 75 +Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e
slaxemulator@9619 76 +Location: file://guidocomputer.athome.com:/python/license
slaxemulator@9619 77 +Connection: close
slaxemulator@9619 78 +Content-Type: text/html; charset=iso-8859-1
slaxemulator@9619 79 +''')
slaxemulator@9619 80 + try:
slaxemulator@9619 81 + self.assertRaises(urllib.error.HTTPError, urlopen,
slaxemulator@9619 82 + "http://python.org/")
slaxemulator@9619 83 + finally:
slaxemulator@9619 84 + self.unfakehttp()
slaxemulator@9619 85 +
slaxemulator@9619 86 def test_empty_socket(self):
slaxemulator@9619 87 # urlopen() raises IOError if the underlying socket does not send any
slaxemulator@9619 88 # data. (#1680230)
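Review bot: The comment on the first line of `test_invalid_redirect`, `# urlopen() should raise IOError for many error codes.`, looks copied from a neighbouring test and does not describe this one, which asserts `HTTPError` for a 302 whose `Location` uses a `file:` scheme. Replace it with `# urlopen() must refuse to follow a redirect whose scheme is not http, https or ftp.` so the intent of the fake response is clear to the next reader. The enclosing test class starts outside the hunk.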
slaxemulator@9619 89 diff -Naur Python-3.2.ori/Lib/urllib/request.py Python-3.2/Lib/urllib/request.py
slaxemulator@9619 90 --- Python-3.2.ori/Lib/urllib/request.py 2011-02-11 03:25:47.000000000 -0800
slaxemulator@9619 91 +++ Python-3.2/Lib/urllib/request.py 2011-04-15 03:49:02.778745379 -0700
slaxemulator@9619 92 @@ -545,6 +545,17 @@
slaxemulator@9619 93
slaxemulator@9619 94 # fix a possible malformed URL
slaxemulator@9619 95 urlparts = urlparse(newurl)
slaxemulator@9619 96 +
slaxemulator@9619 97 + # For security reasons we don't allow redirection to anything other
slaxemulator@9619 98 + # than http, https or ftp.
slaxemulator@9619 99 +
slaxemulator@9619 100 + if not urlparts.scheme in ('http', 'https', 'ftp'):
slaxemulator@9619 101 + raise HTTPError(newurl, code,
slaxemulator@9619 102 + msg +
slaxemulator@9619 103 + " - Redirection to url '%s' is not allowed" %
slaxemulator@9619 104 + newurl,
slaxemulator@9619 105 + headers, fp)
slaxemulator@9619 106 +
slaxemulator@9619 107 if not urlparts.path:
slaxemulator@9619 108 urlparts = list(urlparts)
slaxemulator@9619 109 urlparts[2] = "/"
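Review bot: The new guard is written as `if not urlparts.scheme in ('http', 'https', 'ftp'):`, which PEP 8 (E713) asks to be spelled `if urlparts.scheme not in ('http', 'https', 'ftp'):`; the same form appears in the `redirect_internal` hunk for the same file. The logic itself is sound: `urlparse` lowercases the scheme, so case variants of a disallowed scheme are still caught. Worth a comment that `newurl` in the raised message is the server-supplied `Location` value, so anything that logs `HTTPError` text is echoing untrusted input, e.g. `# newurl comes from the server's Location header; treat the message as untrusted.` The enclosing `http_error_302` method starts and ends outside the hunk.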
slaxemulator@9619 110 @@ -1897,8 +1908,24 @@
slaxemulator@9619 111 return
slaxemulator@9619 112 void = fp.read()
slaxemulator@9619 113 fp.close()
slaxemulator@9619 114 +
slaxemulator@9619 115 # In case the server sent a relative URL, join with original:
slaxemulator@9619 116 newurl = urljoin(self.type + ":" + url, newurl)
slaxemulator@9619 117 +
slaxemulator@9619 118 + urlparts = urlparse(newurl)
slaxemulator@9619 119 +
slaxemulator@9619 120 + # For security reasons, we don't allow redirection to anything other
slaxemulator@9619 121 + # than http, https and ftp.
slaxemulator@9619 122 +
slaxemulator@9619 123 + # We are using newer HTTPError with older redirect_internal method
slaxemulator@9619 124 + # This older method will get deprecated in 3.3
slaxemulator@9619 125 +
slaxemulator@9619 126 + if not urlparts.scheme in ('http', 'https', 'ftp'):
slaxemulator@9619 127 + raise HTTPError(newurl, errcode,
slaxemulator@9619 128 + errmsg +
slaxemulator@9619 129 + " Redirection to url '%s' is not allowed." % newurl,
slaxemulator@9619 130 + headers, fp)
slaxemulator@9619 131 +
slaxemulator@9619 132 return self.open(newurl)
slaxemulator@9619 133
slaxemulator@9619 134 def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):
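Review bot: The new `raise HTTPError(newurl, errcode, ..., headers, fp)` hands `fp` to the exception after the context lines above have already done `void = fp.read()` and `fp.close()`, so any caller that reads the body from the caught `HTTPError` gets a closed stream rather than the redirect response. If `HTTPError` wraps a non-`None` `fp` as its file object (its constructor is outside this patch), either pass `None` in that position or move the scheme check ahead of the `fp.read()`/`fp.close()` pair so the response is still readable when it is attached. The guard should also read `if urlparts.scheme not in ('http', 'https', 'ftp'):` rather than `not ... in`. The enclosing `redirect_internal` method starts outside the hunk.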