Petr Viktorin [Thu, 16 Jul 2020 19:48:01 +0000 (21:48 +0200)]
[3.5] bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (#21489)
Avoid infinite loop when reading specially crafted TAR files using the tarfile module
(CVE-2019-20907).
(cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4)
The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.
AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.
Victor Stinner [Fri, 3 Apr 2020 01:37:32 +0000 (03:37 +0200)]
bpo-38804: Fix REDoS in http.cookiejar (GH-17157) (#17344)
The regex http.cookiejar.LOOSE_HTTP_DATE_RE was vulnerable to regular
expression denial of service (REDoS).
LOOSE_HTTP_DATE_RE.match is called when using http.cookiejar.CookieJar
to parse Set-Cookie headers returned by a server.
Processing a response from a malicious HTTP server can lead to extreme
CPU usage and execution will be blocked for a long time.
The regex contained multiple overlapping \s* capture groups.
Ignoring the ?-optional capture groups the regex could be simplified to
\d+-\w+-\d+(\s*\s*\s*)$
Therefore, a long sequence of spaces can trigger bad performance.
class Handler(BaseHTTPRequestHandler):
def do_GET(self):
self.log_request(204)
self.send_response_only(204) # Don't bother sending Server and Date
n_spaces = (
int(self.path[1:]) # Can GET e.g. /100 to test shorter sequences
if len(self.path) > 1 else
65506 # Max header line length 65536
)
value = make_set_cookie_value(n_spaces)
for i in range(99): # Not necessary, but we can have up to 100 header lines
self.send_header("Set-Cookie", value)
self.end_headers()
if __name__ == "__main__":
HTTPServer(("", 44020), Handler).serve_forever()
This server returns 99 Set-Cookie headers. Each has 65506 spaces.
Extracting the cookies will pretty much never complete.
Vulnerable client using the example at the bottom of
https://docs.python.org/3/library/http.cookiejar.html :
import http.cookiejar, urllib.request
cj = http.cookiejar.CookieJar()
opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
r = opener.open("http://localhost:44020/")
The popular requests library was also vulnerable without any additional
options (as it uses http.cookiejar by default):
[3.5] bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) (#15446)
* [3.5] bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794)
Some crafted email header would cause the get_parameter method to run in an
infinite loop causing a DoS attack surface when parsing those headers. This
patch fixes that by making sure the DQUOTE character is handled to prevent
going into an infinite loop.
(cherry picked from commit a4a994bd3e619cbaff97610a1cee8ffa87c672f5)
Victor Stinner [Sat, 7 Sep 2019 06:06:27 +0000 (08:06 +0200)]
bpo-36576: Skip test_ssl and test_asyncio tests failing with OpenSSL 1.1.1 (#12694)
Some test_ssl and test_asyncio tests were written for OpenSSL 1.0 and TLS 1.0, but fail with OpenSSL 1.1.1 and TLS 1.3. Fixing these requires backporting new ssl flags like ssl.OP_NO_TLSv1_3 or ssl.OP_NO_COMPRESSION, which is inappropriate at this stage in Python 3.5's lifetime. Moreover, it's not really worth it: the code works fine, the problem is just in the tests. This patch disables those problematic tests when Python 3.5 is built using newer versions of OpenSSL.
bpo-30458: Disallow control chars in http URLs. (GH-12755) (#13207)
Disallow control chars in http URLs in urllib.urlopen. This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected.
Disable https related urllib tests on a build without ssl (GH-13032)
These tests require an SSL enabled build. Skip these tests when python is built without SSL to fix test failures.
Use http.client.InvalidURL instead of ValueError as the new error case's exception. (GH-13044)
CVE-2019-9948: Avoid file reading by disallowing local-file:// and
local_file:// URL schemes in URLopener().open() and
URLopener().retrieve() of urllib.request.
Xtreak [Sun, 17 Mar 2019 00:03:39 +0000 (05:33 +0530)]
[3.5] bpo-35121: prefix dot in domain for proper subdomain validation (GH-10258) (#12281)
Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy. Patch by Karthikeyan Singaravelan.
(cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14)
Cheryl Sabella [Mon, 4 Mar 2019 00:00:49 +0000 (19:00 -0500)]
[3.5] bpo-33329: Fix multiprocessing regression on newer glibcs (GH-6575) (#12144)
Starting with glibc 2.27.9000-xxx, sigaddset() can return EINVAL for some
reserved signal numbers between 1 and NSIG. The `range(1, NSIG)` idiom
is commonly used to select all signals for blocking with `pthread_sigmask`.
So we ignore the sigaddset() return value until we expose sigfillset()
to provide a better idiom.
(cherry picked from commit 25038ec)
Victor Stinner [Tue, 26 Feb 2019 00:17:02 +0000 (01:17 +0100)]
bpo-35746: Fix segfault in ssl's cert parser (GH-11569) (#11867)
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
distribution points with empty DP or URI correctly. A malicious or buggy
certificate can result into segfault.
Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas
Edet of Cisco.
bpo-33216: Clarify the documentation for CALL_FUNCTION_* (#8338)
Clarify the documentation for the CALL_FUNCTION_* bytecodes. They changed in 3.5 in subtle ways and the documentation has never been correct, much less clear.
The regex to test a mail server's timestamp is susceptible to
catastrophic backtracking on long evil responses from the server.
Happily, the maximum length of malicious inputs is 2K thanks
to a limit introduced in the fix for CVE-2013-1752.
A 2KB evil response from the mail server would result in small slowdowns
(milliseconds vs. microseconds) accumulated over many apop calls.
This is a potential DOS vector via accumulated slowdowns.
Replace it with a similar non-vulnerable regex.
The new regex is RFC compliant.
The old regex was non-compliant in edge cases.
* Prevent difflib REDOS (CVE-2018-1061)
The default regex for IS_LINE_JUNK is susceptible to
catastrophic backtracking.
This is a potential DOS vector.
Replace it with an equivalent non-vulnerable regex.
Also introduce unit and REDOS tests for difflib.
Co-authored-by: Tim Peters <tim.peters@gmail.com> Co-authored-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 0e6c8ee2358a2e23117501826c008842acb835ac)
Serhiy Storchaka [Tue, 23 Jan 2018 11:21:21 +0000 (13:21 +0200)]
[3.5] bpo-32072: Fix issues with binary plists. (GH-4455) (#4656)
* [3.5] bpo-32072: Fix issues with binary plists. (GH-4455)
* Fixed saving bytearrays.
* Identical objects will be saved only once.
* Equal references will be load as identical objects.
* Added support for saving and loading recursive data structures.
(cherry picked from commit a897aee)
* Fix implementation dependent assertion in test_plistlib. (#4813)
Directory and zipfile execution previously added
the parent directory of the directory or zipfile
as sys.path[0] and then subsequently overwrote
it with the directory or zipfile itself.
This caused problems in isolated mode, as it
overwrote the "stdlib as a zip archive" entry
in sys.path, as the parent directory was
never added.
The attempted fix to that issue in bpo-29319
created the opposite problem in *non*-isolated
mode, by potentially leaving the parent
directory on sys.path instead of overwriting it.
This change fixes the root cause of the problem
by removing the whole "add-and-overwrite" dance
for sys.path[0], and instead simply never adds
the parent directory to sys.path in the first
place.
Victor Stinner [Mon, 25 Sep 2017 00:58:32 +0000 (17:58 -0700)]
[3.5][Security] bpo-30947, bpo-31170: Update expat from 2.2.1 to 2.2.4 (#3354)
* bpo-30947, bpo-31170: Update expat from 2.2.1 to 2.2.4
* Upgrade libexpat embedded copy from version 2.2.1 to 2.2.3 to get security
fixes.
* Update libexpat from 2.2.3 to 2.2.4. Fix copying of partial
characters for UTF-8 input (libexpat bug 115):
https://github.com/libexpat/libexpat/issues/115
The `Show Source` was broken because of a change made in sphinx 1.5.1
In Sphinx 1.4.9, the sourcename was "index.txt".
In Sphinx 1.5.1+, it is now "index.rst.txt".
(cherry picked from commit b9ff498793611d1c6a9b99df464812931a1e2d69)
Ned Deily [Fri, 8 Sep 2017 17:42:19 +0000 (10:42 -0700)]
[3.5] bpo-31036: Allow sphinx and blurb to be found automatically (GH-3440)
Rather than requiring the path to blurb and/or sphinx-build to be specified to
the make rule, enhance the Doc/Makefile to look for each first in a virtual
environment created by make venv and, if not found, look on the normal process
PATH. This allows the Doc/Makefile to take advantage of an installed
spinx-build or blurb and, thus, do the right thing most of the time. Also, make
the directory for the venv be configurable and document the `make venv` target.
projects / thirdparty / Python / cpython.git / log
