CVS commit: pkgsrc/lang/python27
Module Name: pkgsrc
Committed By: gutteridge
Date: Mon May 29 23:33:48 UTC 2023
Modified Files:
pkgsrc/lang/python27: Makefile distinfo
pkgsrc/lang/python27/patches: patch-Lib_test_test__urlparse.py
patch-Lib_urlparse.py
Log Message:
python27: add backported security fix for CVE-2023-24329
To generate a diff of this commit:
cvs rdiff -u -r1.105 -r1.106 pkgsrc/lang/python27/Makefile
cvs rdiff -u -r1.92 -r1.93 pkgsrc/lang/python27/distinfo
cvs rdiff -u -r1.2 -r1.3 \
pkgsrc/lang/python27/patches/patch-Lib_test_test__urlparse.py
cvs rdiff -u -r1.3 -r1.4 pkgsrc/lang/python27/patches/patch-Lib_urlparse.py
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/lang/python27/Makefile
diff -u pkgsrc/lang/python27/Makefile:1.105 pkgsrc/lang/python27/Makefile:1.106
--- pkgsrc/lang/python27/Makefile:1.105 Sun Jan 8 00:54:29 2023
+++ pkgsrc/lang/python27/Makefile Mon May 29 23:33:48 2023
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.105 2023/01/08 00:54:29 gutteridge Exp $
+# $NetBSD: Makefile,v 1.106 2023/05/29 23:33:48 gutteridge Exp $
.include "dist.mk"
PKGNAME= python27-${PY_DISTVERSION}
-PKGREVISION= 10
+PKGREVISION= 11
CATEGORIES= lang python
MAINTAINER= pkgsrc-users%NetBSD.org@localhost
Index: pkgsrc/lang/python27/distinfo
diff -u pkgsrc/lang/python27/distinfo:1.92 pkgsrc/lang/python27/distinfo:1.93
--- pkgsrc/lang/python27/distinfo:1.92 Sun Jan 8 00:54:29 2023
+++ pkgsrc/lang/python27/distinfo Mon May 29 23:33:48 2023
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.92 2023/01/08 00:54:29 gutteridge Exp $
+$NetBSD: distinfo,v 1.93 2023/05/29 23:33:48 gutteridge Exp $
BLAKE2s (Python-2.7.18.tar.xz) = 1b673ec8c9362a178e044691392bc4f67ad13457d7fddd84a88de346f23f9812
SHA512 (Python-2.7.18.tar.xz) = a7bb62b51f48ff0b6df0b18f5b0312a523e3110f49c3237936bfe56ed0e26838c0274ff5401bda6fc21bf24337477ccac49e8026c5d651e4b4cafb5eb5086f6c
@@ -39,9 +39,9 @@ SHA1 (patch-Lib_test_test__mailcap.py) =
SHA1 (patch-Lib_test_test__platform.py) = 3a3b8c05f9bf9adf4862b1022ce864127d36b8b0
SHA1 (patch-Lib_test_test__unicode.py) = 1bd182bdbd880d0a847f9d8b69277a607f9f0526
SHA1 (patch-Lib_test_test__urllib2.py) = 89baa57daf2f3282e4fc5009915dbc4910b96ef1
-SHA1 (patch-Lib_test_test__urlparse.py) = d98df667a34eebb994fe1d54a1decb8359df897e
+SHA1 (patch-Lib_test_test__urlparse.py) = d656a6b3fd672633182a2cfd32b2495eac382f3c
SHA1 (patch-Lib_urllib2.py) = 0cc0dc811bb9544496962e08b040b5c96fb9073c
-SHA1 (patch-Lib_urlparse.py) = 1f102bb85acd99a8be976f9d5b0fdb1a7abf5725
+SHA1 (patch-Lib_urlparse.py) = 09c355c7df32a0f705f246aa81538ab7770c55e2
SHA1 (patch-Mac_Tools_pythonw.c) = 2b9a60d4b349c240471fd305be69c28e0f654cdc
SHA1 (patch-Makefile.pre.in) = ceaf34237588b527478ce1f9163c9168382fa201
SHA1 (patch-Modules___ctypes_callbacks.c) = 8c335edfc9d2ef47988c5bdf1c3dd8473757637b
Index: pkgsrc/lang/python27/patches/patch-Lib_test_test__urlparse.py
diff -u pkgsrc/lang/python27/patches/patch-Lib_test_test__urlparse.py:1.2 pkgsrc/lang/python27/patches/patch-Lib_test_test__urlparse.py:1.3
--- pkgsrc/lang/python27/patches/patch-Lib_test_test__urlparse.py:1.2 Fri Feb 25 22:41:32 2022
+++ pkgsrc/lang/python27/patches/patch-Lib_test_test__urlparse.py Mon May 29 23:33:48 2023
@@ -1,4 +1,4 @@
-$NetBSD: patch-Lib_test_test__urlparse.py,v 1.2 2022/02/25 22:41:32 gutteridge Exp $
+$NetBSD: patch-Lib_test_test__urlparse.py,v 1.3 2023/05/29 23:33:48 gutteridge Exp $
Fix CVE-2021-23336: Add `separator` argument to parse_qs; warn with default
Via Fedora:
@@ -8,6 +8,10 @@ Fix CVE-2022-0391: urlparse does not san
Via Fedora:
https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00377-CVE-2022-0391.patch
+Fix CVE-2023-24329: Add more sanitizing to respect the "Remove any leading C0 control or space from input" rule
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/c/3f00cdccd59ef2955a7f4b4c42bb59c631cce4c1.patch
+
--- Lib/test/test_urlparse.py.orig 2020-04-19 21:13:39.000000000 +0000
+++ Lib/test/test_urlparse.py
@@ -3,6 +3,12 @@ import sys
@@ -134,7 +138,7 @@ https://src.fedoraproject.org/rpms/pytho
def test_roundtrips(self):
testcases = [
('file:///tmp/junk.txt',
-@@ -544,6 +618,55 @@ class UrlParseTestCase(unittest.TestCase
+@@ -544,6 +618,112 @@ class UrlParseTestCase(unittest.TestCase
self.assertEqual(p1.path, '863-1234')
self.assertEqual(p1.params, 'phone-context=+1-914-555')
@@ -186,11 +190,68 @@ https://src.fedoraproject.org/rpms/pytho
+ self.assertEqual(p.scheme, "https")
+ self.assertEqual(p.geturl(), "https://www.python.org/javascript:alert('msg')/?query=something#fragment")
+
++ def test_urlsplit_strip_url(self):
++ noise = "".join([chr(i) for i in range(0, 0x20 + 1)])
++ base_url = "http://User:Pass%www.python.org@localhost:080/doc/?query=yes#frag"
+
++ url = noise.decode("utf-8") + base_url
++ p = urlparse.urlsplit(url)
++ self.assertEqual(p.scheme, "http")
++ self.assertEqual(p.netloc, "User:Pass%www.python.org@localhost:080")
++ self.assertEqual(p.path, "/doc/")
++ self.assertEqual(p.query, "query=yes")
++ self.assertEqual(p.fragment, "frag")
++ self.assertEqual(p.username, "User")
++ self.assertEqual(p.password, "Pass")
++ self.assertEqual(p.hostname, "www.python.org")
++ self.assertEqual(p.port, 80)
++ self.assertEqual(p.geturl(), base_url)
++
++ url = noise + base_url.encode("utf-8")
++ p = urlparse.urlsplit(url)
++ self.assertEqual(p.scheme, b"http")
++ self.assertEqual(p.netloc, b"User:Pass%www.python.org@localhost:080")
++ self.assertEqual(p.path, b"/doc/")
++ self.assertEqual(p.query, b"query=yes")
++ self.assertEqual(p.fragment, b"frag")
++ self.assertEqual(p.username, b"User")
++ self.assertEqual(p.password, b"Pass")
++ self.assertEqual(p.hostname, b"www.python.org")
++ self.assertEqual(p.port, 80)
++ self.assertEqual(p.geturl(), base_url.encode("utf-8"))
++
++ # Test that trailing space is preserved as some applications rely on
++ # this within query strings.
++ query_spaces_url = "https://www.python.org:88/doc/?query= "
++ p = urlparse.urlsplit(noise.decode("utf-8") + query_spaces_url)
++ self.assertEqual(p.scheme, "https")
++ self.assertEqual(p.netloc, "www.python.org:88")
++ self.assertEqual(p.path, "/doc/")
++ self.assertEqual(p.query, "query= ")
++ self.assertEqual(p.port, 88)
++ self.assertEqual(p.geturl(), query_spaces_url)
++
++ p = urlparse.urlsplit("www.pypi.org ")
++ # That "hostname" gets considered a "path" due to the
++ # trailing space and our existing logic... YUCK...
++ # and re-assembles via geturl aka unurlsplit into the original.
++ # django.core.validators.URLValidator (at least through v3.2) relies on
++ # this, for better or worse, to catch it in a ValidationError via its
++ # regular expressions.
++ # Here we test the basic round trip concept of such a trailing space.
++ self.assertEqual(urlparse.urlunsplit(p), "www.pypi.org ")
++
++ # with scheme as cache-key
++ url = "//www.python.org/"
++ scheme = noise.decode("utf-8") + "https" + noise.decode("utf-8")
++ for _ in range(2):
++ p = urlparse.urlsplit(url, scheme=scheme)
++ self.assertEqual(p.scheme, "https")
++ self.assertEqual(p.geturl(), "https://www.python.org/")
def test_attributes_bad_port(self):
"""Check handling of non-integer ports."""
-@@ -626,6 +749,132 @@ class UrlParseTestCase(unittest.TestCase
+@@ -626,6 +806,132 @@ class UrlParseTestCase(unittest.TestCase
self.assertEqual(urlparse.urlparse("http://www.python.org:80"),
('http','www.python.org:80','','','',''))
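Review bot: The new `test_urlsplit_strip_url` (complete within this hunk) exercises leading-noise stripping only through `urlparse.urlsplit`; nothing pins the same behaviour at the `urlparse.urlparse` entry point, which is what most callers use, so a regression in how that function reaches the stripping code would go unnoticed. A one-line check in the text case, `self.assertEqual(urlparse.urlparse(noise.decode("utf-8") + base_url).scheme, "http")`, would cover it; the same applies to the bytes case. The trailing-space cases are worth keeping as they are, since the comment at the `www.pypi.org ` check explains why trailing space must survive. The hunk header changes (`+618,112`, `+806,132`) are consistent with the added block and need no attention.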
Index: pkgsrc/lang/python27/patches/patch-Lib_urlparse.py
diff -u pkgsrc/lang/python27/patches/patch-Lib_urlparse.py:1.3 pkgsrc/lang/python27/patches/patch-Lib_urlparse.py:1.4
--- pkgsrc/lang/python27/patches/patch-Lib_urlparse.py:1.3 Fri Feb 25 22:41:32 2022
+++ pkgsrc/lang/python27/patches/patch-Lib_urlparse.py Mon May 29 23:33:48 2023
@@ -1,4 +1,4 @@
-$NetBSD: patch-Lib_urlparse.py,v 1.3 2022/02/25 22:41:32 gutteridge Exp $
+$NetBSD: patch-Lib_urlparse.py,v 1.4 2023/05/29 23:33:48 gutteridge Exp $
Fix CVE-2021-23336: Add `separator` argument to parse_qs; warn with default
Via Fedora:
@@ -8,9 +8,20 @@ Fix CVE-2022-0391: urlparse does not san
Via Fedora:
https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00377-CVE-2022-0391.patch
+Fix CVE-2023-24329: Add more sanitizing to respect the "Remove any leading C0 control or space from input" rule
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/c/3f00cdccd59ef2955a7f4b4c42bb59c631cce4c1.patch
+
--- Lib/urlparse.py.orig 2020-04-19 21:13:39.000000000 +0000
+++ Lib/urlparse.py
-@@ -29,6 +29,7 @@ test_urlparse.py provides a good indicat
+@@ -26,9 +26,14 @@ scenarios for parsing, and for backward
+ parsing quirks from older RFCs are retained. The testcases in
+ test_urlparse.py provides a good indicator of parsing behavior.
+
++The WHATWG URL Parser spec should also be considered. We are not compliant with
++it either due to existing user code API behavior expectations (Hyrum's Law).
++It serves as a useful guide when making changes.
++
"""
import re
@@ -18,17 +29,21 @@ https://src.fedoraproject.org/rpms/pytho
__all__ = ["urlparse", "urlunparse", "urljoin", "urldefrag",
"urlsplit", "urlunsplit", "parse_qs", "parse_qsl"]
-@@ -62,6 +63,9 @@ scheme_chars = ('abcdefghijklmnopqrstuvw
+@@ -62,6 +67,13 @@ scheme_chars = ('abcdefghijklmnopqrstuvw
'0123456789'
'+-.')
++# Leading and trailing C0 control and space to be stripped per WHATWG spec.
++# == "".join([chr(i) for i in range(0, 0x20 + 1)])
++_WHATWG_C0_CONTROL_OR_SPACE = '\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f '
++
+# Unsafe bytes to be removed per WHATWG spec
+_UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r', '\n']
+
MAX_CACHE_SIZE = 20
_parse_cache = {}
-@@ -184,12 +188,19 @@ def _checknetloc(netloc):
+@@ -184,12 +196,21 @@ def _checknetloc(netloc):
"under NFKC normalization"
% netloc)
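Review bot: The comment on the new `_WHATWG_C0_CONTROL_OR_SPACE` constant says "Leading and trailing C0 control and space to be stripped", but the next hunk applies it asymmetrically: `url = url.lstrip(_WHATWG_C0_CONTROL_OR_SPACE)` removes leading characters only, while `scheme = scheme.strip(_WHATWG_C0_CONTROL_OR_SPACE)` strips both sides. The asymmetry is deliberate (the test file's "Test that trailing space is preserved" case depends on it), so the comment should state the actual contract rather than the spec's general rule, e.g. `# C0 control and space characters per WHATWG. Stripped from the front of the URL only (trailing ones are kept for compatibility) and from both ends of the scheme.` The `# == "".join(...)` line is a useful cross-check and should stay. Both strips happen before `key = url, scheme, ...` is built, so the parse cache is keyed on the sanitized values, which is the right order.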
@@ -45,10 +60,12 @@ https://src.fedoraproject.org/rpms/pytho
(e.g. netloc is a single string) and we don't expand % escapes."""
+ url = _remove_unsafe_bytes_from_url(url)
+ scheme = _remove_unsafe_bytes_from_url(scheme)
++ url = url.lstrip(_WHATWG_C0_CONTROL_OR_SPACE)
++ scheme = scheme.strip(_WHATWG_C0_CONTROL_OR_SPACE)
allow_fragments = bool(allow_fragments)
key = url, scheme, allow_fragments, type(url), type(scheme)
cached = _parse_cache.get(key, None)
-@@ -382,7 +393,8 @@ def unquote(s):
+@@ -382,7 +403,8 @@ def unquote(s):
append(item)
return ''.join(res)
@@ -58,7 +75,7 @@ https://src.fedoraproject.org/rpms/pytho
"""Parse a query given as a string argument.
Arguments:
-@@ -405,14 +417,23 @@ def parse_qs(qs, keep_blank_values=0, st
+@@ -405,14 +427,23 @@ def parse_qs(qs, keep_blank_values=0, st
"""
dict = {}
for name, value in parse_qsl(qs, keep_blank_values, strict_parsing,
@@ -84,7 +101,7 @@ https://src.fedoraproject.org/rpms/pytho
"""Parse a query given as a string argument.
Arguments:
-@@ -434,15 +455,72 @@ def parse_qsl(qs, keep_blank_values=0, s
+@@ -434,15 +465,72 @@ def parse_qsl(qs, keep_blank_values=0, s
Returns a list, as G-d intended.
"""