Fix for CVE-2016-1000110 HTTPoxy attack

This commit is contained in:
Charalampos Stratakis 2016-08-09 14:27:26 +02:00
parent 4bc70e0cc0
commit 77a5f91947
6 changed files with 138 additions and 35 deletions

View File

@ -0,0 +1,100 @@
# HG changeset patch
# User Senthil Kumaran <senthil@uthcode.com>
# Date 1469947146 25200
# Node ID a0ac52ed8f7918222603b584ec8fc93d9b7bc0a5
# Parent 4cb94e561e2db9865fb4d752f2bceefca4c6819a# Parent 3c19023c9fec5a615c25598468b44fade89049ce
[merge from 3.4] - Prevent HTTPoxy attack (CVE-2016-1000110)
Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
indicates that the script is in CGI mode.
Issue #27568 Reported and patch contributed by Rémi Rampin.
diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst
--- a/Doc/howto/urllib2.rst
+++ b/Doc/howto/urllib2.rst
@@ -538,6 +538,11 @@ setting up a `Basic Authentication`_ han
through a proxy. However, this can be enabled by extending urllib.request as
shown in the recipe [#]_.
+.. note::
+
+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
+ the documentation on :func:`~urllib.request.getproxies`.
+
Sockets and Layers
==================
diff --git a/Doc/library/urllib.request.rst b/Doc/library/urllib.request.rst
--- a/Doc/library/urllib.request.rst
+++ b/Doc/library/urllib.request.rst
@@ -166,6 +166,16 @@ The :mod:`urllib.request` module defines the following functions:
cannot find it, looks for proxy information from Mac OSX System
Configuration for Mac OS X and Windows Systems Registry for Windows.
+ .. note::
+
+ If the environment variable ``REQUEST_METHOD`` is set, which usually
+ indicates your script is running in a CGI environment, the environment
+ variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
+ because that variable can be injected by a client using the "Proxy:" HTTP
+ header. If you need to use an HTTP proxy in a CGI environment, either use
+ ``ProxyHandler`` explicitly, or make sure the variable name is in
+ lowercase (or at least the ``_proxy`` suffix).
+
The following classes are provided:
@@ -275,6 +285,12 @@ The following classes are provided:
To disable autodetected proxy pass an empty dictionary.
+ .. note::
+
+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
+ see the documentation on :func:`~urllib.request.getproxies`.
+
+
.. class:: HTTPPasswordMgr()
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -225,6 +225,18 @@ class ProxyTests(unittest.TestCase):
self.env.set('NO_PROXY', 'localhost, anotherdomain.com, newdomain.com')
self.assertTrue(urllib.request.proxy_bypass_environment('anotherdomain.com'))
+ def test_proxy_cgi_ignore(self):
+ try:
+ self.env.set('HTTP_PROXY', 'http://somewhere:3128')
+ proxies = urllib.request.getproxies_environment()
+ self.assertEqual('http://somewhere:3128', proxies['http'])
+ self.env.set('REQUEST_METHOD', 'GET')
+ proxies = urllib.request.getproxies_environment()
+ self.assertNotIn('http', proxies)
+ finally:
+ self.env.unset('REQUEST_METHOD')
+ self.env.unset('HTTP_PROXY')
+
class urlopen_HttpTests(unittest.TestCase, FakeHTTPMixin, FakeFTPMixin):
"""Test urlopen() opening a fake http connection."""
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -2394,6 +2394,12 @@ def getproxies_environment():
name = name.lower()
if value and name[-6:] == '_proxy':
proxies[name[:-6]] = value
+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
+ # header from the client
+ # If "proxy" is lowercase, it will still be used thanks to the next block
+ if 'REQUEST_METHOD' in os.environ:
+ proxies.pop('http', None)
return proxies
def proxy_bypass_environment(host):

View File

@ -2,7 +2,7 @@
# Conditionals and other variables controlling the build # Conditionals and other variables controlling the build
# ====================================================== # ======================================================
# NOTES ON BOOTSTRAPING PYTHON 3.4: # NOTES ON BOOTSTRAPING PYTHON 3.5:
# #
# Due to dependency cycle between Python, pip, setuptools and # Due to dependency cycle between Python, pip, setuptools and
# wheel caused by the rewheel patch, one has to build in the # wheel caused by the rewheel patch, one has to build in the
@ -112,7 +112,7 @@
Summary: Version 3 of the Python programming language aka Python 3000 Summary: Version 3 of the Python programming language aka Python 3000
Name: python3 Name: python3
Version: %{pybasever}.1 Version: %{pybasever}.1
Release: 14%{?dist} Release: 15%{?dist}
License: Python License: Python
Group: Development/Languages Group: Development/Languages
@ -429,54 +429,52 @@ Patch207: 00207-math-once.patch
Patch208: 00208-disable-test_with_pip-on-ppc.patch Patch208: 00208-disable-test_with_pip-on-ppc.patch
# 00209 # # 00209 #
# Fix test breakage with version 2.2.0 of Expat
# rhbz#1353918: https://bugzilla.redhat.com/show_bug.cgi?id=1353918
# FIXED UPSTREAM: http://bugs.python.org/issue27369
Patch209: 00209-fix-test-pyexpat-failure.patch
# 00237 #
# CVE-2016-0772 python: smtplib StartTLS stripping attack
# rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
# rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345
# FIXED UPSTREAM: https://hg.python.org/cpython/rev/d590114c2394
# Raise an error when STARTTLS fails
Patch237: 00237-Raise-an-error-when-STARTTLS-fails.patch
# 00241 #
# CVE-2016-5636: http://seclists.org/oss-sec/2016/q2/560 # CVE-2016-5636: http://seclists.org/oss-sec/2016/q2/560
# rhbz#1345859: https://bugzilla.redhat.com/show_bug.cgi?id=1345859 # rhbz#1345859: https://bugzilla.redhat.com/show_bug.cgi?id=1345859
# https://hg.python.org/cpython/rev/10dad6da1b28/ # https://hg.python.org/cpython/rev/10dad6da1b28/
# https://hg.python.org/cpython/rev/5533a9e02b21 # https://hg.python.org/cpython/rev/5533a9e02b21
# Fix possible integer overflow and heap corruption in zipimporter.get_data() # Fix possible integer overflow and heap corruption in zipimporter.get_data()
# FIXED UPSTREAM: https://bugs.python.org/issue26171 # FIXED UPSTREAM: https://bugs.python.org/issue26171
Patch209: 00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch Patch241: 00241-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch
# 00210 #
# CVE-2016-0772 python: smtplib StartTLS stripping attack
# rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
# rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345
# FIXED UPSTREAM: https://hg.python.org/cpython/rev/d590114c2394
# Raise an error when STARTTLS fails
Patch210: 00210-Raise-an-error-when-STARTTLS-fails.patch
# 00211 #
# Fix test breakage with version 2.2.0 of Expat
# rhbz#1353918: https://bugzilla.redhat.com/show_bug.cgi?id=1353918
# NOT YET FIXED UPSTREAM: http://bugs.python.org/issue27369
Patch211: 00211-fix-test-pyexpat-failure.patch
# 00242 # # 00242 #
# HTTPoxy attack (CVE-2016-1000110)
# https://httpoxy.org/
# FIXED UPSTREAM: http://bugs.python.org/issue27568
# Based on a patch by Rémi Rampin
# Resolves: rhbz#1359177
Patch242: 00242-CVE-2016-1000110-httpoxy.patch
# 00243 #
# Fix the triplet used on 64-bit MIPS # Fix the triplet used on 64-bit MIPS
# rhbz#1322526: https://bugzilla.redhat.com/show_bug.cgi?id=1322526 # rhbz#1322526: https://bugzilla.redhat.com/show_bug.cgi?id=1322526
# Upstream uses Debian-like style mips64-linux-gnuabi64 # Upstream uses Debian-like style mips64-linux-gnuabi64
# Fedora needs the default mips64-linux-gnu # Fedora needs the default mips64-linux-gnu
Patch242: 00242-fix-mips64-triplet.patch Patch243: 00243-fix-mips64-triplet.patch
# (New patches go here ^^^) # (New patches go here ^^^)
# #
# When adding new patches to "python" and "python3" in Fedora 17 onwards, # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
# please try to keep the patch numbers in-sync between the two specfiles: # please try to keep the patch numbers in-sync between all specfiles.
# #
# - use the same patch number across both specfiles for conceptually-equivalent # More information, and a patch number catalog, is at:
# fixes, ideally with the same name
# #
# - when a patch is relevant to both specfiles, use the same introductory # https://fedoraproject.org/wiki/SIGs/Python/PythonPatches
# comment in both specfiles where possible (to improve "diff" output when
# comparing them)
#
# - when a patch is only relevant for one of the two specfiles, leave a gap
# in the patch numbering in the other specfile, adding a comment when
# omitting a patch, both in the manifest section here, and in the "prep"
# phase below
#
# Hopefully this will make it easier to ensure that all relevant fixes are
# applied to both versions.
# add correct arch for ppc64/ppc64le # add correct arch for ppc64/ppc64le
# it should be ppc64le-linux-gnu/ppc64-linux-gnu instead powerpc64le-linux-gnu/powerpc64-linux-gnu # it should be ppc64le-linux-gnu/ppc64-linux-gnu instead powerpc64le-linux-gnu/powerpc64-linux-gnu
@ -706,9 +704,10 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en
%patch207 -p1 %patch207 -p1
%patch208 -p1 %patch208 -p1
%patch209 -p1 %patch209 -p1
%patch210 -p1 %patch237 -p1
%patch211 -p1 %patch241 -p1
%patch242 -p1 %patch242 -p1
%patch243 -p1
# Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
# are many differences between 2.6 and the Python 3 library. # are many differences between 2.6 and the Python 3 library.
@ -1613,6 +1612,10 @@ rm -fr %{buildroot}
# ====================================================== # ======================================================
%changelog %changelog
* Tue Aug 09 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.5.1-15
- Fix for CVE-2016-1000110 HTTPoxy attack
- SPEC file cleanup
* Mon Aug 01 2016 Michal Toman <mtoman@fedoraproject.org> - 3.5.1-14 * Mon Aug 01 2016 Michal Toman <mtoman@fedoraproject.org> - 3.5.1-14
- Build properly on MIPS - Build properly on MIPS