diff options
Diffstat (limited to 'gnu/packages/patches/python-CVE-2020-26116.patch')
| -rw-r--r-- | gnu/packages/patches/python-CVE-2020-26116.patch | 47 |
1 files changed, 0 insertions, 47 deletions
diff --git a/gnu/packages/patches/python-CVE-2020-26116.patch b/gnu/packages/patches/python-CVE-2020-26116.patch deleted file mode 100644 index dc0571e964..0000000000 --- a/gnu/packages/patches/python-CVE-2020-26116.patch +++ /dev/null @@ -1,47 +0,0 @@ -Fix CVE-2020-26116: - -https://cve.circl.lu/cve/CVE-2020-26116 -https://bugs.python.org/issue39603 - -Taken from upstream (sans test and NEWS update): -https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf - -diff --git a/Lib/http/client.py b/Lib/http/client.py ---- a/Lib/http/client.py -+++ b/Lib/http/client.py -@@ -147,6 +147,10 @@ - # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$") - # We are more lenient for assumed real world compatibility purposes. - -+# These characters are not allowed within HTTP method names -+# to prevent http header injection. -+_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]') -+ - # We always set the Content-Length header for these methods because some - # servers will otherwise respond with a 411 - _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'} -@@ -1087,6 +1091,8 @@ def putrequest(self, method, url, skip_host=False, - else: - raise CannotSendRequest(self.__state) - -+ self._validate_method(method) -+ - # Save the method for use later in the response phase - self._method = method - -@@ -1177,6 +1183,15 @@ def _encode_request(self, request): - # ASCII also helps prevent CVE-2019-9740. - return request.encode('ascii') - -+ def _validate_method(self, method): -+ """Validate a method name for putrequest.""" -+ # prevent http header injection -+ match = _contains_disallowed_method_pchar_re.search(method) -+ if match: -+ raise ValueError( -+ f"method can't contain control characters. {method!r} " -+ f"(found at least {match.group()!r})") -+ - def _validate_path(self, url): - """Validate a url for putrequest.""" - # Prevent CVE-2019-9740. |