Fix CVE-2014-4650 - CGIHTTPServer URL handling

Resolves: rhbz#1113529
2014-11-03 15:03:12 +01:00 · 2014-11-03 15:03:12 +01:00 · e0539fb2e7
parent 8d54999cc4
commit e0539fb2e7
2 changed files with 49 additions and 2 deletions
--- a/00197-fix-CVE-2014-4650.patch
+++ b/00197-fix-CVE-2014-4650.patch
@ -0,0 +1,34 @@
+# HG changeset patch
+# User Benjamin Peterson <benjamin@python.org>
+# Date 1402796473 25200
+# Node ID 847e288d6e93dba049c280f40979e16a1378d0f6
+# Parent  6f1f387759913d91cb307d2783b3a40c48fe7424# Parent  5676797f3a3eccaf38e2c500e77ed39c68923cc9
+merge 3.3 (#21766)
+
+diff --git a/Lib/http/server.py b/Lib/http/server.py
+--- a/Lib/http/server.py
+++ b/Lib/http/server.py
+@@ -977,7 +977,7 @@ class CGIHTTPRequestHandler(SimpleHTTPRe
+         (and the next character is a '/' or the end of the string).
+ 
+         """
+-        collapsed_path = _url_collapse_path(self.path)
+        collapsed_path = _url_collapse_path(urllib.parse.unquote(self.path))
+         dir_sep = collapsed_path.find('/', 1)
+         head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
+         if head in self.cgi_directories:
+diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
+--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
+@@ -485,6 +485,11 @@ class CGIHTTPServerTestCase(BaseTestCase
+                 (res.read(), res.getheader('Content-type'), res.status))
+         self.assertEqual(os.environ['SERVER_SOFTWARE'], signature)
+ 
+    def test_urlquote_decoding_in_cgi_check(self):
+        res = self.request('/cgi-bin%2ffile1.py')
+        self.assertEqual((b'Hello World\n', 'text/html', 200),
+                (res.read(), res.getheader('Content-type'), res.status))
+
+ 
+ class SocketlessRequestHandler(SimpleHTTPRequestHandler):
+     def __init__(self):
--- a/python3.spec
+++ b/python3.spec
@ -140,7 +140,7 @@
 Summary: Version 3 of the Python programming language aka Python 3000
 Name: python3
 Version: %{pybasever}.1
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: Python
 Group: Development/Languages

@ -689,6 +689,14 @@ Patch195: 00195-dont-add-Werror-declaration-after-statement.patch
 #  Fix test_gdb failure on ppc64le
 Patch196: 00196-test-gdb-match-addr-before-builtin.patch

+# 00197
+#
+# The CGIHTTPServer Python module did not properly handle URL-encoded
+# path separators in URLs. This may have enabled attackers to disclose a CGI
+# script's source code or execute arbitrary scripts in the server's
+# document root.
+Patch197: 00197-fix-CVE-2014-4650.patch
+

 # (New patches go here ^^^)
 #
@ -967,6 +975,7 @@ done
 %patch194 -p1
 %patch195 -p1
 %patch196 -p1
+%patch197 -p1

 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
 # are many differences between 2.6 and the Python 3 library.
@ -1856,7 +1865,11 @@ rm -fr %{buildroot}
 # ======================================================

 %changelog
-* Sun Sep 07 2014 Karsten Hopp <karsten@redhat.com> .1-15
+* Mon Nov 03 2014 Slavek Kabrda <bkabrda@redhat.com> - 3.4.1-16
+- Fix CVE-2014-4650 - CGIHTTPServer URL handling
+Resolves: rhbz#1113529
+
+* Sun Sep 07 2014 Karsten Hopp <karsten@redhat.com> 3.4.1-15
 - exclude test_gdb on ppc* (rhbz#1132488)

 * Thu Aug 21 2014 Slavek Kabrda <bkabrda@redhat.com> - 3.4.1-14