eet: up to fix e17 build (1.0.1)
author | Christophe Lincoln <pankso@slitaz.org> |
date | Wed May 25 13:58:00 2011 +0200 (2011-05-25) |
1 diff -Naur Python-3.2.ori/Doc/library/urllib.request.rst Python-3.2/Doc/library/urllib.request.rst
2 --- Python-3.2.ori/Doc/library/urllib.request.rst 2011-02-11 03:25:47.000000000 -0800
3 +++ Python-3.2/Doc/library/urllib.request.rst 2011-04-15 03:49:02.778745379 -0700
4 @@ -650,6 +650,10 @@
5 is the case, :exc:`HTTPError` is raised. See :rfc:`2616` for details of the
6 precise meanings of the various redirection codes.
8 + An :class:`HTTPError` exception raised as a security consideration if the
9 + HTTPRedirectHandler is presented with a redirected url which is not an HTTP,
10 + HTTPS or FTP url.
11 +
13 .. method:: HTTPRedirectHandler.redirect_request(req, fp, code, msg, hdrs, newurl)
15 diff -Naur Python-3.2.ori/Lib/test/test_urllib2.py Python-3.2/Lib/test/test_urllib2.py
16 --- Python-3.2.ori/Lib/test/test_urllib2.py 2011-02-11 03:25:47.000000000 -0800
17 +++ Python-3.2/Lib/test/test_urllib2.py 2011-04-15 03:50:29.705417290 -0700
18 @@ -8,6 +8,7 @@
20 import urllib.request
21 from urllib.request import Request, OpenerDirector
22 +import urllib.error
24 # XXX
25 # Request
26 @@ -1029,6 +1030,29 @@
27 self.assertEqual(count,
28 urllib.request.HTTPRedirectHandler.max_redirections)
30 +
31 + def test_invalid_redirect(self):
32 + from_url = "http://example.com/a.html"
33 + valid_schemes = ['http','https','ftp']
34 + invalid_schemes = ['file','imap','ldap']
35 + schemeless_url = "example.com/b.html"
36 + h = urllib.request.HTTPRedirectHandler()
37 + o = h.parent = MockOpener()
38 + req = Request(from_url)
39 + req.timeout = socket._GLOBAL_DEFAULT_TIMEOUT
40 +
41 + for scheme in invalid_schemes:
42 + invalid_url = scheme + '://' + schemeless_url
43 + self.assertRaises(urllib.error.HTTPError, h.http_error_302,
44 + req, MockFile(), 302, "Security Loophole",
45 + MockHeaders({"location": invalid_url}))
46 +
47 + for scheme in valid_schemes:
48 + valid_url = scheme + '://' + schemeless_url
49 + h.http_error_302(req, MockFile(), 302, "That's fine",
50 + MockHeaders({"location": valid_url}))
51 + self.assertEqual(o.req.get_full_url(), valid_url)
52 +
53 def test_cookie_redirect(self):
54 # cookies shouldn't leak into redirected requests
55 from http.cookiejar import CookieJar
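Review bot: test_invalid_redirect only hands absolute URLs to http_error_302; `schemeless_url` is defined but never passed on its own, so the relative-Location case that the new scheme check could plausibly break is untested. Presumably http_error_302 joins a relative Location against the request URL before parsing it (that code is outside this hunk); if so, `h.http_error_302(req, MockFile(), 302, "ok", MockHeaders({"location": schemeless_url}))` followed by `self.assertTrue(o.req.get_full_url().startswith("http://"))` would pin that relative redirects still pass. The valid-scheme loop also covers only lowercase schemes; since urlparse lowercases the scheme, one `HTTP://` case would document that a mixed-case Location is accepted. The test also depends on the private `socket._GLOBAL_DEFAULT_TIMEOUT` and on `socket` being imported elsewhere in the file, which is not visible here.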
56 diff -Naur Python-3.2.ori/Lib/test/test_urllib.py Python-3.2/Lib/test/test_urllib.py
57 --- Python-3.2.ori/Lib/test/test_urllib.py 2010-12-17 09:35:56.000000000 -0800
58 +++ Python-3.2/Lib/test/test_urllib.py 2011-04-15 03:49:02.778745379 -0700
59 @@ -2,6 +2,7 @@
61 import urllib.parse
62 import urllib.request
63 +import urllib.error
64 import http.client
65 import email.message
66 import io
67 @@ -198,6 +199,21 @@
68 finally:
69 self.unfakehttp()
71 + def test_invalid_redirect(self):
72 + # urlopen() should raise IOError for many error codes.
73 + self.fakehttp(b'''HTTP/1.1 302 Found
74 +Date: Wed, 02 Jan 2008 03:03:54 GMT
75 +Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e
76 +Location: file://guidocomputer.athome.com:/python/license
77 +Connection: close
78 +Content-Type: text/html; charset=iso-8859-1
79 +''')
80 + try:
81 + self.assertRaises(urllib.error.HTTPError, urlopen,
82 + "http://python.org/")
83 + finally:
84 + self.unfakehttp()
85 +
86 def test_empty_socket(self):
87 # urlopen() raises IOError if the underlying socket does not send any
88 # data. (#1680230)
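Review bot: The comment on test_invalid_redirect, `# urlopen() should raise IOError for many error codes.`, appears to be copied from a neighbouring test and does not describe this one, which checks that a 302 whose Location is a `file://` URL is refused. Replace it with `# A redirect to a non-http/https/ftp URL (here file://) must be rejected with HTTPError, not followed.` As written the assertion only proves that some HTTPError surfaced; using `assertRaises` as a context manager and checking that the caught error's `url` is the file:// Location would make explicit that it was the redirect, not the original request, that was rejected.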
89 diff -Naur Python-3.2.ori/Lib/urllib/request.py Python-3.2/Lib/urllib/request.py
90 --- Python-3.2.ori/Lib/urllib/request.py 2011-02-11 03:25:47.000000000 -0800
91 +++ Python-3.2/Lib/urllib/request.py 2011-04-15 03:49:02.778745379 -0700
92 @@ -545,6 +545,17 @@
94 # fix a possible malformed URL
95 urlparts = urlparse(newurl)
96 +
97 + # For security reasons we don't allow redirection to anything other
98 + # than http, https or ftp.
99 +
100 + if not urlparts.scheme in ('http', 'https', 'ftp'):
101 + raise HTTPError(newurl, code,
102 + msg +
103 + " - Redirection to url '%s' is not allowed" %
104 + newurl,
105 + headers, fp)
106 +
107 if not urlparts.path:
108 urlparts = list(urlparts)
109 urlparts[2] = "/"
110 @@ -1897,8 +1908,24 @@
111 return
112 void = fp.read()
113 fp.close()
114 +
115 # In case the server sent a relative URL, join with original:
116 newurl = urljoin(self.type + ":" + url, newurl)
117 +
118 + urlparts = urlparse(newurl)
119 +
120 + # For security reasons, we don't allow redirection to anything other
121 + # than http, https and ftp.
122 +
123 + # We are using newer HTTPError with older redirect_internal method
124 + # This older method will get deprecated in 3.3
125 +
126 + if not urlparts.scheme in ('http', 'https', 'ftp'):
127 + raise HTTPError(newurl, errcode,
128 + errmsg +
129 + " Redirection to url '%s' is not allowed." % newurl,
130 + headers, fp)
131 +
132 return self.open(newurl)
134 def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):
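Review bot: In the second hunk the new HTTPError is raised after `void = fp.read()` and `fp.close()`, so the exception wraps an already-closed file object, and a caller that reads the error body will get a ValueError instead of the response; move the `urlparse(newurl)` and scheme check ahead of the read-and-close, or pass `None` for fp if HTTPError accepts that in this version (its constructor is not in the hunk, so I cannot confirm). The enclosing method (`redirect_internal`, per the added comment) starts outside the hunk. In both hunks `if not urlparts.scheme in ('http', 'https', 'ftp'):` should be the idiomatic `if urlparts.scheme not in ('http', 'https', 'ftp'):`, which is what linters will flag. Because the urljoin with `self.type + ":" + url` runs before the parse, a scheme-less Location inherits the original scheme rather than being rejected; a comment on the check such as `# newurl is absolute here (joined above), so an empty scheme cannot reach this test.` would save the next reader from wondering about that path.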