aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHaiqing Bai <Haiqing.Bai@windriver.com>2020-03-13 18:19:23 +0800
committerArmin Kuster <akuster808@gmail.com>2020-03-21 19:46:18 -0700
commit6d38a12f165445a7b47f784d705ab6692c93a6b0 (patch)
treeb154d81dd7c959b2c4a74e106654fd65d7d5f207
parent9aea795890af4de0b8e6587f1f2778109446736d (diff)
downloadmeta-openembedded-contrib-6d38a12f165445a7b47f784d705ab6692c93a6b0.tar.gz
meta-openembedded-contrib-6d38a12f165445a7b47f784d705ab6692c93a6b0.tar.bz2
meta-openembedded-contrib-6d38a12f165445a7b47f784d705ab6692c93a6b0.zip
python-urllib3/python3-urllib3: fix CVE-2020-7212
Optimize _encode_invalid_chars for a denial of service (CPU consumption) Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.patch54
-rw-r--r--meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb2
-rw-r--r--meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch54
-rw-r--r--meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb2
4 files changed, 112 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.patch b/meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.patch
new file mode 100644
index 0000000000..a2bb0fb5be
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.patch
@@ -0,0 +1,54 @@
+From aff951b7a41eb5b958b32c49eaa00da02adc9c2d Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Tue, 21 Jan 2020 22:32:56 +0400
+Subject: [PATCH] Optimize _encode_invalid_chars (#1787)
+
+Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
+
+Upstream-Status: Backport
+[from git://github.com/urllib3/urllib3.git commit:a2697e7c6b]
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ src/urllib3/util/url.py | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
+index 9675f74..e353937 100644
+--- a/src/urllib3/util/url.py
++++ b/src/urllib3/util/url.py
+@@ -216,18 +216,15 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
+
+ component = six.ensure_text(component)
+
++ # Normalize existing percent-encoded bytes.
+ # Try to see if the component we're encoding is already percent-encoded
+ # so we can skip all '%' characters but still encode all others.
+- percent_encodings = PERCENT_RE.findall(component)
+-
+- # Normalize existing percent-encoded bytes.
+- for enc in percent_encodings:
+- if not enc.isupper():
+- component = component.replace(enc, enc.upper())
++ component, percent_encodings = PERCENT_RE.subn(
++ lambda match: match.group(0).upper(), component
++ )
+
+ uri_bytes = component.encode("utf-8", "surrogatepass")
+- is_percent_encoded = len(percent_encodings) == uri_bytes.count(b"%")
+-
++ is_percent_encoded = percent_encodings == uri_bytes.count(b"%")
+ encoded_component = bytearray()
+
+ for i in range(0, len(uri_bytes)):
+@@ -237,7 +234,7 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
+ if (is_percent_encoded and byte == b"%") or (
+ byte_ord < 128 and byte.decode() in allowed_chars
+ ):
+- encoded_component.extend(byte)
++ encoded_component += byte
+ continue
+ encoded_component.extend(b"%" + (hex(byte_ord)[2:].encode().zfill(2).upper()))
+
+--
+2.23.0
+
diff --git a/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb b/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb
index 6c81f1db9b..9f2d2c8496 100644
--- a/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb
+++ b/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb
@@ -1,2 +1,4 @@
inherit pypi setuptools
require python-urllib3.inc
+
+SRC_URI += "file://CVE-2020-7212.patch"
diff --git a/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch
new file mode 100644
index 0000000000..a2bb0fb5be
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch
@@ -0,0 +1,54 @@
+From aff951b7a41eb5b958b32c49eaa00da02adc9c2d Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Tue, 21 Jan 2020 22:32:56 +0400
+Subject: [PATCH] Optimize _encode_invalid_chars (#1787)
+
+Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
+
+Upstream-Status: Backport
+[from git://github.com/urllib3/urllib3.git commit:a2697e7c6b]
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ src/urllib3/util/url.py | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
+index 9675f74..e353937 100644
+--- a/src/urllib3/util/url.py
++++ b/src/urllib3/util/url.py
+@@ -216,18 +216,15 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
+
+ component = six.ensure_text(component)
+
++ # Normalize existing percent-encoded bytes.
+ # Try to see if the component we're encoding is already percent-encoded
+ # so we can skip all '%' characters but still encode all others.
+- percent_encodings = PERCENT_RE.findall(component)
+-
+- # Normalize existing percent-encoded bytes.
+- for enc in percent_encodings:
+- if not enc.isupper():
+- component = component.replace(enc, enc.upper())
++ component, percent_encodings = PERCENT_RE.subn(
++ lambda match: match.group(0).upper(), component
++ )
+
+ uri_bytes = component.encode("utf-8", "surrogatepass")
+- is_percent_encoded = len(percent_encodings) == uri_bytes.count(b"%")
+-
++ is_percent_encoded = percent_encodings == uri_bytes.count(b"%")
+ encoded_component = bytearray()
+
+ for i in range(0, len(uri_bytes)):
+@@ -237,7 +234,7 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
+ if (is_percent_encoded and byte == b"%") or (
+ byte_ord < 128 and byte.decode() in allowed_chars
+ ):
+- encoded_component.extend(byte)
++ encoded_component += byte
+ continue
+ encoded_component.extend(b"%" + (hex(byte_ord)[2:].encode().zfill(2).upper()))
+
+--
+2.23.0
+
diff --git a/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb b/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb
index 19eb7025b2..e3583a057d 100644
--- a/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb
+++ b/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb
@@ -1,2 +1,4 @@
inherit pypi setuptools3
require python-urllib3.inc
+
+SRC_URI += "file://CVE-2020-7212.patch"