wok diff python/stuff/CVE-2011-1521.patch @ rev 10789

Up: slitaz-tools (4.3) - Use source Makefile to install files and so clean up receipt
author Christophe Lincoln <pankso@slitaz.org>
date Wed Jun 01 22:36:01 2011 +0200 (2011-06-01)
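--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/python/stuff/CVE-2011-1521.patch	Wed Jun 01 22:36:01 2011 +0200
@@ -0,0 +1,98 @@
+diff -Naur Python-2.7.1.ori/Lib/test/test_urllib2.py Python-2.7.1/Lib/test/test_urllib2.py
+--- Python-2.7.1.ori/Lib/test/test_urllib2.py	2010-11-21 21:04:33.000000000 -0800
++++ Python-2.7.1/Lib/test/test_urllib2.py	2011-04-15 05:02:13.278853672 -0700
+@@ -969,6 +969,27 @@
+             self.assertEqual(count,
+                              urllib2.HTTPRedirectHandler.max_redirections)
+ 
++    def test_invalid_redirect(self):
++        from_url = "http://example.com/a.html"
++        valid_schemes = ['http', 'https', 'ftp']
++        invalid_schemes = ['file', 'imap', 'ldap']
++        schemeless_url = "example.com/b.html"
++        h = urllib2.HTTPRedirectHandler()
++        o = h.parent = MockOpener()
++        req = Request(from_url)
++
++        for scheme in invalid_schemes:
++            invalid_url = scheme + '://' + schemeless_url
++            self.assertRaises(urllib2.HTTPError, h.http_error_302,
++                              req, MockFile(), 302, "Security Loophole",
++                              MockHeaders({"location": invalid_url}))
++
++        for scheme in valid_schemes:
++            valid_url = scheme + '://' + schemeless_url
++            h.http_error_302(req, MockFile(), 302, "That's fine",
++                MockHeaders({"location": valid_url}))
++            self.assertEqual(o.req.get_full_url(), valid_url)
++
+     def test_cookie_redirect(self):
+         # cookies shouldn't leak into redirected requests
+         from cookielib import CookieJar
+diff -Naur Python-2.7.1.ori/Lib/test/test_urllib.py Python-2.7.1/Lib/test/test_urllib.py
+--- Python-2.7.1.ori/Lib/test/test_urllib.py	2010-11-21 05:34:58.000000000 -0800
++++ Python-2.7.1/Lib/test/test_urllib.py	2011-04-15 05:02:13.278853672 -0700
+@@ -161,6 +161,20 @@
+         finally:
+             self.unfakehttp()
+ 
++    def test_invalid_redirect(self):
++        # urlopen() should raise IOError for many error codes.
++        self.fakehttp("""HTTP/1.1 302 Found
++Date: Wed, 02 Jan 2008 03:03:54 GMT
++Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e
++Location: file:README
++Connection: close
++Content-Type: text/html; charset=iso-8859-1
++""")
++        try:
++            self.assertRaises(IOError, urllib.urlopen, "http://python.org/")
++        finally:
++            self.unfakehttp()
++
+     def test_empty_socket(self):
+         # urlopen() raises IOError if the underlying socket does not send any
+         # data. (#1680230)
+diff -Naur Python-2.7.1.ori/Lib/urllib2.py Python-2.7.1/Lib/urllib2.py
+--- Python-2.7.1.ori/Lib/urllib2.py	2010-11-20 03:24:08.000000000 -0800
++++ Python-2.7.1/Lib/urllib2.py	2011-04-15 05:02:13.278853672 -0700
+@@ -579,6 +579,17 @@
+ 
+         newurl = urlparse.urljoin(req.get_full_url(), newurl)
+ 
++        # For security reasons we do not allow redirects to protocols
++        # other than HTTP, HTTPS or FTP.
++        newurl_lower = newurl.lower()
++        if not (newurl_lower.startswith('http://') or
++                newurl_lower.startswith('https://') or
++                newurl_lower.startswith('ftp://')):
++            raise HTTPError(newurl, code,
++                            msg + " - Redirection to url '%s' is not allowed" %
++                            newurl,
++                            headers, fp)
++
+         # XXX Probably want to forget about the state of the current
+         # request, although that might interact poorly with other
+         # handlers that also use handler-specific request attributes
+diff -Naur Python-2.7.1.ori/Lib/urllib.py Python-2.7.1/Lib/urllib.py
+--- Python-2.7.1.ori/Lib/urllib.py	2010-11-21 21:04:33.000000000 -0800
++++ Python-2.7.1/Lib/urllib.py	2011-04-15 05:02:13.278853672 -0700
+@@ -644,6 +644,18 @@
+         fp.close()
+         # In case the server sent a relative URL, join with original:
+         newurl = basejoin(self.type + ":" + url, newurl)
++
++        # For security reasons we do not allow redirects to protocols
++        # other than HTTP, HTTPS or FTP.
++        newurl_lower = newurl.lower()
++        if not (newurl_lower.startswith('http://') or
++                newurl_lower.startswith('https://') or
++                newurl_lower.startswith('ftp://')):
++            raise IOError('redirect error', errcode,
++                          errmsg + " - Redirection to url '%s' is not allowed" %
++                          newurl,
++                          headers)
++
+         return self.open(newurl)
+ 
+     def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):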
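Review bot: The allow-list added to urllib2.py and urllib.py (the `startswith('ftp://')` branches) still lets an HTTP response redirect the client to an FTP host, so the fix stops `file:` and similar schemes but callers that fetch untrusted URLs still need their own destination checks; the comment above each check could say so, e.g. `# NOTE: ftp:// stays allowed; callers must still validate redirect targets.` In test_urllib.py, the comment `# urlopen() should raise IOError for many error codes.` does not describe test_invalid_redirect; `# urlopen() should raise IOError on a redirect to a disallowed scheme (file:).` would match what the test asserts. Nothing on this page applies the patch, so the python receipt presumably needs a step that applies it in the Python-2.7.1 source tree; this is to be confirmed, since the receipt is not shown here. Both library hunks sit inside functions whose beginnings are outside the visible context.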