summaryrefslogtreecommitdiff
path: root/meta
diff options
context:
space:
mode:
authorNitin A Kamble <nitin.a.kamble@intel.com>2011-07-19 15:42:48 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2011-07-22 11:50:42 +0100
commit43e7ec07065e58128819b0bb359358ce42628672 (patch)
treeafb5535655b2f8856e792d84841d92fdf67af6b7 /meta
parent482519c984a1b9da61b8b3cc97a6d28309b3192f (diff)
downloadopenembedded-core-43e7ec07065e58128819b0bb359358ce42628672.tar.gz
openembedded-core-43e7ec07065e58128819b0bb359358ce42628672.tar.bz2
openembedded-core-43e7ec07065e58128819b0bb359358ce42628672.zip
python: fix security vulnerability
This Fixes bug: [Yocto #1254] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1015 Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are now collapsed within the url properly before looking in cgi_directories. Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-devtools/python/python.inc2
-rw-r--r--meta/recipes-devtools/python/python/security_issue_2254_fix.patch184
-rw-r--r--meta/recipes-devtools/python/python_2.6.6.bb1
3 files changed, 186 insertions, 1 deletions
diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
index 25a458ef13..a6cc91789c 100644
--- a/meta/recipes-devtools/python/python.inc
+++ b/meta/recipes-devtools/python/python.inc
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.python.org"
LICENSE = "PSF"
SECTION = "devel/python"
# bump this on every change in contrib/python/generate-manifest-2.6.py
-INC_PR = "nk2"
+INC_PR = "r2"
DEFAULT_PREFERENCE = "-26"
diff --git a/meta/recipes-devtools/python/python/security_issue_2254_fix.patch b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch
new file mode 100644
index 0000000000..f0328585d5
--- /dev/null
+++ b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch
@@ -0,0 +1,184 @@
+Upstream-Status: Backport
+http://svn.python.org/view?view=revision&revision=71303
+
+Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are
+ now collapsed within the url properly before looking in cgi_directories.
+Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com>
+2011/07/19
+
+Index: Python-2.6.6/Lib/CGIHTTPServer.py
+===================================================================
+--- Python-2.6.6.orig/Lib/CGIHTTPServer.py
++++ Python-2.6.6/Lib/CGIHTTPServer.py
+@@ -70,27 +70,20 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
+ return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)
+
+ def is_cgi(self):
+- """Test whether self.path corresponds to a CGI script,
+- and return a boolean.
++ """Test whether self.path corresponds to a CGI script.
+
+- This function sets self.cgi_info to a tuple (dir, rest)
+- when it returns True, where dir is the directory part before
+- the CGI script name. Note that rest begins with a
+- slash if it is not empty.
+-
+- The default implementation tests whether the path
+- begins with one of the strings in the list
+- self.cgi_directories (and the next character is a '/'
+- or the end of the string).
++ Returns True and updates the cgi_info attribute to the tuple
++ (dir, rest) if self.path requires running a CGI script.
++ Returns False otherwise.
++
++ The default implementation tests whether the normalized url
++ path begins with one of the strings in self.cgi_directories
++ (and the next character is a '/' or the end of the string).
+ """
+-
+- path = self.path
+-
+- for x in self.cgi_directories:
+- i = len(x)
+- if path[:i] == x and (not path[i:] or path[i] == '/'):
+- self.cgi_info = path[:i], path[i+1:]
+- return True
++ splitpath = _url_collapse_path_split(self.path)
++ if splitpath[0] in self.cgi_directories:
++ self.cgi_info = splitpath
++ return True
+ return False
+
+ cgi_directories = ['/cgi-bin', '/htbin']
+@@ -299,6 +292,46 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
+ self.log_message("CGI script exited OK")
+
+
++# TODO(gregory.p.smith): Move this into an appropriate library.
++def _url_collapse_path_split(path):
++ """
++ Given a URL path, remove extra '/'s and '.' path elements and collapse
++ any '..' references.
++
++ Implements something akin to RFC-2396 5.2 step 6 to parse relative paths.
++
++ Returns: A tuple of (head, tail) where tail is everything after the final /
++ and head is everything before it. Head will always start with a '/' and,
++ if it contains anything else, never have a trailing '/'.
++
++ Raises: IndexError if too many '..' occur within the path.
++ """
++ # Similar to os.path.split(os.path.normpath(path)) but specific to URL
++ # path semantics rather than local operating system semantics.
++ path_parts = []
++ for part in path.split('/'):
++ if part == '.':
++ path_parts.append('')
++ else:
++ path_parts.append(part)
++ # Filter out blank non trailing parts before consuming the '..'.
++ path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:]
++ if path_parts:
++ tail_part = path_parts.pop()
++ else:
++ tail_part = ''
++ head_parts = []
++ for part in path_parts:
++ if part == '..':
++ head_parts.pop()
++ else:
++ head_parts.append(part)
++ if tail_part and tail_part == '..':
++ head_parts.pop()
++ tail_part = ''
++ return ('/' + '/'.join(head_parts), tail_part)
++
++
+ nobody = None
+
+ def nobody_uid():
+Index: Python-2.6.6/Lib/test/test_httpservers.py
+===================================================================
+--- Python-2.6.6.orig/Lib/test/test_httpservers.py
++++ Python-2.6.6/Lib/test/test_httpservers.py
+@@ -7,6 +7,7 @@ Josip Dzolonga, and Michael Otteneder fo
+ from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
+ from SimpleHTTPServer import SimpleHTTPRequestHandler
+ from CGIHTTPServer import CGIHTTPRequestHandler
++import CGIHTTPServer
+
+ import os
+ import sys
+@@ -324,6 +325,45 @@ class CGIHTTPServerTestCase(BaseTestCase
+ finally:
+ BaseTestCase.tearDown(self)
+
++ def test_url_collapse_path_split(self):
++ test_vectors = {
++ '': ('/', ''),
++ '..': IndexError,
++ '/.//..': IndexError,
++ '/': ('/', ''),
++ '//': ('/', ''),
++ '/\\': ('/', '\\'),
++ '/.//': ('/', ''),
++ 'cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
++ '/cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
++ 'a': ('/', 'a'),
++ '/a': ('/', 'a'),
++ '//a': ('/', 'a'),
++ './a': ('/', 'a'),
++ './C:/': ('/C:', ''),
++ '/a/b': ('/a', 'b'),
++ '/a/b/': ('/a/b', ''),
++ '/a/b/c/..': ('/a/b', ''),
++ '/a/b/c/../d': ('/a/b', 'd'),
++ '/a/b/c/../d/e/../f': ('/a/b/d', 'f'),
++ '/a/b/c/../d/e/../../f': ('/a/b', 'f'),
++ '/a/b/c/../d/e/.././././..//f': ('/a/b', 'f'),
++ '../a/b/c/../d/e/.././././..//f': IndexError,
++ '/a/b/c/../d/e/../../../f': ('/a', 'f'),
++ '/a/b/c/../d/e/../../../../f': ('/', 'f'),
++ '/a/b/c/../d/e/../../../../../f': IndexError,
++ '/a/b/c/../d/e/../../../../f/..': ('/', ''),
++ }
++ for path, expected in test_vectors.iteritems():
++ if isinstance(expected, type) and issubclass(expected, Exception):
++ self.assertRaises(expected,
++ CGIHTTPServer._url_collapse_path_split, path)
++ else:
++ actual = CGIHTTPServer._url_collapse_path_split(path)
++ self.assertEquals(expected, actual,
++ msg='path = %r\nGot: %r\nWanted: %r' % (
++ path, actual, expected))
++
+ def test_headers_and_content(self):
+ res = self.request('/cgi-bin/file1.py')
+ self.assertEquals(('Hello World\n', 'text/html', 200), \
+@@ -348,6 +388,12 @@ class CGIHTTPServerTestCase(BaseTestCase
+ self.assertEquals(('Hello World\n', 'text/html', 200), \
+ (res.read(), res.getheader('Content-type'), res.status))
+
++ def test_no_leading_slash(self):
++ # http://bugs.python.org/issue2254
++ res = self.request('cgi-bin/file1.py')
++ self.assertEquals(('Hello World\n', 'text/html', 200),
++ (res.read(), res.getheader('Content-type'), res.status))
++
+
+ def test_main(verbose=None):
+ cwd = os.getcwd()
+Index: Python-2.6.6/Misc/NEWS
+===================================================================
+--- Python-2.6.6.orig/Misc/NEWS
++++ Python-2.6.6/Misc/NEWS
+@@ -137,6 +137,9 @@ C-API
+ Library
+ -------
+
++- Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are
++ now collapsed within the url properly before looking in cgi_directories.
++
+ - Issue #8447: Make distutils.sysconfig follow symlinks in the path to
+ the interpreter executable. This fixes a failure of test_httpservers
+ on OS X.
diff --git a/meta/recipes-devtools/python/python_2.6.6.bb b/meta/recipes-devtools/python/python_2.6.6.bb
index 598fea8143..f71440a592 100644
--- a/meta/recipes-devtools/python/python_2.6.6.bb
+++ b/meta/recipes-devtools/python/python_2.6.6.bb
@@ -19,6 +19,7 @@ SRC_URI = "\
file://99-ignore-optimization-flag.patch \
${DISTRO_SRC_URI} \
file://multilib.patch \
+ file://security_issue_2254_fix.patch \
"
SRC_URI[md5sum] = "cf4e6881bb84a7ce6089e4a307f71f14"