From: Senthil Kumaran Date: Sun, 31 Jul 2016 06:34:34 +0000 (-0700) Subject: [merge from 3.3] Prevent HTTPoxy attack (CVE-2016-1000110) X-Git-Tag: v3.4.6rc1~36 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=436fe5a447abb69e5e5a4f453325c422af02dcaa;p=thirdparty%2FPython%2Fcpython.git [merge from 3.3] Prevent HTTPoxy attack (CVE-2016-1000110) Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates that the script is in CGI mode. Issue #27568 Reported and patch contributed by Rémi Rampin. --- 436fe5a447abb69e5e5a4f453325c422af02dcaa diff --cc Lib/test/test_urllib.py index e100039649e3,3b87fa315afe..87171e9b7b17 --- a/Lib/test/test_urllib.py +++ b/Lib/test/test_urllib.py @@@ -222,7 -194,20 +222,20 @@@ class ProxyTests(unittest.TestCase) self.env.set('NO_PROXY', 'localhost, anotherdomain.com, newdomain.com') self.assertTrue(urllib.request.proxy_bypass_environment('anotherdomain.com')) + def test_proxy_cgi_ignore(self): + try: + self.env.set('HTTP_PROXY', 'http://somewhere:3128') + proxies = urllib.request.getproxies_environment() + self.assertEqual('http://somewhere:3128', proxies['http']) + self.env.set('REQUEST_METHOD', 'GET') + proxies = urllib.request.getproxies_environment() + self.assertNotIn('http', proxies) + finally: + self.env.unset('REQUEST_METHOD') + self.env.unset('HTTP_PROXY') + + -class urlopen_HttpTests(unittest.TestCase, FakeHTTPMixin): +class urlopen_HttpTests(unittest.TestCase, FakeHTTPMixin, FakeFTPMixin): """Test urlopen() opening a fake http connection.""" def check_read(self, ver): diff --cc Misc/NEWS index 2d4b4da91060,e9a8f28f2ca0..362b6baf35b3 --- a/Misc/NEWS +++ b/Misc/NEWS @@@ -10,64 -10,56 +10,68 @@@ Release date: TB Core and Builtins ----------------- -- Issue #25709: Fixed problem with in-place string concatenation and utf-8 cache. +Library +------- -- Issue #24407: Fix crash when dict is mutated while being updated. ++- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). 
Ignore the ++ HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates ++ that the script is in CGI mode. + -- Issue #24097: Fixed crash in object.__reduce__() if slot name is freed inside - __getattr__. +Tests +----- -- Issue #24096: Make warnings.warn_explicit more robust against mutation of the - warnings.filters list. +- Issue #27369: In test_pyexpat, avoid testing an error message detail that + changed in Expat 2.2.0. -- Issue #24044: Fix possible null pointer dereference in list.sort in out of - memory conditions. -- Issue #23055: Fixed a buffer overflow in PyUnicode_FromFormatV. Analysis - and fix by Guido Vranken. +What's New in Python 3.4.5? +=========================== -Library -------- +Release date: 2016-06-26 -- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the - HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates - that the script is in CGI mode. +Tests +----- -- Issue #24521: Fix possible integer overflows in the pickle module. +- Issue #26867: Ubuntu's openssl OP_NO_SSLv3 is forced on by default; fix test. -- Issue #22931: Allow '[' and ']' in cookie values. -- Issue #24094: Fix possible crash in json.encode with poorly behaved dict - subclasses. +What's New in Python 3.4.5rc1? +============================== -- Issue #23367: Fix possible overflows in the unicodedata module. +Release date: 2016-06-11 -- Issue #23361: Fix possible overflow in Windows subprocess creation code. +Core and Builtins +----------------- -- Issue #23363: Fix possible overflow in itertools.permutations. +- Issue #26478: Fix semantic bugs when using binary operators with dictionary + views and tuples. -- Issue #23364: Fix possible overflow in itertools.product. +- Issue #26171: Fix possible integer overflow and heap corruption in + zipimporter.get_data(). -- Issue #23369: Fixed possible integer overflow in - _json.encode_basestring_ascii. 
+Library +------- -- Issue #23366: Fixed possible integer overflow in itertools.combinations. +- Issue #26556: Update expat to 2.1.1, fixes CVE-2015-1283. -- Issue #23365: Fixed possible integer overflow in - itertools.combinations_with_replacement. +- Fix TLS stripping vulnerability in smptlib, CVE-2016-0772. Reported by Team + Oststrom -C API ------ +- Issue #25939: On Windows open the cert store readonly in ssl.enum_certificates. -- Issue #23998: PyImport_ReInitLock() now checks for lock allocation error +- Issue #26012: Don't traverse into symlinks for ** pattern in + pathlib.Path.[r]glob(). + +- Issue #24120: Ignore PermissionError when traversing a tree with + pathlib.Path.[r]glob(). Patch by Ulrich Petri. + +- Skip getaddrinfo if host is already resolved. + Patch by A. Jesse Jiryu Davis. + +- Add asyncio.timeout() context manager. + +- Issue #26050: Add asyncio.StreamReader.readuntil() method. + Patch by Марк Коренберг. Tests -----
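Review bot: `test_proxy_cgi_ignore` only exercises the upper-case `HTTP_PROXY` spelling, so the test does not pin down what a lower-case `http_proxy` value should do once `REQUEST_METHOD` is set, even though the commit message scopes the change to `HTTP_PROXY`. Add a second case that sets `http_proxy` together with `REQUEST_METHOD` and asserts on `proxies['http']`, so the intended scope of the CGI-mode exclusion is documented by the test rather than left implicit.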
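Review bot: the merged `++` NEWS entry reads "when REQUEST_METHOD environment is set", which is missing a word; it should say "when the REQUEST_METHOD environment variable is set". Also confirm in the merged `Misc/NEWS` that the `Issue #27568` entry sits under the `Library` heading and not under the `Core and Builtins` heading directly above it, since the `--cc` hunk interleaves both headings and the resulting placement is hard to read from the diff alone.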
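The mitigation described in the commit message, worked through as an added example rather than CPython's own `urllib.request` code: proxy settings are read from `*_proxy` environment variables, but when `REQUEST_METHOD` is present (the script is running under CGI) the `HTTP_PROXY` variable is discarded, because a CGI server builds `HTTP_*` meta-variables from client request headers (RFC 3875), so a client could supply it with a `Proxy:` header. The function takes the environment as a mapping so it can be exercised offline; the choice to keep honouring a lower-case `http_proxy` in CGI mode, and the `cgi_environ_from_headers` helper and sample values, are this example's assumptions, not something the diff shows.

```python
"""Added example: CGI-aware proxy lookup in the spirit of the HTTPoxy fix.

Illustrative code only; it is not CPython's urllib.request implementation.
"""
import os


def getproxies_environment(environ=None):
    """Return {scheme: proxy_url} built from *_proxy environment variables.

    Matches what the commit's test asserts: with REQUEST_METHOD present the
    upper-case HTTP_PROXY variable is ignored.  This example additionally
    keeps a lower-case http_proxy value in CGI mode (an assumption here),
    since CGI header mapping can only produce the upper-case spelling.
    """
    if environ is None:
        environ = os.environ
    proxies = {}
    for name, value in environ.items():
        if value and name.lower().endswith('_proxy'):
            proxies[name[:-6].lower()] = value
    if 'REQUEST_METHOD' in environ:
        # Running as a CGI script: HTTP_PROXY may originate from the
        # client's "Proxy:" request header, so it cannot be trusted.
        proxies.pop('http', None)
        lowercase = environ.get('http_proxy')
        if lowercase:
            proxies['http'] = lowercase
    return proxies


def cgi_environ_from_headers(method, headers, base_environ=None):
    """Build the CGI meta-variables a server would set for one request.

    Per RFC 3875 each client header ``X-Y`` becomes ``HTTP_X_Y``.  Included
    only to show why HTTP_PROXY is untrustworthy under CGI; the mapping is
    a simplified reconstruction (assumption), not any real server's code.
    """
    env = dict(base_environ or {})
    env['REQUEST_METHOD'] = method
    for header, value in headers.items():
        env['HTTP_' + header.upper().replace('-', '_')] = value
    return env


if __name__ == '__main__':
    # Constructed sample values; the proxy host is a documentation address.
    plain = {'HTTP_PROXY': 'http://somewhere:3128'}
    print('non-CGI  :', getproxies_environment(plain))

    cgi = cgi_environ_from_headers('GET', {'Proxy': 'http://198.51.100.7:3128'})
    print('CGI env  :', {k: v for k, v in cgi.items() if k.startswith('HTTP_')})
    print('CGI proxy:', getproxies_environment(cgi))
```

Running the block prints the proxy taken from `HTTP_PROXY` outside CGI, then shows the same variable appearing in a CGI environment and being dropped from the result; `HTTPS_PROXY` and other schemes are unaffected, which is also the scope the commit's test asserts.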