wok diff py3k/stuff/CVE-2011-1521.patch @ rev 10666

passenger: Add apr-util-dev to bdeps.
author Christopher Rogers <slaxemulator@gmail.com>
date Fri May 27 03:48:18 2011 +0000 (2011-05-27)
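--- /dev/null
+++ b/py3k/stuff/CVE-2011-1521.patch
@@ -0,0 +1,134 @@
+diff -Naur Python-3.2.ori/Doc/library/urllib.request.rst Python-3.2/Doc/library/urllib.request.rst
+--- Python-3.2.ori/Doc/library/urllib.request.rst	2011-02-11 03:25:47.000000000 -0800
++++ Python-3.2/Doc/library/urllib.request.rst	2011-04-15 03:49:02.778745379 -0700
+@@ -650,6 +650,10 @@
+    is the case, :exc:`HTTPError` is raised.  See :rfc:`2616` for details of the
+    precise meanings of the various redirection codes.
+ 
++   An :class:`HTTPError` exception raised as a security consideration if the
++   HTTPRedirectHandler is presented with a redirected url which is not an HTTP,
++   HTTPS or FTP url.
++
+ 
+ .. method:: HTTPRedirectHandler.redirect_request(req, fp, code, msg, hdrs, newurl)
+ 
+diff -Naur Python-3.2.ori/Lib/test/test_urllib2.py Python-3.2/Lib/test/test_urllib2.py
+--- Python-3.2.ori/Lib/test/test_urllib2.py	2011-02-11 03:25:47.000000000 -0800
++++ Python-3.2/Lib/test/test_urllib2.py	2011-04-15 03:50:29.705417290 -0700
+@@ -8,6 +8,7 @@
+ 
+ import urllib.request
+ from urllib.request import Request, OpenerDirector
++import urllib.error
+ 
+ # XXX
+ # Request
+@@ -1029,6 +1030,29 @@
+             self.assertEqual(count,
+                              urllib.request.HTTPRedirectHandler.max_redirections)
+ 
++
++    def test_invalid_redirect(self):
++        from_url = "http://example.com/a.html"
++        valid_schemes = ['http','https','ftp']
++        invalid_schemes = ['file','imap','ldap']
++        schemeless_url = "example.com/b.html"
++        h = urllib.request.HTTPRedirectHandler()
++        o = h.parent = MockOpener()
++        req = Request(from_url)
++        req.timeout = socket._GLOBAL_DEFAULT_TIMEOUT
++
++        for scheme in invalid_schemes:
++            invalid_url = scheme + '://' + schemeless_url
++            self.assertRaises(urllib.error.HTTPError, h.http_error_302,
++                    req, MockFile(), 302, "Security Loophole",
++                    MockHeaders({"location": invalid_url}))
++
++        for scheme in valid_schemes:
++            valid_url = scheme + '://' + schemeless_url
++            h.http_error_302(req, MockFile(), 302, "That's fine",
++                MockHeaders({"location": valid_url}))
++            self.assertEqual(o.req.get_full_url(), valid_url)
++
+     def test_cookie_redirect(self):
+         # cookies shouldn't leak into redirected requests
+         from http.cookiejar import CookieJar
+diff -Naur Python-3.2.ori/Lib/test/test_urllib.py Python-3.2/Lib/test/test_urllib.py
+--- Python-3.2.ori/Lib/test/test_urllib.py	2010-12-17 09:35:56.000000000 -0800
++++ Python-3.2/Lib/test/test_urllib.py	2011-04-15 03:49:02.778745379 -0700
+@@ -2,6 +2,7 @@
+ 
+ import urllib.parse
+ import urllib.request
++import urllib.error
+ import http.client
+ import email.message
+ import io
+@@ -198,6 +199,21 @@
+         finally:
+             self.unfakehttp()
+ 
++    def test_invalid_redirect(self):
++        # urlopen() should raise IOError for many error codes.
++        self.fakehttp(b'''HTTP/1.1 302 Found
++Date: Wed, 02 Jan 2008 03:03:54 GMT
++Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e
++Location: file://guidocomputer.athome.com:/python/license
++Connection: close
++Content-Type: text/html; charset=iso-8859-1
++''')
++        try:
++            self.assertRaises(urllib.error.HTTPError, urlopen,
++                              "http://python.org/")
++        finally:
++            self.unfakehttp()
++
+     def test_empty_socket(self):
+         # urlopen() raises IOError if the underlying socket does not send any
+         # data. (#1680230)
+diff -Naur Python-3.2.ori/Lib/urllib/request.py Python-3.2/Lib/urllib/request.py
+--- Python-3.2.ori/Lib/urllib/request.py	2011-02-11 03:25:47.000000000 -0800
++++ Python-3.2/Lib/urllib/request.py	2011-04-15 03:49:02.778745379 -0700
+@@ -545,6 +545,17 @@
+ 
+         # fix a possible malformed URL
+         urlparts = urlparse(newurl)
++
++        # For security reasons we don't allow redirection to anything other
++        # than http, https or ftp.
++
++        if not urlparts.scheme in ('http', 'https', 'ftp'):
++            raise HTTPError(newurl, code,
++                            msg +
++                            " - Redirection to url '%s' is not allowed" %
++                            newurl,
++                            headers, fp)
++
+         if not urlparts.path:
+             urlparts = list(urlparts)
+             urlparts[2] = "/"
+@@ -1897,8 +1908,24 @@
+             return
+         void = fp.read()
+         fp.close()
++
+         # In case the server sent a relative URL, join with original:
+         newurl = urljoin(self.type + ":" + url, newurl)
++
++        urlparts = urlparse(newurl)
++
++        # For security reasons, we don't allow redirection to anything other
++        # than http, https and ftp.
++
++        # We are using newer HTTPError with older redirect_internal method
++        # This older method will get deprecated in 3.3
++
++        if not urlparts.scheme in ('http', 'https', 'ftp'):
++            raise HTTPError(newurl, errcode,
++                            errmsg +
++                            " Redirection to url '%s' is not allowed." % newurl,
++                            headers, fp)
++
+         return self.open(newurl)
+ 
+     def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):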
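Review bot: The scheme check in the `HTTPRedirectHandler.http_error_302` hunk (`if not urlparts.scheme in ('http', 'https', 'ftp'):`) runs on `urlparse(newurl)` of the raw `Location` value, so a relative redirect such as `/b.html` has an empty scheme and is refused with `HTTPError`; the join with the request URL that would resolve it appears to come later in the method, outside the hunk, so the check should either tolerate the empty scheme, `if urlparts.scheme not in ('http', 'https', 'ftp', ''):`, or be moved after that join, and the new `test_urllib2.py` test should add a relative `location` case, since it only exercises absolute URLs. The `redirect_internal` hunk is not affected because it parses `newurl` after `urljoin`, but the `HTTPError` it raises wraps an `fp` that the preceding `fp.close()` has already closed, so reading the exception body will fail. The comment on the new `test_urllib.py` test, `# urlopen() should raise IOError for many error codes.`, is copied from the neighbouring test and does not describe it; it should say that a redirect to a non-http/https/ftp URL raises HTTPError.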