diff --git a/SOURCES/00354-cve-2020-26116-http-request-method-crlf-injection-in-httplib.patch b/SOURCES/00354-cve-2020-26116-http-request-method-crlf-injection-in-httplib.patch
new file mode 100644
index 0000000..239c9cb
--- /dev/null
+++ b/SOURCES/00354-cve-2020-26116-http-request-method-crlf-injection-in-httplib.patch
@@ -0,0 +1,88 @@
+diff --git a/Lib/httplib.py b/Lib/httplib.py
+index fcc4152..a636774 100644
+--- a/Lib/httplib.py
++++ b/Lib/httplib.py
+@@ -257,6 +257,10 @@ _contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f-\xff]')
+ # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
+ # We are more lenient for assumed real world compatibility purposes.
+ 
++# These characters are not allowed within HTTP method names
++# to prevent http header injection.
++_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
++
+ # We always set the Content-Length header for these methods because some
+ # servers will otherwise respond with a 411
+ _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
+@@ -935,6 +939,8 @@ class HTTPConnection:
+ else:
+ raise CannotSendRequest()
+ 
++ self._validate_method(method)
++
+ # Save the method for use later in the response phase
+ self._method = method
+ 
+@@ -1020,6 +1026,16 @@ class HTTPConnection:
+ # On Python 2, request is already encoded (default)
+ return request
+ 
++ def _validate_method(self, method):
++ """Validate a method name for putrequest."""
++ # prevent http header injection
++ match = _contains_disallowed_method_pchar_re.search(method)
++ if match:
++ raise ValueError(
++ "method can't contain control characters. %r "
++ "(found at least %r)"
++ % (method, match.group()))
++
+ def _validate_path(self, url):
+ """Validate a url for putrequest."""
+ # Prevent CVE-2019-9740.
+diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
+index d8a57f7..96a61dd 100644
+--- a/Lib/test/test_httplib.py
++++ b/Lib/test/test_httplib.py
+@@ -385,6 +385,29 @@ class HeaderTests(TestCase):
+ conn.putheader(name, value)
+ 
+ 
++class HttpMethodTests(TestCase):
++ def test_invalid_method_names(self):
++ methods = (
++ 'GET\r',
++ 'POST\n',
++ 'PUT\n\r',
++ 'POST\nValue',
++ 'POST\nHOST:abc',
++ 'GET\nrHost:abc\n',
++ 'POST\rRemainder:\r',
++ 'GET\rHOST:\n',
++ '\nPUT'
++ )
++
++ for method in methods:
++ with self.assertRaisesRegexp(
++ ValueError, "method can't contain control characters"):
++ conn = httplib.HTTPConnection('example.com')
++ conn.sock = FakeSocket(None)
++ conn.request(method=method, url="/")
++
++
++
+ class BasicTest(TestCase):
+ def test_status_lines(self):
+ # Test HTTP status lines
+@@ -1009,9 +1032,9 @@ class TunnelTests(TestCase):
+ 
+ @test_support.reap_threads
+ def test_main(verbose=None):
+- test_support.run_unittest(HeaderTests, OfflineTest, BasicTest, TimeoutTest,
+- HTTPTest, HTTPSTest, SourceAddressTest,
+- TunnelTests)
++ test_support.run_unittest(HeaderTests, OfflineTest, HttpMethodTests,
++ BasicTest, TimeoutTest, HTTPTest, HTTPSTest,
++ SourceAddressTest, TunnelTests)
+ 
+ if __name__ == '__main__':
+ test_main()
diff --git a/SPECS/python2.spec b/SPECS/python2.spec
index 34527ab..09ff21a 100644
--- a/SPECS/python2.spec
+++ b/SPECS/python2.spec
@@ -104,7 +104,7 @@ Summary: An interpreted, interactive, object-oriented programming language
 Name: %{python}
 # Remember to also rebase python2-docs when changing this:
 Version: 2.7.18
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: Python
 Group: Development/Languages
 Requires: %{python}-libs%{?_isa} = %{version}-%{release}
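Review bot: `_contains_disallowed_method_pchar_re` in the first `Lib/httplib.py` hunk of the new patch rejects only `[\x00-\x1f]`, a narrower set than the adjacent `_contains_disallowed_url_pchar_re` (`[\x00-\x20\x7f-\xff]`), so a method name containing a space, DEL or an 8-bit byte is still accepted; this mirrors the upstream bpo-39603 regex and is presumably deliberate, but the comment above it should record that, e.g. `# Deliberately narrower than the URL-path check: only C0 controls can end the request line; same range as upstream bpo-39603.` `_validate_method` is called after the state check in `putrequest`, so if the `if` branch above the hunk has already moved the connection out of the idle state (it is not visible here), a rejected method leaves that connection unable to start a new request — the existing `_validate_path` call has the same placement, so this is consistent rather than new. `HttpMethodTests` only exercises CR and LF; one non-CRLF control such as `'GET\x1f'` and a positive case asserting that `'GET'` still reaches `FakeSocket` would pin the regex range instead of just the CRLF behaviour. The `putrequest` body patched by the second hunk starts and ends outside it.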
@@ -702,6 +702,14 @@ Patch289: 00289-disable-nis-detection.patch
 # See: https://bugs.python.org/issue39017
 Patch351: 00351-cve-2019-20907-fix-infinite-loop-in-tarfile.patch
 
+# 00354 #
+# Reject control chars in HTTP method in httplib.putrequest to prevent
+# HTTP header injection
+#
+# Backported from Python 3.5-3.10 (and adjusted for py2's single-module httplib):
+# - https://bugs.python.org/issue39603
+Patch354: 00354-cve-2020-26116-http-request-method-crlf-injection-in-httplib.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python2" and "python3" in Fedora, EL, etc.,
@@ -1016,6 +1024,8 @@ rm Lib/ensurepip/_bundled/*.whl
 # Patch 351 adds binary file for testing. We need to apply it using Git.
 git apply %{PATCH351}
 
+%patch354 -p1
+
 # This shouldn't be necesarry, but is right now (2.2a3)
 find -name "*~" |xargs rm -f
 
@@ -1953,6 +1963,10 @@ fi
 
 # ======================================================
 %changelog
+* Fri Oct 09 2020 Charalampos Stratakis - 2.7.18-2
+- Security fix for CVE-2020-26116: Reject control chars in HTTP method in httplib.putrequest
+Resolves: rhbz#1883258
+
 * Fri Oct 09 2020 Charalampos Stratakis - 2.7.18-1
 - Update to 2.7.18
 Resolves: rhbz#1886754