import-layers/yocto-poky/meta/recipes-devtools/python/python/python-fix-CVE-2016-1000110.patch - openbmc/openbmc - Gitiles

 From cb25fbd5abc0f4eb07dbb8ea819e9c26bda4fc99 Mon Sep 17 00:00:00 2001
 From: Senthil Kumaran <senthil@uthcode.com>
 Date: Sat, 30 Jul 2016 05:49:53 -0700
 Subject: [PATCH] python: fix CVE-2016-1000110
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 Prevent HTTPoxy attack (CVE-2016-1000110)

 Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
 indicates that the script is in CGI mode.

 Issue reported and patch contributed by Rémi Rampin.

 Backport patch from https://hg.python.org/cpython/rev/ba915d561667/

 Upstream-Status: Backport
 CVE: CVE-2016-1000110
 Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
 ---
  Doc/howto/urllib2.rst   |  5 +++++
  Doc/library/urllib.rst  | 10 ++++++++++
  Doc/library/urllib2.rst |  5 +++++
  Lib/test/test_urllib.py | 12 ++++++++++++
  Lib/urllib.py           |  9 +++++++++
  Misc/ACKS               |  1 +
  Misc/NEWS               |  4 ++++
  7 files changed, 46 insertions(+)

 diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst
 index 6bb06d4..5cf2c0c 100644
 --- a/Doc/howto/urllib2.rst
 +++ b/Doc/howto/urllib2.rst
 @@ -525,6 +525,11 @@ setting up a `Basic Authentication`_ handler: ::
      through a proxy.  However, this can be enabled by extending urllib2 as
      shown in the recipe [#]_.

 +.. note::
 +
 +    ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
 +    the documentation on :func:`~urllib.getproxies`.
 +

  Sockets and Layers
  ==================
 diff --git a/Doc/library/urllib.rst b/Doc/library/urllib.rst
 index 3b5dc16..bddcba9 100644
 --- a/Doc/library/urllib.rst
 +++ b/Doc/library/urllib.rst
 @@ -295,6 +295,16 @@ Utility functions
     If both lowercase and uppercase environment variables exist (and disagree),
     lowercase is preferred.

 +    .. note::
 +
 +        If the environment variable ``REQUEST_METHOD`` is set, which usually
 +        indicates your script is running in a CGI environment, the environment
 +        variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
 +        because that variable can be injected by a client using the "Proxy:"
 +        HTTP header. If you need to use an HTTP proxy in a CGI environment,
 +        either use ``ProxyHandler`` explicitly, or make sure the variable name
 +        is in lowercase (or at least the ``_proxy`` suffix).
 +
  .. note::
      urllib also exposes certain utility functions like splittype, splithost and
      others parsing URL into various components. But it is recommended to use
 diff --git a/Doc/library/urllib2.rst b/Doc/library/urllib2.rst
 index 8a4c80e..b808b98 100644
 --- a/Doc/library/urllib2.rst
 +++ b/Doc/library/urllib2.rst
 @@ -229,6 +229,11 @@ The following classes are provided:

     To disable autodetected proxy pass an empty dictionary.

 +    .. note::
 +
 +       ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
 +       see the documentation on :func:`~urllib.getproxies`.
 +

  .. class:: HTTPPasswordMgr()

 diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
 index 434d533..27a1d38 100644
 --- a/Lib/test/test_urllib.py
 +++ b/Lib/test/test_urllib.py
 @@ -170,6 +170,18 @@ class ProxyTests(unittest.TestCase):
          self.assertTrue(urllib.proxy_bypass_environment('anotherdomain.com:8888'))
          self.assertTrue(urllib.proxy_bypass_environment('newdomain.com:1234'))

 +    def test_proxy_cgi_ignore(self):
 +        try:
 +            self.env.set('HTTP_PROXY', 'http://somewhere:3128')
 +            proxies = urllib.getproxies_environment()
 +            self.assertEqual('http://somewhere:3128', proxies['http'])
 +            self.env.set('REQUEST_METHOD', 'GET')
 +            proxies = urllib.getproxies_environment()
 +            self.assertNotIn('http', proxies)
 +        finally:
 +            self.env.unset('REQUEST_METHOD')
 +            self.env.unset('HTTP_PROXY')
 +
      def test_proxy_bypass_environment_host_match(self):
          bypass = urllib.proxy_bypass_environment
          self.env.set('NO_PROXY',
 diff --git a/Lib/urllib.py b/Lib/urllib.py
 index 139fab9..c3ba2c9 100644
 --- a/Lib/urllib.py
 +++ b/Lib/urllib.py
 @@ -1380,12 +1380,21 @@ def getproxies_environment():
      If you need a different way, you can pass a proxies dictionary to the
      [Fancy]URLopener constructor.
      """
 +    # Get all variables
      proxies = {}
      for name, value in os.environ.items():
          name = name.lower()
          if value and name[-6:] == '_proxy':
              proxies[name[:-6]] = value

 +    # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
 +    # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
 +    # header from the client
 +    # If "proxy" is lowercase, it will still be used thanks to the next block
 +    if 'REQUEST_METHOD' in os.environ:
 +        proxies.pop('http', None)
 +
 +    # Get lowercase variables
      for name, value in os.environ.items():
          if name[-6:] == '_proxy':
              name = name.lower()
 diff --git a/Misc/ACKS b/Misc/ACKS
 index ee3a465..9c374b7 100644
 --- a/Misc/ACKS
 +++ b/Misc/ACKS
 @@ -1121,6 +1121,7 @@ Burton Radons
  Jeff Ramnani
  Varpu Rantala
  Brodie Rao
 +Rémi Rampin
  Senko Rasic
  Antti Rasinen
  Nikolaus Rath
 diff --git a/Misc/NEWS b/Misc/NEWS
 index 4ab3a70..cc2f65b 100644
 --- a/Misc/NEWS
 +++ b/Misc/NEWS
 @@ -187,6 +187,10 @@ Library
  - Issue #26644: Raise ValueError rather than SystemError when a negative
    length is passed to SSLSocket.recv() or read().

 +- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
 +  HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
 +  that the script is in CGI mode.
 +
  - Issue #23804: Fix SSL recv(0) and read(0) methods to return zero bytes
    instead of up to 1024.

 --
 2.8.1
	From cb25fbd5abc0f4eb07dbb8ea819e9c26bda4fc99 Mon Sep 17 00:00:00 2001
	From: Senthil Kumaran <senthil@uthcode.com>
	Date: Sat, 30 Jul 2016 05:49:53 -0700
	Subject: [PATCH] python: fix CVE-2016-1000110
	MIME-Version: 1.0
	Content-Type: text/plain; charset=UTF-8
	Content-Transfer-Encoding: 8bit

	Prevent HTTPoxy attack (CVE-2016-1000110)

	Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
	indicates that the script is in CGI mode.

	Issue reported and patch contributed by Rémi Rampin.

	Backport patch from https://hg.python.org/cpython/rev/ba915d561667/

	Upstream-Status: Backport
	CVE: CVE-2016-1000110
	Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
	---
	Doc/howto/urllib2.rst \| 5 +++++
	Doc/library/urllib.rst \| 10 ++++++++++
	Doc/library/urllib2.rst \| 5 +++++
	Lib/test/test_urllib.py \| 12 ++++++++++++
	Lib/urllib.py \| 9 +++++++++
	Misc/ACKS \| 1 +
	Misc/NEWS \| 4 ++++
	7 files changed, 46 insertions(+)

	diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst
	index 6bb06d4..5cf2c0c 100644
	--- a/Doc/howto/urllib2.rst
	+++ b/Doc/howto/urllib2.rst
	@@ -525,6 +525,11 @@ setting up a `Basic Authentication`_ handler: ::
	through a proxy. However, this can be enabled by extending urllib2 as
	shown in the recipe [#]_.

	+.. note::
	+
	+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
	+ the documentation on :func:`~urllib.getproxies`.
	+

	Sockets and Layers
	==================
	diff --git a/Doc/library/urllib.rst b/Doc/library/urllib.rst
	index 3b5dc16..bddcba9 100644
	--- a/Doc/library/urllib.rst
	+++ b/Doc/library/urllib.rst
	@@ -295,6 +295,16 @@ Utility functions
	If both lowercase and uppercase environment variables exist (and disagree),
	lowercase is preferred.

	+ .. note::
	+
	+ If the environment variable ``REQUEST_METHOD`` is set, which usually
	+ indicates your script is running in a CGI environment, the environment
	+ variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
	+ because that variable can be injected by a client using the "Proxy:"
	+ HTTP header. If you need to use an HTTP proxy in a CGI environment,
	+ either use ``ProxyHandler`` explicitly, or make sure the variable name
	+ is in lowercase (or at least the ``_proxy`` suffix).
	+
	.. note::
	urllib also exposes certain utility functions like splittype, splithost and
	others parsing URL into various components. But it is recommended to use
	diff --git a/Doc/library/urllib2.rst b/Doc/library/urllib2.rst
	index 8a4c80e..b808b98 100644
	--- a/Doc/library/urllib2.rst
	+++ b/Doc/library/urllib2.rst
	@@ -229,6 +229,11 @@ The following classes are provided:

	To disable autodetected proxy pass an empty dictionary.

	+ .. note::
	+
	+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
	+ see the documentation on :func:`~urllib.getproxies`.
	+

	.. class:: HTTPPasswordMgr()

	diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
	index 434d533..27a1d38 100644
	--- a/Lib/test/test_urllib.py
	+++ b/Lib/test/test_urllib.py
	@@ -170,6 +170,18 @@ class ProxyTests(unittest.TestCase):
	self.assertTrue(urllib.proxy_bypass_environment('anotherdomain.com:8888'))
	self.assertTrue(urllib.proxy_bypass_environment('newdomain.com:1234'))

	+ def test_proxy_cgi_ignore(self):
	+ try:
	+ self.env.set('HTTP_PROXY', 'http://somewhere:3128')
	+ proxies = urllib.getproxies_environment()
	+ self.assertEqual('http://somewhere:3128', proxies['http'])
	+ self.env.set('REQUEST_METHOD', 'GET')
	+ proxies = urllib.getproxies_environment()
	+ self.assertNotIn('http', proxies)
	+ finally:
	+ self.env.unset('REQUEST_METHOD')
	+ self.env.unset('HTTP_PROXY')
	+
	def test_proxy_bypass_environment_host_match(self):
	bypass = urllib.proxy_bypass_environment
	self.env.set('NO_PROXY',
	diff --git a/Lib/urllib.py b/Lib/urllib.py
	index 139fab9..c3ba2c9 100644
	--- a/Lib/urllib.py
	+++ b/Lib/urllib.py
	@@ -1380,12 +1380,21 @@ def getproxies_environment():
	If you need a different way, you can pass a proxies dictionary to the
	[Fancy]URLopener constructor.
	"""
	+ # Get all variables
	proxies = {}
	for name, value in os.environ.items():
	name = name.lower()
	if value and name[-6:] == '_proxy':
	proxies[name[:-6]] = value

	+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
	+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
	+ # header from the client
	+ # If "proxy" is lowercase, it will still be used thanks to the next block
	+ if 'REQUEST_METHOD' in os.environ:
	+ proxies.pop('http', None)
	+
	+ # Get lowercase variables
	for name, value in os.environ.items():
	if name[-6:] == '_proxy':
	name = name.lower()
	diff --git a/Misc/ACKS b/Misc/ACKS
	index ee3a465..9c374b7 100644
	--- a/Misc/ACKS
	+++ b/Misc/ACKS
	@@ -1121,6 +1121,7 @@ Burton Radons
	Jeff Ramnani
	Varpu Rantala
	Brodie Rao
	+Rémi Rampin
	Senko Rasic
	Antti Rasinen
	Nikolaus Rath
	diff --git a/Misc/NEWS b/Misc/NEWS
	index 4ab3a70..cc2f65b 100644
	--- a/Misc/NEWS
	+++ b/Misc/NEWS
	@@ -187,6 +187,10 @@ Library
	- Issue #26644: Raise ValueError rather than SystemError when a negative
	length is passed to SSLSocket.recv() or read().

	+- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
	+ HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
	+ that the script is in CGI mode.
	+
	- Issue #23804: Fix SSL recv(0) and read(0) methods to return zero bytes
	instead of up to 1024.

	--
	2.8.1