From a4a6691629c8c7e9e08d368612a0e05db1352c0c Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Jan 13 2021 16:20:48 +0000
Subject: import python2-2.7.18-2.module+el8.4.0+9193+f3daf6ef


---

diff --git a/SOURCES/00354-cve-2020-26116-http-request-method-crlf-injection-in-httplib.patch b/SOURCES/00354-cve-2020-26116-http-request-method-crlf-injection-in-httplib.patch
new file mode 100644
index 0000000..239c9cb
--- /dev/null
+++ b/SOURCES/00354-cve-2020-26116-http-request-method-crlf-injection-in-httplib.patch
@@ -0,0 +1,88 @@
+diff --git a/Lib/httplib.py b/Lib/httplib.py
+index fcc4152..a636774 100644
+--- a/Lib/httplib.py
++++ b/Lib/httplib.py
+@@ -257,6 +257,10 @@ _contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f-\xff]')
+ #  _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
+ # We are more lenient for assumed real world compatibility purposes.
+ 
++# These characters are not allowed within HTTP method names
++# to prevent http header injection.
++_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
++
+ # We always set the Content-Length header for these methods because some
+ # servers will otherwise respond with a 411
+ _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
+@@ -935,6 +939,8 @@ class HTTPConnection:
+         else:
+             raise CannotSendRequest()
+ 
++        self._validate_method(method)
++
+         # Save the method for use later in the response phase
+         self._method = method
+ 
+@@ -1020,6 +1026,16 @@ class HTTPConnection:
+         # On Python 2, request is already encoded (default)
+         return request
+ 
++    def _validate_method(self, method):
++        """Validate a method name for putrequest."""
++        # prevent http header injection
++        match = _contains_disallowed_method_pchar_re.search(method)
++        if match:
++            raise ValueError(
++                    "method can't contain control characters. %r "
++                    "(found at least %r)"
++                    % (method, match.group()))
++
+     def _validate_path(self, url):
+         """Validate a url for putrequest."""
+         # Prevent CVE-2019-9740.
+diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
+index d8a57f7..96a61dd 100644
+--- a/Lib/test/test_httplib.py
++++ b/Lib/test/test_httplib.py
+@@ -385,6 +385,29 @@ class HeaderTests(TestCase):
+                 conn.putheader(name, value)
+ 
+ 
++class HttpMethodTests(TestCase):
++    def test_invalid_method_names(self):
++        methods = (
++            'GET\r',
++            'POST\n',
++            'PUT\n\r',
++            'POST\nValue',
++            'POST\nHOST:abc',
++            'GET\nrHost:abc\n',
++            'POST\rRemainder:\r',
++            'GET\rHOST:\n',
++            '\nPUT'
++        )
++
++        for method in methods:
++            with self.assertRaisesRegexp(
++                    ValueError, "method can't contain control characters"):
++                conn = httplib.HTTPConnection('example.com')
++                conn.sock = FakeSocket(None)
++                conn.request(method=method, url="/")
++
++
++
+ class BasicTest(TestCase):
+     def test_status_lines(self):
+         # Test HTTP status lines
+@@ -1009,9 +1032,9 @@ class TunnelTests(TestCase):
+ 
+ @test_support.reap_threads
+ def test_main(verbose=None):
+-    test_support.run_unittest(HeaderTests, OfflineTest, BasicTest, TimeoutTest,
+-                              HTTPTest, HTTPSTest, SourceAddressTest,
+-                              TunnelTests)
++    test_support.run_unittest(HeaderTests, OfflineTest, HttpMethodTests,
++                              BasicTest, TimeoutTest, HTTPTest, HTTPSTest,
++                              SourceAddressTest, TunnelTests)
+ 
+ if __name__ == '__main__':
+     test_main()
diff --git a/SPECS/python2.spec b/SPECS/python2.spec
index 34527ab..09ff21a 100644
--- a/SPECS/python2.spec
+++ b/SPECS/python2.spec
@@ -104,7 +104,7 @@ Summary: An interpreted, interactive, object-oriented programming language
 Name: %{python}
 # Remember to also rebase python2-docs when changing this:
 Version: 2.7.18
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: Python
 Group: Development/Languages
 Requires: %{python}-libs%{?_isa} = %{version}-%{release}
@@ -702,6 +702,14 @@ Patch289: 00289-disable-nis-detection.patch
 # See: https://bugs.python.org/issue39017
 Patch351: 00351-cve-2019-20907-fix-infinite-loop-in-tarfile.patch
 
+# 00354 #
+# Reject control chars in HTTP method in httplib.putrequest to prevent
+# HTTP header injection
+#
+# Backported from Python 3.5-3.10 (and adjusted for py2's single-module httplib):
+# - https://bugs.python.org/issue39603
+Patch354: 00354-cve-2020-26116-http-request-method-crlf-injection-in-httplib.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python2" and "python3" in Fedora, EL, etc.,
@@ -1016,6 +1024,8 @@ rm Lib/ensurepip/_bundled/*.whl
 # Patch 351 adds binary file for testing. We need to apply it using Git.
 git apply %{PATCH351}
 
+%patch354 -p1
+
 # This shouldn't be necesarry, but is right now (2.2a3)
 find -name "*~" |xargs rm -f
 
@@ -1953,6 +1963,10 @@ fi
 # ======================================================
 
 %changelog
+* Fri Oct 09 2020 Charalampos Stratakis <cstratak@redhat.com> - 2.7.18-2
+- Security fix for CVE-2020-26116: Reject control chars in HTTP method in httplib.putrequest
+Resolves: rhbz#1883258
+
 * Fri Oct 09 2020 Charalampos Stratakis <cstratak@redhat.com> - 2.7.18-1
 - Update to 2.7.18
 Resolves: rhbz#1886754