diff options
| author | Maxim Cournoyer <maxim.cournoyer@gmail.com> | 2021-01-13 23:39:52 -0500 |
|---|---|---|
| committer | Maxim Cournoyer <maxim.cournoyer@gmail.com> | 2021-01-13 23:45:53 -0500 |
| commit | 01f0707207741ce2a5d7509a175464799b08aea6 (patch) | |
| tree | 08e8f4da56f26363c3b53e0442a21b286b55e0e5 /gnu/packages/patches/python-CVE-2020-26116.patch | |
| parent | 734bcf13139119daf8685f93b056c3422dbfa264 (diff) | |
| parent | 6985a1acb3e9cc4cad8b6f63d77154842d25c929 (diff) | |
| download | guix-patches-01f0707207741ce2a5d7509a175464799b08aea6.tar guix-patches-01f0707207741ce2a5d7509a175464799b08aea6.tar.gz | |
Merge branch 'staging' into 'core-updates'.
Conflicts:
gnu/local.mk
gnu/packages/cmake.scm
gnu/packages/curl.scm
gnu/packages/gl.scm
gnu/packages/glib.scm
gnu/packages/guile.scm
gnu/packages/node.scm
gnu/packages/openldap.scm
gnu/packages/package-management.scm
gnu/packages/python-xyz.scm
gnu/packages/python.scm
gnu/packages/tls.scm
gnu/packages/vpn.scm
gnu/packages/xorg.scm
Diffstat (limited to 'gnu/packages/patches/python-CVE-2020-26116.patch')
| -rw-r--r-- | gnu/packages/patches/python-CVE-2020-26116.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/gnu/packages/patches/python-CVE-2020-26116.patch b/gnu/packages/patches/python-CVE-2020-26116.patch new file mode 100644 index 0000000000..dc0571e964 --- /dev/null +++ b/gnu/packages/patches/python-CVE-2020-26116.patch @@ -0,0 +1,47 @@ +Fix CVE-2020-26116: + +https://cve.circl.lu/cve/CVE-2020-26116 +https://bugs.python.org/issue39603 + +Taken from upstream (sans test and NEWS update): +https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf + +diff --git a/Lib/http/client.py b/Lib/http/client.py +--- a/Lib/http/client.py ++++ b/Lib/http/client.py +@@ -147,6 +147,10 @@ + # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$") + # We are more lenient for assumed real world compatibility purposes. + ++# These characters are not allowed within HTTP method names ++# to prevent http header injection. ++_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]') ++ + # We always set the Content-Length header for these methods because some + # servers will otherwise respond with a 411 + _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'} +@@ -1087,6 +1091,8 @@ def putrequest(self, method, url, skip_host=False, + else: + raise CannotSendRequest(self.__state) + ++ self._validate_method(method) ++ + # Save the method for use later in the response phase + self._method = method + +@@ -1177,6 +1183,15 @@ def _encode_request(self, request): + # ASCII also helps prevent CVE-2019-9740. + return request.encode('ascii') + ++ def _validate_method(self, method): ++ """Validate a method name for putrequest.""" ++ # prevent http header injection ++ match = _contains_disallowed_method_pchar_re.search(method) ++ if match: ++ raise ValueError( ++ f"method can't contain control characters. {method!r} " ++ f"(found at least {match.group()!r})") ++ + def _validate_path(self, url): + """Validate a url for putrequest.""" + # Prevent CVE-2019-9740. |