Fix for CVE-2016-1000110 HTTPoxy attack

This commit is contained in:
Charalampos Stratakis 2016-08-09 14:27:26 +02:00
parent 8231a6035b
commit 4017ecdf5c
6 changed files with 144 additions and 41 deletions

View File

@ -0,0 +1,100 @@
# HG changeset patch
# User Senthil Kumaran <senthil@uthcode.com>
# Date 1469947146 25200
# Node ID a0ac52ed8f7918222603b584ec8fc93d9b7bc0a5
# Parent 4cb94e561e2db9865fb4d752f2bceefca4c6819a# Parent 3c19023c9fec5a615c25598468b44fade89049ce
[merge from 3.4] - Prevent HTTPoxy attack (CVE-2016-1000110)
Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
indicates that the script is in CGI mode.
Issue #27568 Reported and patch contributed by Rémi Rampin.
diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst
--- a/Doc/howto/urllib2.rst
+++ b/Doc/howto/urllib2.rst
@@ -538,6 +538,11 @@ setting up a `Basic Authentication`_ han
through a proxy. However, this can be enabled by extending urllib.request as
shown in the recipe [#]_.
+.. note::
+
+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
+ the documentation on :func:`~urllib.request.getproxies`.
+
Sockets and Layers
==================
diff --git a/Doc/library/urllib.request.rst b/Doc/library/urllib.request.rst
--- a/Doc/library/urllib.request.rst
+++ b/Doc/library/urllib.request.rst
@@ -166,6 +166,16 @@ The :mod:`urllib.request` module defines the following functions:
cannot find it, looks for proxy information from Mac OSX System
Configuration for Mac OS X and Windows Systems Registry for Windows.
+ .. note::
+
+ If the environment variable ``REQUEST_METHOD`` is set, which usually
+ indicates your script is running in a CGI environment, the environment
+ variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
+ because that variable can be injected by a client using the "Proxy:" HTTP
+ header. If you need to use an HTTP proxy in a CGI environment, either use
+ ``ProxyHandler`` explicitly, or make sure the variable name is in
+ lowercase (or at least the ``_proxy`` suffix).
+
The following classes are provided:
@@ -275,6 +285,12 @@ The following classes are provided:
To disable autodetected proxy pass an empty dictionary.
+ .. note::
+
+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
+ see the documentation on :func:`~urllib.request.getproxies`.
+
+
.. class:: HTTPPasswordMgr()
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
@@ -225,6 +225,18 @@ class ProxyTests(unittest.TestCase):
self.env.set('NO_PROXY', 'localhost, anotherdomain.com, newdomain.com')
self.assertTrue(urllib.request.proxy_bypass_environment('anotherdomain.com'))
+ def test_proxy_cgi_ignore(self):
+ try:
+ self.env.set('HTTP_PROXY', 'http://somewhere:3128')
+ proxies = urllib.request.getproxies_environment()
+ self.assertEqual('http://somewhere:3128', proxies['http'])
+ self.env.set('REQUEST_METHOD', 'GET')
+ proxies = urllib.request.getproxies_environment()
+ self.assertNotIn('http', proxies)
+ finally:
+ self.env.unset('REQUEST_METHOD')
+ self.env.unset('HTTP_PROXY')
+
class urlopen_HttpTests(unittest.TestCase, FakeHTTPMixin, FakeFTPMixin):
"""Test urlopen() opening a fake http connection."""
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -2394,6 +2394,12 @@ def getproxies_environment():
name = name.lower()
if value and name[-6:] == '_proxy':
proxies[name[:-6]] = value
+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
+ # header from the client
+ # If "proxy" is lowercase, it will still be used thanks to the next block
+ if 'REQUEST_METHOD' in os.environ:
+ proxies.pop('http', None)
return proxies
def proxy_bypass_environment(host):

View File

@ -140,7 +140,7 @@
Summary: Version 3 of the Python programming language aka Python 3000
Name: python3
Version: %{pybasever}.3
Release: 11%{?dist}
Release: 12%{?dist}
License: Python
Group: Development/Languages
@ -731,55 +731,53 @@ Patch203: 00203-disable-threading-test-koji.patch
Patch204: 00204-increase-dh-keys-size.patch
# 00209 #
# Fix test breakage with version 2.2.0 of Expat
# rhbz#1353918: https://bugzilla.redhat.com/show_bug.cgi?id=1353918
# FIXED UPSTREAM: http://bugs.python.org/issue27369
Patch209: 00209-fix-test-pyexpat-failure.patch
# 00237 #
# CVE-2016-0772 python: smtplib StartTLS stripping attack
# rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
# rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345
# FIXED UPSTREAM: https://hg.python.org/cpython/rev/d590114c2394
# Raise an error when STARTTLS fails
Patch237: 00237-Raise-an-error-when-STARTTLS-fails.patch
# 00238 #
# CVE-2016-5699 python: http protocol steam injection attack
# https://bugzilla.redhat.com/show_bug.cgi?id=1303699
# FIXED UPSTREAM: https://hg.python.org/cpython/rev/bf3e1c9b80e9
# Disabled HTTP header injections in http.client
# Resolves: rhbz#1331392
Patch238: 00238-Disabled-HTTP-header-injections-in-http-client.patch
# 00241 #
# CVE-2016-5636: http://seclists.org/oss-sec/2016/q2/560
# rhbz#1345859: https://bugzilla.redhat.com/show_bug.cgi?id=1345859
# https://hg.python.org/cpython/rev/10dad6da1b28/
# https://hg.python.org/cpython/rev/5533a9e02b21
# Fix possible integer overflow and heap corruption in zipimporter.get_data()
# FIXED UPSTREAM: https://bugs.python.org/issue26171
Patch209: 00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch
Patch241: 00241-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch
# 00210 #
# CVE-2016-0772 python: smtplib StartTLS stripping attack
# rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
# rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345
# FIXED UPSTREAM: https://hg.python.org/cpython/rev/d590114c2394
# Raise an error when STARTTLS fails
Patch210: 00210-Raise-an-error-when-STARTTLS-fails.patch
# 00211 #
# CVE-2016-5699 python: http protocol steam injection attack
# https://bugzilla.redhat.com/show_bug.cgi?id=1303699
# FIXED UPSTREAM: https://hg.python.org/cpython/rev/bf3e1c9b80e9
# Disabled HTTP header injections in http.client
# Resolves: rhbz#1331392
Patch211: 00211-Disabled-HTTP-header-injections-in-http-client.patch
# 00212 #
# Fix test breakage with version 2.2.0 of Expat
# rhbz#1353918: https://bugzilla.redhat.com/show_bug.cgi?id=1353918
# NOT YET FIXED UPSTREAM: http://bugs.python.org/issue27369
Patch212: 00212-fix-test-pyexpat-failure.patch
# 00242 #
# HTTPoxy attack (CVE-2016-1000110)
# https://httpoxy.org/
# FIXED UPSTREAM: http://bugs.python.org/issue27568
# Based on a patch by Rémi Rampin
# Resolves: rhbz#1359177
Patch242: 00242-CVE-2016-1000110-httpoxy.patch
# (New patches go here ^^^)
#
# When adding new patches to "python" and "python3" in Fedora 17 onwards,
# please try to keep the patch numbers in-sync between the two specfiles:
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
# please try to keep the patch numbers in-sync between all specfiles.
#
# - use the same patch number across both specfiles for conceptually-equivalent
# fixes, ideally with the same name
# More information, and a patch number catalog, is at:
#
# - when a patch is relevant to both specfiles, use the same introductory
# comment in both specfiles where possible (to improve "diff" output when
# comparing them)
#
# - when a patch is only relevant for one of the two specfiles, leave a gap
# in the patch numbering in the other specfile, adding a comment when
# omitting a patch, both in the manifest section here, and in the "prep"
# phase below
#
# Hopefully this will make it easier to ensure that all relevant fixes are
# applied to both versions.
# https://fedoraproject.org/wiki/SIGs/Python/PythonPatches
# This is the generated patch to "configure"; see the description of
# %{regenerate_autotooling_patch}
@ -1053,9 +1051,10 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en
%patch204 -p1
%patch209 -p1
%patch210 -p1
%patch211 -p1
%patch212 -p1
%patch237 -p1
%patch238 -p1
%patch241 -p1
%patch242 -p1
# Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
# are many differences between 2.6 and the Python 3 library.
@ -1950,6 +1949,10 @@ rm -fr %{buildroot}
# ======================================================
%changelog
* Tue Aug 09 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.4.3-12
- Fix for CVE-2016-1000110 HTTPoxy attack
- SPEC file cleanup
* Mon Jul 11 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.4.3-11
- Refactor patch for properly fixing CVE-2016-5636