packages/python3
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

backport some security-related upstream patches

Browse Source
This commit is contained in:
wangshuo 2024-10-29 21:02:21 +08:00
parent 5f32441d05
commit 25d18d0e7d
3 changed files with 168 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
backport-3.7-gh-104049-do-not-expose-on-disk-location-from-Si.patch Normal file
View File

@ -0,0 +1,64 @@
From 4e2dd0c3626649224b87b757a292959d94152a00 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
<31488909+miss-islington@users.noreply.github.com>
Date: Fri, 26 May 2023 23:41:46 -0700
Subject: [PATCH] [3.7] gh-104049: do not expose on-disk location from
SimpleHTTPRequestHandler (GH-104122)
Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure)
(cherry picked from commit c7c3a60c88de61a79ded9fdaf6bc6a29da4efb9a)
Co-authored-by: Ethan Furman <ethan@stoneleaf.us>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
---
Lib/http/server.py | 2 +-
Lib/test/test_httpservers.py | 8 ++++++++
.../2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst | 2 ++
3 files changed, 11 insertions(+), 1 deletion(-)
create mode 100644 Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst
diff --git a/Lib/http/server.py b/Lib/http/server.py
index ba2acbc98bf..beabe3de7ab 100644
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -777,7 +777,7 @@ class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
displaypath = urllib.parse.unquote(self.path,
errors='surrogatepass')
except UnicodeDecodeError:
- displaypath = urllib.parse.unquote(path)
+ displaypath = urllib.parse.unquote(self.path)
displaypath = html.escape(displaypath, quote=False)
enc = sys.getfilesystemencoding()
title = 'Directory listing for %s' % displaypath
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
index b3e15c475a4..8c9be689003 100644
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -413,6 +413,14 @@ class SimpleHTTPServerTestCase(BaseTestCase):
self.check_status_and_reason(response, HTTPStatus.OK,
data=support.TESTFN_UNDECODABLE)
+ def test_undecodable_parameter(self):
+ # sanity check using a valid parameter
+ response = self.request(self.base_url + '/?x=123').read()
+ self.assertRegex(response, f'listing for {self.base_url}/\?x=123'.encode('latin1'))
+ # now the bogus encoding
+ response = self.request(self.base_url + '/?x=%bb').read()
+ self.assertRegex(response, f'listing for {self.base_url}/\?x=\xef\xbf\xbd'.encode('latin1'))
+
def test_get_dir_redirect_location_domain_injection_bug(self):
"""Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location.
diff --git a/Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst b/Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst
new file mode 100644
index 00000000000..969deb26bfe
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst
@@ -0,0 +1,2 @@
+Do not expose the local on-disk location in directory indexes
+produced by :class:`http.client.SimpleHTTPRequestHandler`.
--
2.25.1

89
backport-3.7-gh-99889-Fix-directory-traversal-security-flaw-i.patch Normal file
View File

@ -0,0 +1,89 @@
From 1ce801b81ce63867ce382f6e9f56873a844c2bc6 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
<31488909+miss-islington@users.noreply.github.com>
Date: Sat, 27 May 2023 00:04:28 -0700
Subject: [PATCH] [3.7] gh-99889: Fix directory traversal security flaw in
uu.decode() (GH-104333)
(cherry picked from commit 0aeda297931820436a50b78f4f7f0597274b5df4)
Co-authored-by: Sam Carroll <70000253+samcarroll42@users.noreply.github.com>
---
Lib/test/test_uu.py | 28 +++++++++++++++++++
Lib/uu.py | 9 +++++-
...3-05-02-17-56-32.gh-issue-99889.l664SU.rst | 2 ++
3 files changed, 38 insertions(+), 1 deletion(-)
mode change 100755 => 100644 Lib/uu.py
create mode 100644 Misc/NEWS.d/next/Security/2023-05-02-17-56-32.gh-issue-99889.l664SU.rst
diff --git a/Lib/test/test_uu.py b/Lib/test/test_uu.py
index c8709f7a0d6..e5d93d6cd1c 100644
--- a/Lib/test/test_uu.py
+++ b/Lib/test/test_uu.py
@@ -145,6 +145,34 @@ class UUTest(unittest.TestCase):
uu.encode(inp, out, filename)
self.assertIn(safefilename, out.getvalue())
+ def test_no_directory_traversal(self):
+ relative_bad = b"""\
+begin 644 ../../../../../../../../tmp/test1
+$86)C"@``
+`
+end
+"""
+ with self.assertRaisesRegex(uu.Error, 'directory'):
+ uu.decode(io.BytesIO(relative_bad))
+ if os.altsep:
+ relative_bad_bs = relative_bad.replace(b'/', b'\\')
+ with self.assertRaisesRegex(uu.Error, 'directory'):
+ uu.decode(io.BytesIO(relative_bad_bs))
+
+ absolute_bad = b"""\
+begin 644 /tmp/test2
+$86)C"@``
+`
+end
+"""
+ with self.assertRaisesRegex(uu.Error, 'directory'):
+ uu.decode(io.BytesIO(absolute_bad))
+ if os.altsep:
+ absolute_bad_bs = absolute_bad.replace(b'/', b'\\')
+ with self.assertRaisesRegex(uu.Error, 'directory'):
+ uu.decode(io.BytesIO(absolute_bad_bs))
+
+
class UUStdIOTest(unittest.TestCase):
def setUp(self):
diff --git a/Lib/uu.py b/Lib/uu.py
old mode 100755
new mode 100644
index 9f1f37f1a64..9fe252a639e
--- a/Lib/uu.py
+++ b/Lib/uu.py
@@ -130,7 +130,14 @@ def decode(in_file, out_file=None, mode=None, quiet=False):
# If the filename isn't ASCII, what's up with that?!?
out_file = hdrfields[2].rstrip(b' \t\r\n\f').decode("ascii")
if os.path.exists(out_file):
- raise Error('Cannot overwrite existing file: %s' % out_file)
+ raise Error(f'Cannot overwrite existing file: {out_file}')
+ if (out_file.startswith(os.sep) or
+ f'..{os.sep}' in out_file or (
+ os.altsep and
+ (out_file.startswith(os.altsep) or
+ f'..{os.altsep}' in out_file))
+ ):
+ raise Error(f'Refusing to write to {out_file} due to directory traversal')
if mode is None:
mode = int(hdrfields[1], 8)
#
diff --git a/Misc/NEWS.d/next/Security/2023-05-02-17-56-32.gh-issue-99889.l664SU.rst b/Misc/NEWS.d/next/Security/2023-05-02-17-56-32.gh-issue-99889.l664SU.rst
new file mode 100644
index 00000000000..b7002e81b6b
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2023-05-02-17-56-32.gh-issue-99889.l664SU.rst
@@ -0,0 +1,2 @@
+Fixed a security in flaw in :func:`uu.decode` that could allow for
+directory traversal based on the input if no ``out_file`` was specified.
--
2.25.1

16
python3.spec
View File

@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
URL: https://www.python.org/
Version: 3.7.9
Release: 40
Release: 41
License: Python-2.0
%global branchversion 3.7
@ -189,6 +189,9 @@ Patch9008: backport-3.7-gh-107845-Fix-symlink-handling-for-tarfile.data_.patch
# fix test error
Patch9009: backport-3.7-gh-115133-Fix-test_xml_etree-error-with-expat-ve.patch
Patch9010: backport-3.7-gh-104049-do-not-expose-on-disk-location-from-Si.patch
Patch9011: backport-3.7-gh-99889-Fix-directory-traversal-security-flaw-i.patch
Provides: python%{branchversion} = %{version}-%{release}
Provides: python(abi) = %{branchversion}
@ -358,6 +361,9 @@ rm Lib/ensurepip/_bundled/*.whl
%patch9008 -p1
%patch9009 -p1
%patch9010 -p1
%patch9011 -p1
sed -i "s/generic_os/%{_vendor}/g" Lib/platform.py
rm configure pyconfig.h.in
@ -962,6 +968,14 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
%{_mandir}/*/*
%changelog
* Tue Oct 29 2024 wangshuo <wangshuo@kylinos.cn> - 3.7.9-41
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:backport upstream patches
- gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler
- gh-99889: Fix directory traversal security flaw in uu.decode()
* Fri Oct 25 2024 wangshuo <wangshuo@kylinos.cn> - 3.7.9-40
- Type:CVE
- CVE:CVE-2007-4559