Fix for CVE-2016-1000110 HTTPoxy attack
This commit is contained in:
parent
4bc70e0cc0
commit
77a5f91947
100
00242-CVE-2016-1000110-httpoxy.patch
Normal file
100
00242-CVE-2016-1000110-httpoxy.patch
Normal file
@ -0,0 +1,100 @@
|
|||||||
|
|
||||||
|
# HG changeset patch
|
||||||
|
# User Senthil Kumaran <senthil@uthcode.com>
|
||||||
|
# Date 1469947146 25200
|
||||||
|
# Node ID a0ac52ed8f7918222603b584ec8fc93d9b7bc0a5
|
||||||
|
# Parent 4cb94e561e2db9865fb4d752f2bceefca4c6819a# Parent 3c19023c9fec5a615c25598468b44fade89049ce
|
||||||
|
[merge from 3.4] - Prevent HTTPoxy attack (CVE-2016-1000110)
|
||||||
|
|
||||||
|
Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
|
||||||
|
indicates that the script is in CGI mode.
|
||||||
|
|
||||||
|
Issue #27568 Reported and patch contributed by Rémi Rampin.
|
||||||
|
|
||||||
|
diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst
|
||||||
|
--- a/Doc/howto/urllib2.rst
|
||||||
|
+++ b/Doc/howto/urllib2.rst
|
||||||
|
@@ -538,6 +538,11 @@ setting up a `Basic Authentication`_ han
|
||||||
|
through a proxy. However, this can be enabled by extending urllib.request as
|
||||||
|
shown in the recipe [#]_.
|
||||||
|
|
||||||
|
+.. note::
|
||||||
|
+
|
||||||
|
+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
|
||||||
|
+ the documentation on :func:`~urllib.request.getproxies`.
|
||||||
|
+
|
||||||
|
|
||||||
|
Sockets and Layers
|
||||||
|
==================
|
||||||
|
diff --git a/Doc/library/urllib.request.rst b/Doc/library/urllib.request.rst
|
||||||
|
--- a/Doc/library/urllib.request.rst
|
||||||
|
+++ b/Doc/library/urllib.request.rst
|
||||||
|
@@ -166,6 +166,16 @@ The :mod:`urllib.request` module defines the following functions:
|
||||||
|
cannot find it, looks for proxy information from Mac OSX System
|
||||||
|
Configuration for Mac OS X and Windows Systems Registry for Windows.
|
||||||
|
|
||||||
|
+ .. note::
|
||||||
|
+
|
||||||
|
+ If the environment variable ``REQUEST_METHOD`` is set, which usually
|
||||||
|
+ indicates your script is running in a CGI environment, the environment
|
||||||
|
+ variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
|
||||||
|
+ because that variable can be injected by a client using the "Proxy:" HTTP
|
||||||
|
+ header. If you need to use an HTTP proxy in a CGI environment, either use
|
||||||
|
+ ``ProxyHandler`` explicitly, or make sure the variable name is in
|
||||||
|
+ lowercase (or at least the ``_proxy`` suffix).
|
||||||
|
+
|
||||||
|
|
||||||
|
The following classes are provided:
|
||||||
|
|
||||||
|
@@ -275,6 +285,12 @@ The following classes are provided:
|
||||||
|
|
||||||
|
To disable autodetected proxy pass an empty dictionary.
|
||||||
|
|
||||||
|
+ .. note::
|
||||||
|
+
|
||||||
|
+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
|
||||||
|
+ see the documentation on :func:`~urllib.request.getproxies`.
|
||||||
|
+
|
||||||
|
+
|
||||||
|
|
||||||
|
.. class:: HTTPPasswordMgr()
|
||||||
|
|
||||||
|
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
|
||||||
|
--- a/Lib/test/test_urllib.py
|
||||||
|
+++ b/Lib/test/test_urllib.py
|
||||||
|
@@ -225,6 +225,18 @@ class ProxyTests(unittest.TestCase):
|
||||||
|
self.env.set('NO_PROXY', 'localhost, anotherdomain.com, newdomain.com')
|
||||||
|
self.assertTrue(urllib.request.proxy_bypass_environment('anotherdomain.com'))
|
||||||
|
|
||||||
|
+ def test_proxy_cgi_ignore(self):
|
||||||
|
+ try:
|
||||||
|
+ self.env.set('HTTP_PROXY', 'http://somewhere:3128')
|
||||||
|
+ proxies = urllib.request.getproxies_environment()
|
||||||
|
+ self.assertEqual('http://somewhere:3128', proxies['http'])
|
||||||
|
+ self.env.set('REQUEST_METHOD', 'GET')
|
||||||
|
+ proxies = urllib.request.getproxies_environment()
|
||||||
|
+ self.assertNotIn('http', proxies)
|
||||||
|
+ finally:
|
||||||
|
+ self.env.unset('REQUEST_METHOD')
|
||||||
|
+ self.env.unset('HTTP_PROXY')
|
||||||
|
+
|
||||||
|
class urlopen_HttpTests(unittest.TestCase, FakeHTTPMixin, FakeFTPMixin):
|
||||||
|
"""Test urlopen() opening a fake http connection."""
|
||||||
|
|
||||||
|
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
|
||||||
|
--- a/Lib/urllib/request.py
|
||||||
|
+++ b/Lib/urllib/request.py
|
||||||
|
@@ -2394,6 +2394,12 @@ def getproxies_environment():
|
||||||
|
name = name.lower()
|
||||||
|
if value and name[-6:] == '_proxy':
|
||||||
|
proxies[name[:-6]] = value
|
||||||
|
+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
|
||||||
|
+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
|
||||||
|
+ # header from the client
|
||||||
|
+ # If "proxy" is lowercase, it will still be used thanks to the next block
|
||||||
|
+ if 'REQUEST_METHOD' in os.environ:
|
||||||
|
+ proxies.pop('http', None)
|
||||||
|
return proxies
|
||||||
|
|
||||||
|
def proxy_bypass_environment(host):
|
||||||
|
|
73
python3.spec
73
python3.spec
@ -2,7 +2,7 @@
|
|||||||
# Conditionals and other variables controlling the build
|
# Conditionals and other variables controlling the build
|
||||||
# ======================================================
|
# ======================================================
|
||||||
|
|
||||||
# NOTES ON BOOTSTRAPING PYTHON 3.4:
|
# NOTES ON BOOTSTRAPING PYTHON 3.5:
|
||||||
#
|
#
|
||||||
# Due to dependency cycle between Python, pip, setuptools and
|
# Due to dependency cycle between Python, pip, setuptools and
|
||||||
# wheel caused by the rewheel patch, one has to build in the
|
# wheel caused by the rewheel patch, one has to build in the
|
||||||
@ -112,7 +112,7 @@
|
|||||||
Summary: Version 3 of the Python programming language aka Python 3000
|
Summary: Version 3 of the Python programming language aka Python 3000
|
||||||
Name: python3
|
Name: python3
|
||||||
Version: %{pybasever}.1
|
Version: %{pybasever}.1
|
||||||
Release: 14%{?dist}
|
Release: 15%{?dist}
|
||||||
License: Python
|
License: Python
|
||||||
Group: Development/Languages
|
Group: Development/Languages
|
||||||
|
|
||||||
@ -429,54 +429,52 @@ Patch207: 00207-math-once.patch
|
|||||||
Patch208: 00208-disable-test_with_pip-on-ppc.patch
|
Patch208: 00208-disable-test_with_pip-on-ppc.patch
|
||||||
|
|
||||||
# 00209 #
|
# 00209 #
|
||||||
|
# Fix test breakage with version 2.2.0 of Expat
|
||||||
|
# rhbz#1353918: https://bugzilla.redhat.com/show_bug.cgi?id=1353918
|
||||||
|
# FIXED UPSTREAM: http://bugs.python.org/issue27369
|
||||||
|
Patch209: 00209-fix-test-pyexpat-failure.patch
|
||||||
|
|
||||||
|
# 00237 #
|
||||||
|
# CVE-2016-0772 python: smtplib StartTLS stripping attack
|
||||||
|
# rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
|
||||||
|
# rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345
|
||||||
|
# FIXED UPSTREAM: https://hg.python.org/cpython/rev/d590114c2394
|
||||||
|
# Raise an error when STARTTLS fails
|
||||||
|
Patch237: 00237-Raise-an-error-when-STARTTLS-fails.patch
|
||||||
|
|
||||||
|
# 00241 #
|
||||||
# CVE-2016-5636: http://seclists.org/oss-sec/2016/q2/560
|
# CVE-2016-5636: http://seclists.org/oss-sec/2016/q2/560
|
||||||
# rhbz#1345859: https://bugzilla.redhat.com/show_bug.cgi?id=1345859
|
# rhbz#1345859: https://bugzilla.redhat.com/show_bug.cgi?id=1345859
|
||||||
# https://hg.python.org/cpython/rev/10dad6da1b28/
|
# https://hg.python.org/cpython/rev/10dad6da1b28/
|
||||||
# https://hg.python.org/cpython/rev/5533a9e02b21
|
# https://hg.python.org/cpython/rev/5533a9e02b21
|
||||||
# Fix possible integer overflow and heap corruption in zipimporter.get_data()
|
# Fix possible integer overflow and heap corruption in zipimporter.get_data()
|
||||||
# FIXED UPSTREAM: https://bugs.python.org/issue26171
|
# FIXED UPSTREAM: https://bugs.python.org/issue26171
|
||||||
Patch209: 00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch
|
Patch241: 00241-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch
|
||||||
|
|
||||||
# 00210 #
|
|
||||||
# CVE-2016-0772 python: smtplib StartTLS stripping attack
|
|
||||||
# rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
|
|
||||||
# rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345
|
|
||||||
# FIXED UPSTREAM: https://hg.python.org/cpython/rev/d590114c2394
|
|
||||||
# Raise an error when STARTTLS fails
|
|
||||||
Patch210: 00210-Raise-an-error-when-STARTTLS-fails.patch
|
|
||||||
|
|
||||||
# 00211 #
|
|
||||||
# Fix test breakage with version 2.2.0 of Expat
|
|
||||||
# rhbz#1353918: https://bugzilla.redhat.com/show_bug.cgi?id=1353918
|
|
||||||
# NOT YET FIXED UPSTREAM: http://bugs.python.org/issue27369
|
|
||||||
Patch211: 00211-fix-test-pyexpat-failure.patch
|
|
||||||
|
|
||||||
# 00242 #
|
# 00242 #
|
||||||
|
# HTTPoxy attack (CVE-2016-1000110)
|
||||||
|
# https://httpoxy.org/
|
||||||
|
# FIXED UPSTREAM: http://bugs.python.org/issue27568
|
||||||
|
# Based on a patch by Rémi Rampin
|
||||||
|
# Resolves: rhbz#1359177
|
||||||
|
Patch242: 00242-CVE-2016-1000110-httpoxy.patch
|
||||||
|
|
||||||
|
# 00243 #
|
||||||
# Fix the triplet used on 64-bit MIPS
|
# Fix the triplet used on 64-bit MIPS
|
||||||
# rhbz#1322526: https://bugzilla.redhat.com/show_bug.cgi?id=1322526
|
# rhbz#1322526: https://bugzilla.redhat.com/show_bug.cgi?id=1322526
|
||||||
# Upstream uses Debian-like style mips64-linux-gnuabi64
|
# Upstream uses Debian-like style mips64-linux-gnuabi64
|
||||||
# Fedora needs the default mips64-linux-gnu
|
# Fedora needs the default mips64-linux-gnu
|
||||||
Patch242: 00242-fix-mips64-triplet.patch
|
Patch243: 00243-fix-mips64-triplet.patch
|
||||||
|
|
||||||
# (New patches go here ^^^)
|
# (New patches go here ^^^)
|
||||||
#
|
#
|
||||||
# When adding new patches to "python" and "python3" in Fedora 17 onwards,
|
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
||||||
# please try to keep the patch numbers in-sync between the two specfiles:
|
# please try to keep the patch numbers in-sync between all specfiles.
|
||||||
#
|
#
|
||||||
# - use the same patch number across both specfiles for conceptually-equivalent
|
# More information, and a patch number catalog, is at:
|
||||||
# fixes, ideally with the same name
|
|
||||||
#
|
#
|
||||||
# - when a patch is relevant to both specfiles, use the same introductory
|
# https://fedoraproject.org/wiki/SIGs/Python/PythonPatches
|
||||||
# comment in both specfiles where possible (to improve "diff" output when
|
|
||||||
# comparing them)
|
|
||||||
#
|
|
||||||
# - when a patch is only relevant for one of the two specfiles, leave a gap
|
|
||||||
# in the patch numbering in the other specfile, adding a comment when
|
|
||||||
# omitting a patch, both in the manifest section here, and in the "prep"
|
|
||||||
# phase below
|
|
||||||
#
|
|
||||||
# Hopefully this will make it easier to ensure that all relevant fixes are
|
|
||||||
# applied to both versions.
|
|
||||||
|
|
||||||
# add correct arch for ppc64/ppc64le
|
# add correct arch for ppc64/ppc64le
|
||||||
# it should be ppc64le-linux-gnu/ppc64-linux-gnu instead powerpc64le-linux-gnu/powerpc64-linux-gnu
|
# it should be ppc64le-linux-gnu/ppc64-linux-gnu instead powerpc64le-linux-gnu/powerpc64-linux-gnu
|
||||||
@ -706,9 +704,10 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en
|
|||||||
%patch207 -p1
|
%patch207 -p1
|
||||||
%patch208 -p1
|
%patch208 -p1
|
||||||
%patch209 -p1
|
%patch209 -p1
|
||||||
%patch210 -p1
|
%patch237 -p1
|
||||||
%patch211 -p1
|
%patch241 -p1
|
||||||
%patch242 -p1
|
%patch242 -p1
|
||||||
|
%patch243 -p1
|
||||||
|
|
||||||
# Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
|
# Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
|
||||||
# are many differences between 2.6 and the Python 3 library.
|
# are many differences between 2.6 and the Python 3 library.
|
||||||
@ -1613,6 +1612,10 @@ rm -fr %{buildroot}
|
|||||||
# ======================================================
|
# ======================================================
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Aug 09 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.5.1-15
|
||||||
|
- Fix for CVE-2016-1000110 HTTPoxy attack
|
||||||
|
- SPEC file cleanup
|
||||||
|
|
||||||
* Mon Aug 01 2016 Michal Toman <mtoman@fedoraproject.org> - 3.5.1-14
|
* Mon Aug 01 2016 Michal Toman <mtoman@fedoraproject.org> - 3.5.1-14
|
||||||
- Build properly on MIPS
|
- Build properly on MIPS
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user