wok rev 9612
Forgot patch for python.
author | Christopher Rogers <slaxemulator@gmail.com> |
---|---|
date | Sun Apr 17 09:38:03 2011 +0000 (2011-04-17) |
parents | 9e8cd7598a81 |
children | 6722845f3d20 |
files | python/stuff/CVE-2011-1521.patch |
line diff
1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 1.2 +++ b/python/stuff/CVE-2011-1521.patch Sun Apr 17 09:38:03 2011 +0000 1.3 @@ -0,0 +1,98 @@ 1.4 +diff -Naur Python-2.7.1.ori/Lib/test/test_urllib2.py Python-2.7.1/Lib/test/test_urllib2.py 1.5 +--- Python-2.7.1.ori/Lib/test/test_urllib2.py 2010-11-21 21:04:33.000000000 -0800 1.6 ++++ Python-2.7.1/Lib/test/test_urllib2.py 2011-04-15 05:02:13.278853672 -0700 1.7 +@@ -969,6 +969,27 @@ 1.8 + self.assertEqual(count, 1.9 + urllib2.HTTPRedirectHandler.max_redirections) 1.10 + 1.11 ++ def test_invalid_redirect(self): 1.12 ++ from_url = "http://example.com/a.html" 1.13 ++ valid_schemes = ['http', 'https', 'ftp'] 1.14 ++ invalid_schemes = ['file', 'imap', 'ldap'] 1.15 ++ schemeless_url = "example.com/b.html" 1.16 ++ h = urllib2.HTTPRedirectHandler() 1.17 ++ o = h.parent = MockOpener() 1.18 ++ req = Request(from_url) 1.19 ++ 1.20 ++ for scheme in invalid_schemes: 1.21 ++ invalid_url = scheme + '://' + schemeless_url 1.22 ++ self.assertRaises(urllib2.HTTPError, h.http_error_302, 1.23 ++ req, MockFile(), 302, "Security Loophole", 1.24 ++ MockHeaders({"location": invalid_url})) 1.25 ++ 1.26 ++ for scheme in valid_schemes: 1.27 ++ valid_url = scheme + '://' + schemeless_url 1.28 ++ h.http_error_302(req, MockFile(), 302, "That's fine", 1.29 ++ MockHeaders({"location": valid_url})) 1.30 ++ self.assertEqual(o.req.get_full_url(), valid_url) 1.31 ++ 1.32 + def test_cookie_redirect(self): 1.33 + # cookies shouldn't leak into redirected requests 1.34 + from cookielib import CookieJar 1.35 +diff -Naur Python-2.7.1.ori/Lib/test/test_urllib.py Python-2.7.1/Lib/test/test_urllib.py 1.36 +--- Python-2.7.1.ori/Lib/test/test_urllib.py 2010-11-21 05:34:58.000000000 -0800 1.37 ++++ Python-2.7.1/Lib/test/test_urllib.py 2011-04-15 05:02:13.278853672 -0700 1.38 +@@ -161,6 +161,20 @@ 1.39 + finally: 1.40 + self.unfakehttp() 1.41 + 1.42 ++ def test_invalid_redirect(self): 1.43 ++ # urlopen() should raise IOError for many error codes. 1.44 ++ self.fakehttp("""HTTP/1.1 302 Found 1.45 ++Date: Wed, 02 Jan 2008 03:03:54 GMT 1.46 ++Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e 1.47 ++Location: file:README 1.48 ++Connection: close 1.49 ++Content-Type: text/html; charset=iso-8859-1 1.50 ++""") 1.51 ++ try: 1.52 ++ self.assertRaises(IOError, urllib.urlopen, "http://python.org/") 1.53 ++ finally: 1.54 ++ self.unfakehttp() 1.55 ++ 1.56 + def test_empty_socket(self): 1.57 + # urlopen() raises IOError if the underlying socket does not send any 1.58 + # data. (#1680230) 1.59 +diff -Naur Python-2.7.1.ori/Lib/urllib2.py Python-2.7.1/Lib/urllib2.py 1.60 +--- Python-2.7.1.ori/Lib/urllib2.py 2010-11-20 03:24:08.000000000 -0800 1.61 ++++ Python-2.7.1/Lib/urllib2.py 2011-04-15 05:02:13.278853672 -0700 1.62 +@@ -579,6 +579,17 @@ 1.63 + 1.64 + newurl = urlparse.urljoin(req.get_full_url(), newurl) 1.65 + 1.66 ++ # For security reasons we do not allow redirects to protocols 1.67 ++ # other than HTTP, HTTPS or FTP. 1.68 ++ newurl_lower = newurl.lower() 1.69 ++ if not (newurl_lower.startswith('http://') or 1.70 ++ newurl_lower.startswith('https://') or 1.71 ++ newurl_lower.startswith('ftp://')): 1.72 ++ raise HTTPError(newurl, code, 1.73 ++ msg + " - Redirection to url '%s' is not allowed" % 1.74 ++ newurl, 1.75 ++ headers, fp) 1.76 ++ 1.77 + # XXX Probably want to forget about the state of the current 1.78 + # request, although that might interact poorly with other 1.79 + # handlers that also use handler-specific request attributes 1.80 +diff -Naur Python-2.7.1.ori/Lib/urllib.py Python-2.7.1/Lib/urllib.py 1.81 +--- Python-2.7.1.ori/Lib/urllib.py 2010-11-21 21:04:33.000000000 -0800 1.82 ++++ Python-2.7.1/Lib/urllib.py 2011-04-15 05:02:13.278853672 -0700 1.83 +@@ -644,6 +644,18 @@ 1.84 + fp.close() 1.85 + # In case the server sent a relative URL, join with original: 1.86 + newurl = basejoin(self.type + ":" + url, newurl) 1.87 ++ 1.88 ++ # For security reasons we do not allow redirects to protocols 1.89 ++ # other than HTTP, HTTPS or FTP. 1.90 ++ newurl_lower = newurl.lower() 1.91 ++ if not (newurl_lower.startswith('http://') or 1.92 ++ newurl_lower.startswith('https://') or 1.93 ++ newurl_lower.startswith('ftp://')): 1.94 ++ raise IOError('redirect error', errcode, 1.95 ++ errmsg + " - Redirection to url '%s' is not allowed" % 1.96 ++ newurl, 1.97 ++ headers) 1.98 ++ 1.99 + return self.open(newurl) 1.100 + 1.101 + def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):