mirror of
https://git.yoctoproject.org/git/poky
synced 2026-01-01 13:58:04 +00:00
56a27c9aad
(From OE-Core rev: 744eb37c8abf4c30a0c462580541bf195a987a56) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
130 lines
5.0 KiB
Diff
130 lines
5.0 KiB
Diff
From 5e0700418dc27b645edbe33c744daff93cd66618 Mon Sep 17 00:00:00 2001
|
|
From: Senthil Kumaran <senthil@uthcode.com>
|
|
Date: Sat, 30 Jul 2016 23:24:16 -0700
|
|
Subject: [PATCH] Prevent HTTPoxy attack (CVE-2016-1000110)
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
|
|
indicates that the script is in CGI mode.
|
|
|
|
Issue #27568 Reported and patch contributed by Rémi Rampin.
|
|
|
|
Upstream-Status: Backport
|
|
CVE: CVE-2016-1000110
|
|
|
|
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
|
|
|
---
|
|
Doc/howto/urllib2.rst | 5 +++++
|
|
Doc/library/urllib.request.rst | 13 +++++++++++++
|
|
Lib/test/test_urllib.py | 13 +++++++++++++
|
|
Lib/urllib/request.py | 7 +++++++
|
|
Misc/NEWS | 4 ++++
|
|
5 files changed, 42 insertions(+)
|
|
|
|
Index: Python-3.5.1/Doc/howto/urllib2.rst
|
|
===================================================================
|
|
--- Python-3.5.1.orig/Doc/howto/urllib2.rst
|
|
+++ Python-3.5.1/Doc/howto/urllib2.rst
|
|
@@ -538,6 +538,11 @@ setting up a `Basic Authentication`_ han
|
|
through a proxy. However, this can be enabled by extending urllib.request as
|
|
shown in the recipe [#]_.
|
|
|
|
+.. note::
|
|
+
|
|
+ `HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
|
|
+ the documentation on :func:`~urllib.request.getproxies`.
|
|
+
|
|
|
|
Sockets and Layers
|
|
==================
|
|
Index: Python-3.5.1/Doc/library/urllib.request.rst
|
|
===================================================================
|
|
--- Python-3.5.1.orig/Doc/library/urllib.request.rst
|
|
+++ Python-3.5.1/Doc/library/urllib.request.rst
|
|
@@ -166,6 +166,14 @@ The :mod:`urllib.request` module defines
|
|
cannot find it, looks for proxy information from Mac OSX System
|
|
Configuration for Mac OS X and Windows Systems Registry for Windows.
|
|
|
|
+ .. note::
|
|
+
|
|
+ If the environment variable ``REQUEST_METHOD`` is set, which usually
|
|
+ indicates your script is running in a CGI environment, the environment
|
|
+ variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
|
|
+ because that variable can be injected by a client using the "Proxy:" HTTP
|
|
+ header. If you need to use an HTTP proxy in a CGI environment use
|
|
+ ``ProxyHandler`` explicitly.
|
|
|
|
The following classes are provided:
|
|
|
|
@@ -275,6 +283,11 @@ The following classes are provided:
|
|
|
|
To disable autodetected proxy pass an empty dictionary.
|
|
|
|
+ .. note::
|
|
+
|
|
+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
|
|
+ see the documentation on :func:`~urllib.request.getproxies`.
|
|
+
|
|
|
|
.. class:: HTTPPasswordMgr()
|
|
|
|
Index: Python-3.5.1/Lib/urllib/request.py
|
|
===================================================================
|
|
--- Python-3.5.1.orig/Lib/urllib/request.py
|
|
+++ Python-3.5.1/Lib/urllib/request.py
|
|
@@ -2394,6 +2394,13 @@ def getproxies_environment():
|
|
name = name.lower()
|
|
if value and name[-6:] == '_proxy':
|
|
proxies[name[:-6]] = value
|
|
+
|
|
+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
|
|
+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
|
|
+ # header from the client
|
|
+ if 'REQUEST_METHOD' in os.environ:
|
|
+ proxies.pop('http', None)
|
|
+
|
|
return proxies
|
|
|
|
def proxy_bypass_environment(host):
|
|
Index: Python-3.5.1/Misc/NEWS
|
|
===================================================================
|
|
--- Python-3.5.1.orig/Misc/NEWS
|
|
+++ Python-3.5.1/Misc/NEWS
|
|
@@ -1266,6 +1266,10 @@ Library
|
|
lines from the code object, fixing an issue when a lambda function is used as
|
|
decorator argument. Patch by Thomas Ballinger and Allison Kaptur.
|
|
|
|
+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
|
|
+ HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
|
|
+ that the script is in CGI mode.
|
|
+
|
|
- Issue #24521: Fix possible integer overflows in the pickle module.
|
|
|
|
- Issue #22931: Allow '[' and ']' in cookie values.
|
|
Index: Python-3.5.1/Lib/test/test_urllib.py
|
|
===================================================================
|
|
--- Python-3.5.1.orig/Lib/test/test_urllib.py
|
|
+++ Python-3.5.1/Lib/test/test_urllib.py
|
|
@@ -224,6 +224,18 @@ class ProxyTests(unittest.TestCase):
|
|
# List of no_proxies with space.
|
|
self.env.set('NO_PROXY', 'localhost, anotherdomain.com, newdomain.com')
|
|
self.assertTrue(urllib.request.proxy_bypass_environment('anotherdomain.com'))
|
|
+ def test_proxy_cgi_ignore(self):
|
|
+ try:
|
|
+ self.env.set('HTTP_PROXY', 'http://somewhere:3128')
|
|
+ proxies = urllib.request.getproxies_environment()
|
|
+ self.assertEqual('http://somewhere:3128', proxies['http'])
|
|
+ self.env.set('REQUEST_METHOD', 'GET')
|
|
+ proxies = urllib.request.getproxies_environment()
|
|
+ self.assertNotIn('http', proxies)
|
|
+ finally:
|
|
+ self.env.unset('REQUEST_METHOD')
|
|
+ self.env.unset('HTTP_PROXY')
|
|
+
|
|
|
|
class urlopen_HttpTests(unittest.TestCase, FakeHTTPMixin, FakeFTPMixin):
|
|
"""Test urlopen() opening a fake http connection."""
|