From 43e7ec07065e58128819b0bb359358ce42628672 Mon Sep 17 00:00:00 2001
From: Nitin A Kamble
Date: Tue, 19 Jul 2011 15:42:48 -0700
Subject: python: fix security vulnerability
This Fixes bug: [Yocto #1254] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1015 Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are now collapsed within the url properly before looking in cgi_directories.
Signed-off-by: Nitin A Kamble
---
 meta/recipes-devtools/python/python.inc | 2 +-
 .../python/python/security_issue_2254_fix.patch | 184 +++++++++++++++++++++
 meta/recipes-devtools/python/python_2.6.6.bb | 1 +
 3 files changed, 186 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/python/python/security_issue_2254_fix.patch
(limited to 'meta/recipes-devtools')
diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
index 25a458ef1..a6cc91789 100644
--- a/meta/recipes-devtools/python/python.inc
+++ b/meta/recipes-devtools/python/python.inc
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.python.org"
 LICENSE = "PSF"
 SECTION = "devel/python"
 # bump this on every change in contrib/python/generate-manifest-2.6.py
-INC_PR = "nk2"
+INC_PR = "r2"
 DEFAULT_PREFERENCE = "-26"
diff --git a/meta/recipes-devtools/python/python/security_issue_2254_fix.patch b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch
new file mode 100644
index 000000000..f0328585d
--- /dev/null
+++ b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch
@@ -0,0 +1,184 @@
+Upstream-Status: Backport
+http://svn.python.org/view?view=revision&revision=71303
+
+Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are
+ now collapsed within the url properly before looking in cgi_directories.
+Signed-Off-By: Nitin A Kamble
+2011/07/19
+
+Index: Python-2.6.6/Lib/CGIHTTPServer.py
+===================================================================
+--- Python-2.6.6.orig/Lib/CGIHTTPServer.py
++++ Python-2.6.6/Lib/CGIHTTPServer.py
+@@ -70,27 +70,20 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
+ return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)
+
+ def is_cgi(self):
+- """Test whether self.path corresponds to a CGI script,
+- and return a boolean.
++ """Test whether self.path corresponds to a CGI script.
+
+- This function sets self.cgi_info to a tuple (dir, rest)
+- when it returns True, where dir is the directory part before
+- the CGI script name. Note that rest begins with a
+- slash if it is not empty.
+-
+- The default implementation tests whether the path
+- begins with one of the strings in the list
+- self.cgi_directories (and the next character is a '/'
+- or the end of the string).
++ Returns True and updates the cgi_info attribute to the tuple
++ (dir, rest) if self.path requires running a CGI script.
++ Returns False otherwise.
++
++ The default implementation tests whether the normalized url
++ path begins with one of the strings in self.cgi_directories
++ (and the next character is a '/' or the end of the string).
+ """
+-
+- path = self.path
+-
+- for x in self.cgi_directories:
+- i = len(x)
+- if path[:i] == x and (not path[i:] or path[i] == '/'):
+- self.cgi_info = path[:i], path[i+1:]
+- return True
++ splitpath = _url_collapse_path_split(self.path)
++ if splitpath[0] in self.cgi_directories:
++ self.cgi_info = splitpath
++ return True
+ return False
+
+ cgi_directories = ['/cgi-bin', '/htbin']
+@@ -299,6 +292,46 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
+ self.log_message("CGI script exited OK")
+
+
++# TODO(gregory.p.smith): Move this into an appropriate library.
++def _url_collapse_path_split(path):
++ """
++ Given a URL path, remove extra '/'s and '.' path elements and collapse
++ any '..' references.
++
++ Implements something akin to RFC-2396 5.2 step 6 to parse relative paths.
++
++ Returns: A tuple of (head, tail) where tail is everything after the final /
++ and head is everything before it. Head will always start with a '/' and,
++ if it contains anything else, never have a trailing '/'.
++
++ Raises: IndexError if too many '..' occur within the path.
++ """
++ # Similar to os.path.split(os.path.normpath(path)) but specific to URL
++ # path semantics rather than local operating system semantics.
++ path_parts = []
++ for part in path.split('/'):
++ if part == '.':
++ path_parts.append('')
++ else:
++ path_parts.append(part)
++ # Filter out blank non trailing parts before consuming the '..'.
++ path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:]
++ if path_parts:
++ tail_part = path_parts.pop()
++ else:
++ tail_part = ''
++ head_parts = []
++ for part in path_parts:
++ if part == '..':
++ head_parts.pop()
++ else:
++ head_parts.append(part)
++ if tail_part and tail_part == '..':
++ head_parts.pop()
++ tail_part = ''
++ return ('/' + '/'.join(head_parts), tail_part)
++
++
+ nobody = None
+
+ def nobody_uid():
+Index: Python-2.6.6/Lib/test/test_httpservers.py
+===================================================================
+--- Python-2.6.6.orig/Lib/test/test_httpservers.py
++++ Python-2.6.6/Lib/test/test_httpservers.py
+@@ -7,6 +7,7 @@ Josip Dzolonga, and Michael Otteneder fo
+ from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
+ from SimpleHTTPServer import SimpleHTTPRequestHandler
+ from CGIHTTPServer import CGIHTTPRequestHandler
++import CGIHTTPServer
+
+ import os
+ import sys
+@@ -324,6 +325,45 @@ class CGIHTTPServerTestCase(BaseTestCase
+ finally:
+ BaseTestCase.tearDown(self)
+
++ def test_url_collapse_path_split(self):
++ test_vectors = {
++ '': ('/', ''),
++ '..': IndexError,
++ '/.//..': IndexError,
++ '/': ('/', ''),
++ '//': ('/', ''),
++ '/\\': ('/', '\\'),
++ '/.//': ('/', ''),
++ 'cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
++ '/cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
++ 'a': ('/', 'a'),
++ '/a': ('/', 'a'),
++ '//a': ('/', 'a'),
++ './a': ('/', 'a'),
++ './C:/': ('/C:', ''),
++ '/a/b': ('/a', 'b'),
++ '/a/b/': ('/a/b', ''),
++ '/a/b/c/..': ('/a/b', ''),
++ '/a/b/c/../d': ('/a/b', 'd'),
++ '/a/b/c/../d/e/../f': ('/a/b/d', 'f'),
++ '/a/b/c/../d/e/../../f': ('/a/b', 'f'),
++ '/a/b/c/../d/e/.././././..//f': ('/a/b', 'f'),
++ '../a/b/c/../d/e/.././././..//f': IndexError,
++ '/a/b/c/../d/e/../../../f': ('/a', 'f'),
++ '/a/b/c/../d/e/../../../../f': ('/', 'f'),
++ '/a/b/c/../d/e/../../../../../f': IndexError,
++ '/a/b/c/../d/e/../../../../f/..': ('/', ''),
++ }
++ for path, expected in test_vectors.iteritems():
++ if isinstance(expected, type) and issubclass(expected, Exception):
++ self.assertRaises(expected,
++ CGIHTTPServer._url_collapse_path_split, path)
++ else:
++ actual = CGIHTTPServer._url_collapse_path_split(path)
++ self.assertEquals(expected, actual,
++ msg='path = %r\nGot: %r\nWanted: %r' % (
++ path, actual, expected))
++
+ def test_headers_and_content(self):
+ res = self.request('/cgi-bin/file1.py')
+ self.assertEquals(('Hello World\n', 'text/html', 200), \
+@@ -348,6 +388,12 @@ class CGIHTTPServerTestCase(BaseTestCase
+ self.assertEquals(('Hello World\n', 'text/html', 200), \
+ (res.read(), res.getheader('Content-type'), res.status))
+
++ def test_no_leading_slash(self):
++ # http://bugs.python.org/issue2254
++ res = self.request('cgi-bin/file1.py')
++ self.assertEquals(('Hello World\n', 'text/html', 200),
++ (res.read(), res.getheader('Content-type'), res.status))
++
+
+ def test_main(verbose=None):
+ cwd = os.getcwd()
+Index: Python-2.6.6/Misc/NEWS
+===================================================================
+--- Python-2.6.6.orig/Misc/NEWS
++++ Python-2.6.6/Misc/NEWS
+@@ -137,6 +137,9 @@ C-API
+ Library
+ -------
+
++- Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are
++ now collapsed within the url properly before looking in cgi_directories.
++
+ - Issue #8447: Make distutils.sysconfig follow symlinks in the path to
+ the interpreter executable. This fixes a failure of test_httpservers
+ on OS X.
diff --git a/meta/recipes-devtools/python/python_2.6.6.bb b/meta/recipes-devtools/python/python_2.6.6.bb
index 598fea814..f71440a59 100644
--- a/meta/recipes-devtools/python/python_2.6.6.bb
+++ b/meta/recipes-devtools/python/python_2.6.6.bb
@@ -19,6 +19,7 @@ SRC_URI = "\
 file://99-ignore-optimization-flag.patch \
 ${DISTRO_SRC_URI} \
 file://multilib.patch \
+ file://security_issue_2254_fix.patch \
 "
 SRC_URI[md5sum] = "cf4e6881bb84a7ce6089e4a307f71f14"
--
cgit v1.2.3
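Review bot: The rewritten `is_cgi` body in the CGIHTTPServer.py hunk tests the whole head returned by `_url_collapse_path_split` with `splitpath[0] in self.cgi_directories`, whereas the removed prefix test accepted anything below a CGI directory, so `/cgi-bin/sub/file1.py` now returns False, and because the helper splits on every `/`, a query such as `/cgi-bin/file1.py?x=a/b` also yields a head of `/cgi-bin/file1.py?x=a` and returns False; the `return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)` context line just above the method shows the non-CGI fallback, so such a script would presumably be served as a plain file, which is the disclosure class this backport is meant to close. The fix is to partition the query off before collapsing, match successive path prefixes of the collapsed path against `cgi_directories` instead of the full head, and re-attach the query to the rest part, which `run_cgi` (outside the hunk) appears to scan for `?`. Separately, the helper's docstring says it raises IndexError on excess `..` and nothing in `is_cgi` handles it, so such a request presumably leaves the handler as a traceback rather than a 4xx response; returning False there is enough. The test hunk pins the helper only; a vector with a query containing `/` and a request for a script one directory below `cgi-bin`, alongside `test_no_leading_slash`, would pin both `is_cgi` regressions.
```python
    def is_cgi(self):
        # … unchanged: docstring …
        # Keep the query string out of the path collapse; it may contain '/'.
        path, _, query = self.path.partition('?')
        try:
            head, tail = _url_collapse_path_split(path)
        except IndexError:
            # More '..' than path elements: not a CGI path.
            return False
        # Match path prefixes against cgi_directories so scripts in
        # sub-directories of a CGI directory are still recognized.
        collapsed = head.rstrip('/') + '/' + tail
        dir_sep = collapsed.find('/', 1)
        while dir_sep > 0 and collapsed[:dir_sep] not in self.cgi_directories:
            dir_sep = collapsed.find('/', dir_sep + 1)
        if dir_sep <= 0:
            return False
        head, tail = collapsed[:dir_sep], collapsed[dir_sep + 1:]
        if query:
            tail = tail + '?' + query
        self.cgi_info = head, tail
        return True
```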