Fix CVE-2014-4650 - CGIHTTPServer URL handling

Resolves: rhbz#1113529 Conflicts: python3.spec
2014-11-03 15:03:12 +01:00 · 2014-11-03 15:03:12 +01:00 · 899a2cefac
parent 0d23a9e8e7
commit 899a2cefac
2 changed files with 48 additions and 1 deletions
--- a/00197-fix-CVE-2014-4650.patch
+++ b/00197-fix-CVE-2014-4650.patch
@ -0,0 +1,34 @@
+# HG changeset patch
+# User Benjamin Peterson <benjamin@python.org>
+# Date 1402796473 25200
+# Node ID 847e288d6e93dba049c280f40979e16a1378d0f6
+# Parent  6f1f387759913d91cb307d2783b3a40c48fe7424# Parent  5676797f3a3eccaf38e2c500e77ed39c68923cc9
+merge 3.3 (#21766)
+
+diff --git a/Lib/http/server.py b/Lib/http/server.py
+--- a/Lib/http/server.py
+++ b/Lib/http/server.py
+@@ -977,7 +977,7 @@ class CGIHTTPRequestHandler(SimpleHTTPRe
+         (and the next character is a '/' or the end of the string).
+ 
+         """
+-        collapsed_path = _url_collapse_path(self.path)
+        collapsed_path = _url_collapse_path(urllib.parse.unquote(self.path))
+         dir_sep = collapsed_path.find('/', 1)
+         head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
+         if head in self.cgi_directories:
+diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
+--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
+@@ -485,6 +485,11 @@ class CGIHTTPServerTestCase(BaseTestCase
+                 (res.read(), res.getheader('Content-type'), res.status))
+         self.assertEqual(os.environ['SERVER_SOFTWARE'], signature)
+ 
+    def test_urlquote_decoding_in_cgi_check(self):
+        res = self.request('/cgi-bin%2ffile1.py')
+        self.assertEqual((b'Hello World\n', 'text/html', 200),
+                (res.read(), res.getheader('Content-type'), res.status))
+
+ 
+ class SocketlessRequestHandler(SimpleHTTPRequestHandler):
+     def __init__(self):
--- a/python3.spec
+++ b/python3.spec
@ -126,7 +126,7 @@
 Summary: Version 3 of the Python programming language aka Python 3000
 Name: python3
 Version: %{pybasever}.2
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: Python
 Group: Development/Languages

@ -634,6 +634,14 @@ Patch187: 00187-change-match_hostname-to-follow-RFC-6125.patch
 # rhbz#1112293
 Patch188: 00188-json-add-boundary-check.patch

+# 00197
+#
+# The CGIHTTPServer Python module did not properly handle URL-encoded
+# path separators in URLs. This may have enabled attackers to disclose a CGI
+# script's source code or execute arbitrary scripts in the server's
+# document root.
+Patch197: 00197-fix-CVE-2014-4650.patch
+

 # (New patches go here ^^^)
 #
@ -897,6 +905,7 @@ done
 %patch186 -p1
 %patch187 -p1
 %patch188 -p1
+%patch197 -p1

 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
 # are many differences between 2.6 and the Python 3 library.
@ -1744,6 +1753,10 @@ rm -fr %{buildroot}
 # ======================================================

 %changelog
+* Mon Nov 03 2014 Slavek Kabrda <bkabrda@redhat.com> - 3.3.2-18
+- Fix CVE-2014-4650 - CGIHTTPServer URL handling
+Resolves: rhbz#1113529
+
 * Mon Jun 30 2014 Matej Stuchlik <mstuchli@redhat.com> - 3.3.2-9
 - JSON module could read arbitrary process memory
 Resolves: rhbz#1112293