diff options
Diffstat (limited to 'meta/recipes-devtools/python/python/security_issue_2254_fix.patch')
-rw-r--r-- | meta/recipes-devtools/python/python/security_issue_2254_fix.patch | 184 |
1 files changed, 0 insertions, 184 deletions
diff --git a/meta/recipes-devtools/python/python/security_issue_2254_fix.patch b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch deleted file mode 100644 index f0328585d5..0000000000 --- a/meta/recipes-devtools/python/python/security_issue_2254_fix.patch +++ /dev/null @@ -1,184 +0,0 @@ -Upstream-Status: Backport -http://svn.python.org/view?view=revision&revision=71303 - -Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are - now collapsed within the url properly before looking in cgi_directories. -Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com> -2011/07/19 - -Index: Python-2.6.6/Lib/CGIHTTPServer.py -=================================================================== ---- Python-2.6.6.orig/Lib/CGIHTTPServer.py -+++ Python-2.6.6/Lib/CGIHTTPServer.py -@@ -70,27 +70,20 @@ class CGIHTTPRequestHandler(SimpleHTTPSe - return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self) - - def is_cgi(self): -- """Test whether self.path corresponds to a CGI script, -- and return a boolean. -+ """Test whether self.path corresponds to a CGI script. - -- This function sets self.cgi_info to a tuple (dir, rest) -- when it returns True, where dir is the directory part before -- the CGI script name. Note that rest begins with a -- slash if it is not empty. -- -- The default implementation tests whether the path -- begins with one of the strings in the list -- self.cgi_directories (and the next character is a '/' -- or the end of the string). -+ Returns True and updates the cgi_info attribute to the tuple -+ (dir, rest) if self.path requires running a CGI script. -+ Returns False otherwise. -+ -+ The default implementation tests whether the normalized url -+ path begins with one of the strings in self.cgi_directories -+ (and the next character is a '/' or the end of the string). - """ -- -- path = self.path -- -- for x in self.cgi_directories: -- i = len(x) -- if path[:i] == x and (not path[i:] or path[i] == '/'): -- self.cgi_info = path[:i], path[i+1:] -- return True -+ splitpath = _url_collapse_path_split(self.path) -+ if splitpath[0] in self.cgi_directories: -+ self.cgi_info = splitpath -+ return True - return False - - cgi_directories = ['/cgi-bin', '/htbin'] -@@ -299,6 +292,46 @@ class CGIHTTPRequestHandler(SimpleHTTPSe - self.log_message("CGI script exited OK") - - -+# TODO(gregory.p.smith): Move this into an appropriate library. -+def _url_collapse_path_split(path): -+ """ -+ Given a URL path, remove extra '/'s and '.' path elements and collapse -+ any '..' references. -+ -+ Implements something akin to RFC-2396 5.2 step 6 to parse relative paths. -+ -+ Returns: A tuple of (head, tail) where tail is everything after the final / -+ and head is everything before it. Head will always start with a '/' and, -+ if it contains anything else, never have a trailing '/'. -+ -+ Raises: IndexError if too many '..' occur within the path. -+ """ -+ # Similar to os.path.split(os.path.normpath(path)) but specific to URL -+ # path semantics rather than local operating system semantics. -+ path_parts = [] -+ for part in path.split('/'): -+ if part == '.': -+ path_parts.append('') -+ else: -+ path_parts.append(part) -+ # Filter out blank non trailing parts before consuming the '..'. -+ path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:] -+ if path_parts: -+ tail_part = path_parts.pop() -+ else: -+ tail_part = '' -+ head_parts = [] -+ for part in path_parts: -+ if part == '..': -+ head_parts.pop() -+ else: -+ head_parts.append(part) -+ if tail_part and tail_part == '..': -+ head_parts.pop() -+ tail_part = '' -+ return ('/' + '/'.join(head_parts), tail_part) -+ -+ - nobody = None - - def nobody_uid(): -Index: Python-2.6.6/Lib/test/test_httpservers.py -=================================================================== ---- Python-2.6.6.orig/Lib/test/test_httpservers.py -+++ Python-2.6.6/Lib/test/test_httpservers.py -@@ -7,6 +7,7 @@ Josip Dzolonga, and Michael Otteneder fo - from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer - from SimpleHTTPServer import SimpleHTTPRequestHandler - from CGIHTTPServer import CGIHTTPRequestHandler -+import CGIHTTPServer - - import os - import sys -@@ -324,6 +325,45 @@ class CGIHTTPServerTestCase(BaseTestCase - finally: - BaseTestCase.tearDown(self) - -+ def test_url_collapse_path_split(self): -+ test_vectors = { -+ '': ('/', ''), -+ '..': IndexError, -+ '/.//..': IndexError, -+ '/': ('/', ''), -+ '//': ('/', ''), -+ '/\\': ('/', '\\'), -+ '/.//': ('/', ''), -+ 'cgi-bin/file1.py': ('/cgi-bin', 'file1.py'), -+ '/cgi-bin/file1.py': ('/cgi-bin', 'file1.py'), -+ 'a': ('/', 'a'), -+ '/a': ('/', 'a'), -+ '//a': ('/', 'a'), -+ './a': ('/', 'a'), -+ './C:/': ('/C:', ''), -+ '/a/b': ('/a', 'b'), -+ '/a/b/': ('/a/b', ''), -+ '/a/b/c/..': ('/a/b', ''), -+ '/a/b/c/../d': ('/a/b', 'd'), -+ '/a/b/c/../d/e/../f': ('/a/b/d', 'f'), -+ '/a/b/c/../d/e/../../f': ('/a/b', 'f'), -+ '/a/b/c/../d/e/.././././..//f': ('/a/b', 'f'), -+ '../a/b/c/../d/e/.././././..//f': IndexError, -+ '/a/b/c/../d/e/../../../f': ('/a', 'f'), -+ '/a/b/c/../d/e/../../../../f': ('/', 'f'), -+ '/a/b/c/../d/e/../../../../../f': IndexError, -+ '/a/b/c/../d/e/../../../../f/..': ('/', ''), -+ } -+ for path, expected in test_vectors.iteritems(): -+ if isinstance(expected, type) and issubclass(expected, Exception): -+ self.assertRaises(expected, -+ CGIHTTPServer._url_collapse_path_split, path) -+ else: -+ actual = CGIHTTPServer._url_collapse_path_split(path) -+ self.assertEquals(expected, actual, -+ msg='path = %r\nGot: %r\nWanted: %r' % ( -+ path, actual, expected)) -+ - def test_headers_and_content(self): - res = self.request('/cgi-bin/file1.py') - self.assertEquals(('Hello World\n', 'text/html', 200), \ -@@ -348,6 +388,12 @@ class CGIHTTPServerTestCase(BaseTestCase - self.assertEquals(('Hello World\n', 'text/html', 200), \ - (res.read(), res.getheader('Content-type'), res.status)) - -+ def test_no_leading_slash(self): -+ # http://bugs.python.org/issue2254 -+ res = self.request('cgi-bin/file1.py') -+ self.assertEquals(('Hello World\n', 'text/html', 200), -+ (res.read(), res.getheader('Content-type'), res.status)) -+ - - def test_main(verbose=None): - cwd = os.getcwd() -Index: Python-2.6.6/Misc/NEWS -=================================================================== ---- Python-2.6.6.orig/Misc/NEWS -+++ Python-2.6.6/Misc/NEWS -@@ -137,6 +137,9 @@ C-API - Library - ------- - -+- Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are -+ now collapsed within the url properly before looking in cgi_directories. -+ - - Issue #8447: Make distutils.sysconfig follow symlinks in the path to - the interpreter executable. This fixes a failure of test_httpservers - on OS X. |