poky/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch - openbmc/openbmc - Gitiles

 From b161c89c8bd66fe928192e21364678c8e9b8fcc0 Mon Sep 17 00:00:00 2001
 From: Dong-hee Na <donghee.na92@gmail.com>
 Date: Tue, 1 Oct 2019 19:58:01 +0900
 Subject: [PATCH] [2.7] bpo-38243: Escape the server title of DocXMLRPCServer
  (GH-16447)

 Escape the server title of DocXMLRPCServer.DocXMLRPCServer
 when rendering the document page as HTML.

 CVE: CVE-2019-16935

 Upstream-Status: Backport [https://github.com/python/cpython/pull/16447/commits/b41cde823d026f2adc21ef14b1c2e92b1006de06]

 Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
 ---
  Lib/DocXMLRPCServer.py                        | 13 +++++++++++-
  Lib/test/test_docxmlrpc.py                    | 20 +++++++++++++++++++
  .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst  |  3 +++
  3 files changed, 35 insertions(+), 1 deletion(-)
  create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst

 diff --git a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py
 index 4064ec2e48..90b037dd35 100644
 --- a/Lib/DocXMLRPCServer.py
 +++ b/Lib/DocXMLRPCServer.py
 @@ -20,6 +20,16 @@ from SimpleXMLRPCServer import (SimpleXMLRPCServer,
              CGIXMLRPCRequestHandler,
              resolve_dotted_attribute)

 +
 +def _html_escape_quote(s):
 +    s = s.replace("&", "&amp;") # Must be done first!
 +    s = s.replace("<", "&lt;")
 +    s = s.replace(">", "&gt;")
 +    s = s.replace('"', "&quot;")
 +    s = s.replace('\'', "&#x27;")
 +    return s
 +
 +
  class ServerHTMLDoc(pydoc.HTMLDoc):
      """Class used to generate pydoc HTML document for a server"""

 @@ -210,7 +220,8 @@ class XMLRPCDocGenerator:
                                  methods
                              )

 -        return documenter.page(self.server_title, documentation)
 +        title = _html_escape_quote(self.server_title)
 +        return documenter.page(title, documentation)

  class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
      """XML-RPC and documentation request handler class.
 diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py
 index 4dff4159e2..c45b892b8b 100644
 --- a/Lib/test/test_docxmlrpc.py
 +++ b/Lib/test/test_docxmlrpc.py
 @@ -1,5 +1,6 @@
  from DocXMLRPCServer import DocXMLRPCServer
  import httplib
 +import re
  import sys
  from test import test_support
  threading = test_support.import_module('threading')
 @@ -176,6 +177,25 @@ class DocXMLRPCHTTPGETServer(unittest.TestCase):
          self.assertIn("""Try&nbsp;self.<strong>add</strong>,&nbsp;too.""",
                        response.read())

 +    def test_server_title_escape(self):
 +        """Test that the server title and documentation
 +        are escaped for HTML.
 +        """
 +        self.serv.set_server_title('test_title<script>')
 +        self.serv.set_server_documentation('test_documentation<script>')
 +        self.assertEqual('test_title<script>', self.serv.server_title)
 +        self.assertEqual('test_documentation<script>',
 +                self.serv.server_documentation)
 +
 +        generated = self.serv.generate_html_documentation()
 +        title = re.search(r'<title>(.+?)</title>', generated).group()
 +        documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
 +        self.assertEqual('<title>Python: test_title&lt;script&gt;</title>',
 +                title)
 +        self.assertEqual('<p><tt>test_documentation&lt;script&gt;</tt></p>',
 +                documentation)
 +
 +
  def test_main():
      test_support.run_unittest(DocXMLRPCHTTPGETServer)

 diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
 new file mode 100644
 index 0000000000..8f02baed9e
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
 @@ -0,0 +1,3 @@
 +Escape the server title of :class:`DocXMLRPCServer.DocXMLRPCServer`
 +when rendering the document page as HTML.
 +(Contributed by Dong-hee Na in :issue:`38243`.)
 --
 2.17.1
	From b161c89c8bd66fe928192e21364678c8e9b8fcc0 Mon Sep 17 00:00:00 2001
	From: Dong-hee Na <donghee.na92@gmail.com>
	Date: Tue, 1 Oct 2019 19:58:01 +0900
	Subject: [PATCH] [2.7] bpo-38243: Escape the server title of DocXMLRPCServer
	(GH-16447)

	Escape the server title of DocXMLRPCServer.DocXMLRPCServer
	when rendering the document page as HTML.

	CVE: CVE-2019-16935

	Upstream-Status: Backport [https://github.com/python/cpython/pull/16447/commits/b41cde823d026f2adc21ef14b1c2e92b1006de06]

	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
	---
	Lib/DocXMLRPCServer.py \| 13 +++++++++++-
	Lib/test/test_docxmlrpc.py \| 20 +++++++++++++++++++
	.../2019-09-25-13-21-09.bpo-38243.1pfz24.rst \| 3 +++
	3 files changed, 35 insertions(+), 1 deletion(-)
	create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst

	diff --git a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py
	index 4064ec2e48..90b037dd35 100644
	--- a/Lib/DocXMLRPCServer.py
	+++ b/Lib/DocXMLRPCServer.py
	@@ -20,6 +20,16 @@ from SimpleXMLRPCServer import (SimpleXMLRPCServer,
	CGIXMLRPCRequestHandler,
	resolve_dotted_attribute)

	+
	+def _html_escape_quote(s):
	+ s = s.replace("&", "&") # Must be done first!
	+ s = s.replace("<", "<")
	+ s = s.replace(">", ">")
	+ s = s.replace('"', """)
	+ s = s.replace('\'', "'")
	+ return s
	+
	+
	class ServerHTMLDoc(pydoc.HTMLDoc):
	"""Class used to generate pydoc HTML document for a server"""

	@@ -210,7 +220,8 @@ class XMLRPCDocGenerator:
	methods
	)

	- return documenter.page(self.server_title, documentation)
	+ title = _html_escape_quote(self.server_title)
	+ return documenter.page(title, documentation)

	class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
	"""XML-RPC and documentation request handler class.
	diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py
	index 4dff4159e2..c45b892b8b 100644
	--- a/Lib/test/test_docxmlrpc.py
	+++ b/Lib/test/test_docxmlrpc.py
	@@ -1,5 +1,6 @@
	from DocXMLRPCServer import DocXMLRPCServer
	import httplib
	+import re
	import sys
	from test import test_support
	threading = test_support.import_module('threading')
	@@ -176,6 +177,25 @@ class DocXMLRPCHTTPGETServer(unittest.TestCase):
	self.assertIn("""Try self.<strong>add</strong>, too.""",
	response.read())

	+ def test_server_title_escape(self):
	+ """Test that the server title and documentation
	+ are escaped for HTML.
	+ """
	+ self.serv.set_server_title('test_title<script>')
	+ self.serv.set_server_documentation('test_documentation<script>')
	+ self.assertEqual('test_title<script>', self.serv.server_title)
	+ self.assertEqual('test_documentation<script>',
	+ self.serv.server_documentation)
	+
	+ generated = self.serv.generate_html_documentation()
	+ title = re.search(r'<title>(.+?)</title>', generated).group()
	+ documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
	+ self.assertEqual('<title>Python: test_title<script></title>',
	+ title)
	+ self.assertEqual('<p><tt>test_documentation<script></tt></p>',
	+ documentation)
	+
	+
	def test_main():
	test_support.run_unittest(DocXMLRPCHTTPGETServer)

	diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
	new file mode 100644
	index 0000000000..8f02baed9e
	--- /dev/null
	+++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
	@@ -0,0 +1,3 @@
	+Escape the server title of :class:`DocXMLRPCServer.DocXMLRPCServer`
	+when rendering the document page as HTML.
	+(Contributed by Dong-hee Na in :issue:`38243`.)
	--
	2.17.1