All of lore.kernel.org
 help / color / mirror / Atom feed
* [meta-python][zeus][PATCH] python-urllib3/python3-urllib3: fix CVE-2020-7212
@ 2020-03-13 10:19 Haiqing Bai
  2020-03-13 15:36 ` akuster808
  0 siblings, 1 reply; 3+ messages in thread
From: Haiqing Bai @ 2020-03-13 10:19 UTC (permalink / raw)
  To: openembedded-devel, haiqing.bai

Optimize _encode_invalid_chars for a denial of service (CPU consumption)

Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
---
 .../python/python-urllib3/CVE-2020-7212.patch      | 54 ++++++++++++++++++++++
 .../python/python-urllib3_1.25.6.bb                |  2 +
 .../python/python3-urllib3/CVE-2020-7212.patch     | 54 ++++++++++++++++++++++
 .../python/python3-urllib3_1.25.6.bb               |  2 +
 4 files changed, 112 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.patch
 create mode 100644 meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch

diff --git a/meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.patch b/meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.patch
new file mode 100644
index 0000000..a2bb0fb
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.patch
@@ -0,0 +1,54 @@
+From aff951b7a41eb5b958b32c49eaa00da02adc9c2d Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Tue, 21 Jan 2020 22:32:56 +0400
+Subject: [PATCH] Optimize _encode_invalid_chars (#1787)
+
+Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
+
+Upstream-Status: Backport
+[from git://github.com/urllib3/urllib3.git commit:a2697e7c6b]
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ src/urllib3/util/url.py | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
+index 9675f74..e353937 100644
+--- a/src/urllib3/util/url.py
++++ b/src/urllib3/util/url.py
+@@ -216,18 +216,15 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
+ 
+     component = six.ensure_text(component)
+ 
++    # Normalize existing percent-encoded bytes.
+     # Try to see if the component we're encoding is already percent-encoded
+     # so we can skip all '%' characters but still encode all others.
+-    percent_encodings = PERCENT_RE.findall(component)
+-
+-    # Normalize existing percent-encoded bytes.
+-    for enc in percent_encodings:
+-        if not enc.isupper():
+-            component = component.replace(enc, enc.upper())
++    component, percent_encodings = PERCENT_RE.subn(
++        lambda match: match.group(0).upper(), component
++    )
+ 
+     uri_bytes = component.encode("utf-8", "surrogatepass")
+-    is_percent_encoded = len(percent_encodings) == uri_bytes.count(b"%")
+-
++    is_percent_encoded = percent_encodings == uri_bytes.count(b"%")
+     encoded_component = bytearray()
+ 
+     for i in range(0, len(uri_bytes)):
+@@ -237,7 +234,7 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
+         if (is_percent_encoded and byte == b"%") or (
+             byte_ord < 128 and byte.decode() in allowed_chars
+         ):
+-            encoded_component.extend(byte)
++            encoded_component += byte
+             continue
+         encoded_component.extend(b"%" + (hex(byte_ord)[2:].encode().zfill(2).upper()))
+ 
+-- 
+2.23.0
+
diff --git a/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb b/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb
index 6c81f1d..9f2d2c8 100644
--- a/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb
+++ b/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb
@@ -1,2 +1,4 @@
 inherit pypi setuptools
 require python-urllib3.inc
+
+SRC_URI += "file://CVE-2020-7212.patch"
diff --git a/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch
new file mode 100644
index 0000000..a2bb0fb
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch
@@ -0,0 +1,54 @@
+From aff951b7a41eb5b958b32c49eaa00da02adc9c2d Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Tue, 21 Jan 2020 22:32:56 +0400
+Subject: [PATCH] Optimize _encode_invalid_chars (#1787)
+
+Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
+
+Upstream-Status: Backport
+[from git://github.com/urllib3/urllib3.git commit:a2697e7c6b]
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ src/urllib3/util/url.py | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
+index 9675f74..e353937 100644
+--- a/src/urllib3/util/url.py
++++ b/src/urllib3/util/url.py
+@@ -216,18 +216,15 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
+ 
+     component = six.ensure_text(component)
+ 
++    # Normalize existing percent-encoded bytes.
+     # Try to see if the component we're encoding is already percent-encoded
+     # so we can skip all '%' characters but still encode all others.
+-    percent_encodings = PERCENT_RE.findall(component)
+-
+-    # Normalize existing percent-encoded bytes.
+-    for enc in percent_encodings:
+-        if not enc.isupper():
+-            component = component.replace(enc, enc.upper())
++    component, percent_encodings = PERCENT_RE.subn(
++        lambda match: match.group(0).upper(), component
++    )
+ 
+     uri_bytes = component.encode("utf-8", "surrogatepass")
+-    is_percent_encoded = len(percent_encodings) == uri_bytes.count(b"%")
+-
++    is_percent_encoded = percent_encodings == uri_bytes.count(b"%")
+     encoded_component = bytearray()
+ 
+     for i in range(0, len(uri_bytes)):
+@@ -237,7 +234,7 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
+         if (is_percent_encoded and byte == b"%") or (
+             byte_ord < 128 and byte.decode() in allowed_chars
+         ):
+-            encoded_component.extend(byte)
++            encoded_component += byte
+             continue
+         encoded_component.extend(b"%" + (hex(byte_ord)[2:].encode().zfill(2).upper()))
+ 
+-- 
+2.23.0
+
diff --git a/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb b/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb
index 19eb702..e3583a0 100644
--- a/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb
+++ b/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb
@@ -1,2 +1,4 @@
 inherit pypi setuptools3
 require python-urllib3.inc
+
+SRC_URI += "file://CVE-2020-7212.patch"
-- 
1.9.1



^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [meta-python][zeus][PATCH] python-urllib3/python3-urllib3: fix CVE-2020-7212
  2020-03-13 10:19 [meta-python][zeus][PATCH] python-urllib3/python3-urllib3: fix CVE-2020-7212 Haiqing Bai
@ 2020-03-13 15:36 ` akuster808
  2020-03-14  3:21   ` Bai, Haiqing
  0 siblings, 1 reply; 3+ messages in thread
From: akuster808 @ 2020-03-13 15:36 UTC (permalink / raw)
  To: Haiqing Bai, openembedded-devel



On 3/13/20 3:19 AM, Haiqing Bai wrote:
> Optimize _encode_invalid_chars for a denial of service (CPU consumption)

is this fix in master?


>
> Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
> ---
>  .../python/python-urllib3/CVE-2020-7212.patch      | 54 ++++++++++++++++++++++
>  .../python/python-urllib3_1.25.6.bb                |  2 +
>  .../python/python3-urllib3/CVE-2020-7212.patch     | 54 ++++++++++++++++++++++
>  .../python/python3-urllib3_1.25.6.bb               |  2 +
>  4 files changed, 112 insertions(+)
>  create mode 100644 meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.patch
>  create mode 100644 meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch
>
> diff --git a/meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.patch b/meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.patch
> new file mode 100644
> index 0000000..a2bb0fb
> --- /dev/null
> +++ b/meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.patch
> @@ -0,0 +1,54 @@
> +From aff951b7a41eb5b958b32c49eaa00da02adc9c2d Mon Sep 17 00:00:00 2001
> +From: Quentin Pradet <quentin.pradet@gmail.com>
> +Date: Tue, 21 Jan 2020 22:32:56 +0400
> +Subject: [PATCH] Optimize _encode_invalid_chars (#1787)
> +
> +Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
> +
> +Upstream-Status: Backport
> +[from git://github.com/urllib3/urllib3.git commit:a2697e7c6b]
> +Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
> +---
> + src/urllib3/util/url.py | 15 ++++++---------
> + 1 file changed, 6 insertions(+), 9 deletions(-)
> +
> +diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
> +index 9675f74..e353937 100644
> +--- a/src/urllib3/util/url.py
> ++++ b/src/urllib3/util/url.py
> +@@ -216,18 +216,15 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
> + 
> +     component = six.ensure_text(component)
> + 
> ++    # Normalize existing percent-encoded bytes.
> +     # Try to see if the component we're encoding is already percent-encoded
> +     # so we can skip all '%' characters but still encode all others.
> +-    percent_encodings = PERCENT_RE.findall(component)
> +-
> +-    # Normalize existing percent-encoded bytes.
> +-    for enc in percent_encodings:
> +-        if not enc.isupper():
> +-            component = component.replace(enc, enc.upper())
> ++    component, percent_encodings = PERCENT_RE.subn(
> ++        lambda match: match.group(0).upper(), component
> ++    )
> + 
> +     uri_bytes = component.encode("utf-8", "surrogatepass")
> +-    is_percent_encoded = len(percent_encodings) == uri_bytes.count(b"%")
> +-
> ++    is_percent_encoded = percent_encodings == uri_bytes.count(b"%")
> +     encoded_component = bytearray()
> + 
> +     for i in range(0, len(uri_bytes)):
> +@@ -237,7 +234,7 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
> +         if (is_percent_encoded and byte == b"%") or (
> +             byte_ord < 128 and byte.decode() in allowed_chars
> +         ):
> +-            encoded_component.extend(byte)
> ++            encoded_component += byte
> +             continue
> +         encoded_component.extend(b"%" + (hex(byte_ord)[2:].encode().zfill(2).upper()))
> + 
> +-- 
> +2.23.0
> +
> diff --git a/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb b/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb
> index 6c81f1d..9f2d2c8 100644
> --- a/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb
> +++ b/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb
> @@ -1,2 +1,4 @@
>  inherit pypi setuptools
>  require python-urllib3.inc
> +
> +SRC_URI += "file://CVE-2020-7212.patch"
> diff --git a/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch
> new file mode 100644
> index 0000000..a2bb0fb
> --- /dev/null
> +++ b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch
> @@ -0,0 +1,54 @@
> +From aff951b7a41eb5b958b32c49eaa00da02adc9c2d Mon Sep 17 00:00:00 2001
> +From: Quentin Pradet <quentin.pradet@gmail.com>
> +Date: Tue, 21 Jan 2020 22:32:56 +0400
> +Subject: [PATCH] Optimize _encode_invalid_chars (#1787)
> +
> +Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
> +
> +Upstream-Status: Backport
> +[from git://github.com/urllib3/urllib3.git commit:a2697e7c6b]
> +Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
> +---
> + src/urllib3/util/url.py | 15 ++++++---------
> + 1 file changed, 6 insertions(+), 9 deletions(-)
> +
> +diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
> +index 9675f74..e353937 100644
> +--- a/src/urllib3/util/url.py
> ++++ b/src/urllib3/util/url.py
> +@@ -216,18 +216,15 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
> + 
> +     component = six.ensure_text(component)
> + 
> ++    # Normalize existing percent-encoded bytes.
> +     # Try to see if the component we're encoding is already percent-encoded
> +     # so we can skip all '%' characters but still encode all others.
> +-    percent_encodings = PERCENT_RE.findall(component)
> +-
> +-    # Normalize existing percent-encoded bytes.
> +-    for enc in percent_encodings:
> +-        if not enc.isupper():
> +-            component = component.replace(enc, enc.upper())
> ++    component, percent_encodings = PERCENT_RE.subn(
> ++        lambda match: match.group(0).upper(), component
> ++    )
> + 
> +     uri_bytes = component.encode("utf-8", "surrogatepass")
> +-    is_percent_encoded = len(percent_encodings) == uri_bytes.count(b"%")
> +-
> ++    is_percent_encoded = percent_encodings == uri_bytes.count(b"%")
> +     encoded_component = bytearray()
> + 
> +     for i in range(0, len(uri_bytes)):
> +@@ -237,7 +234,7 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
> +         if (is_percent_encoded and byte == b"%") or (
> +             byte_ord < 128 and byte.decode() in allowed_chars
> +         ):
> +-            encoded_component.extend(byte)
> ++            encoded_component += byte
> +             continue
> +         encoded_component.extend(b"%" + (hex(byte_ord)[2:].encode().zfill(2).upper()))
> + 
> +-- 
> +2.23.0
> +
> diff --git a/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb b/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb
> index 19eb702..e3583a0 100644
> --- a/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb
> +++ b/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb
> @@ -1,2 +1,4 @@
>  inherit pypi setuptools3
>  require python-urllib3.inc
> +
> +SRC_URI += "file://CVE-2020-7212.patch"



^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [meta-python][zeus][PATCH] python-urllib3/python3-urllib3: fix CVE-2020-7212
  2020-03-13 15:36 ` akuster808
@ 2020-03-14  3:21   ` Bai, Haiqing
  0 siblings, 0 replies; 3+ messages in thread
From: Bai, Haiqing @ 2020-03-14  3:21 UTC (permalink / raw)
  To: akuster808, openembedded-devel

 Hello,  this rr is only for zeus branch.  Thank you so much. 

-----Original Message-----
From: akuster808 <akuster808@gmail.com> 
Sent: Friday, March 13, 2020 11:36 PM
To: Bai, Haiqing <Haiqing.Bai@windriver.com>; openembedded-devel@lists.openembedded.org
Subject: Re: [oe] [meta-python][zeus][PATCH] python-urllib3/python3-urllib3: fix CVE-2020-7212



On 3/13/20 3:19 AM, Haiqing Bai wrote:
> Optimize _encode_invalid_chars for a denial of service (CPU 
> consumption)

is this fix in master?


>
> Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
> ---
>  .../python/python-urllib3/CVE-2020-7212.patch      | 54 ++++++++++++++++++++++
>  .../python/python-urllib3_1.25.6.bb                |  2 +
>  .../python/python3-urllib3/CVE-2020-7212.patch     | 54 ++++++++++++++++++++++
>  .../python/python3-urllib3_1.25.6.bb               |  2 +
>  4 files changed, 112 insertions(+)
>  create mode 100644 
> meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.patch
>  create mode 100644 
> meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patc
> h
>
> diff --git 
> a/meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.pat
> ch 
> b/meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.pat
> ch
> new file mode 100644
> index 0000000..a2bb0fb
> --- /dev/null
> +++ b/meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212
> +++ .patch
> @@ -0,0 +1,54 @@
> +From aff951b7a41eb5b958b32c49eaa00da02adc9c2d Mon Sep 17 00:00:00 
> +2001
> +From: Quentin Pradet <quentin.pradet@gmail.com>
> +Date: Tue, 21 Jan 2020 22:32:56 +0400
> +Subject: [PATCH] Optimize _encode_invalid_chars (#1787)
> +
> +Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
> +
> +Upstream-Status: Backport
> +[from git://github.com/urllib3/urllib3.git commit:a2697e7c6b]
> +Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
> +---
> + src/urllib3/util/url.py | 15 ++++++---------
> + 1 file changed, 6 insertions(+), 9 deletions(-)
> +
> +diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py index 
> +9675f74..e353937 100644
> +--- a/src/urllib3/util/url.py
> ++++ b/src/urllib3/util/url.py
> +@@ -216,18 +216,15 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
> + 
> +     component = six.ensure_text(component)
> + 
> ++    # Normalize existing percent-encoded bytes.
> +     # Try to see if the component we're encoding is already percent-encoded
> +     # so we can skip all '%' characters but still encode all others.
> +-    percent_encodings = PERCENT_RE.findall(component)
> +-
> +-    # Normalize existing percent-encoded bytes.
> +-    for enc in percent_encodings:
> +-        if not enc.isupper():
> +-            component = component.replace(enc, enc.upper())
> ++    component, percent_encodings = PERCENT_RE.subn(
> ++        lambda match: match.group(0).upper(), component
> ++    )
> + 
> +     uri_bytes = component.encode("utf-8", "surrogatepass")
> +-    is_percent_encoded = len(percent_encodings) == uri_bytes.count(b"%")
> +-
> ++    is_percent_encoded = percent_encodings == uri_bytes.count(b"%")
> +     encoded_component = bytearray()
> + 
> +     for i in range(0, len(uri_bytes)):
> +@@ -237,7 +234,7 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
> +         if (is_percent_encoded and byte == b"%") or (
> +             byte_ord < 128 and byte.decode() in allowed_chars
> +         ):
> +-            encoded_component.extend(byte)
> ++            encoded_component += byte
> +             continue
> +         encoded_component.extend(b"%" + 
> + (hex(byte_ord)[2:].encode().zfill(2).upper()))
> + 
> +--
> +2.23.0
> +
> diff --git 
> a/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb 
> b/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb
> index 6c81f1d..9f2d2c8 100644
> --- a/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb
> +++ b/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb
> @@ -1,2 +1,4 @@
>  inherit pypi setuptools
>  require python-urllib3.inc
> +
> +SRC_URI += "file://CVE-2020-7212.patch"
> diff --git 
> a/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.pa
> tch 
> b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.pa
> tch
> new file mode 100644
> index 0000000..a2bb0fb
> --- /dev/null
> +++ b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-721
> +++ 2.patch
> @@ -0,0 +1,54 @@
> +From aff951b7a41eb5b958b32c49eaa00da02adc9c2d Mon Sep 17 00:00:00 
> +2001
> +From: Quentin Pradet <quentin.pradet@gmail.com>
> +Date: Tue, 21 Jan 2020 22:32:56 +0400
> +Subject: [PATCH] Optimize _encode_invalid_chars (#1787)
> +
> +Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
> +
> +Upstream-Status: Backport
> +[from git://github.com/urllib3/urllib3.git commit:a2697e7c6b]
> +Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
> +---
> + src/urllib3/util/url.py | 15 ++++++---------
> + 1 file changed, 6 insertions(+), 9 deletions(-)
> +
> +diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py index 
> +9675f74..e353937 100644
> +--- a/src/urllib3/util/url.py
> ++++ b/src/urllib3/util/url.py
> +@@ -216,18 +216,15 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
> + 
> +     component = six.ensure_text(component)
> + 
> ++    # Normalize existing percent-encoded bytes.
> +     # Try to see if the component we're encoding is already percent-encoded
> +     # so we can skip all '%' characters but still encode all others.
> +-    percent_encodings = PERCENT_RE.findall(component)
> +-
> +-    # Normalize existing percent-encoded bytes.
> +-    for enc in percent_encodings:
> +-        if not enc.isupper():
> +-            component = component.replace(enc, enc.upper())
> ++    component, percent_encodings = PERCENT_RE.subn(
> ++        lambda match: match.group(0).upper(), component
> ++    )
> + 
> +     uri_bytes = component.encode("utf-8", "surrogatepass")
> +-    is_percent_encoded = len(percent_encodings) == uri_bytes.count(b"%")
> +-
> ++    is_percent_encoded = percent_encodings == uri_bytes.count(b"%")
> +     encoded_component = bytearray()
> + 
> +     for i in range(0, len(uri_bytes)):
> +@@ -237,7 +234,7 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
> +         if (is_percent_encoded and byte == b"%") or (
> +             byte_ord < 128 and byte.decode() in allowed_chars
> +         ):
> +-            encoded_component.extend(byte)
> ++            encoded_component += byte
> +             continue
> +         encoded_component.extend(b"%" + 
> + (hex(byte_ord)[2:].encode().zfill(2).upper()))
> + 
> +--
> +2.23.0
> +
> diff --git 
> a/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb 
> b/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb
> index 19eb702..e3583a0 100644
> --- a/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb
> +++ b/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb
> @@ -1,2 +1,4 @@
>  inherit pypi setuptools3
>  require python-urllib3.inc
> +
> +SRC_URI += "file://CVE-2020-7212.patch"


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2020-03-14  3:21 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-13 10:19 [meta-python][zeus][PATCH] python-urllib3/python3-urllib3: fix CVE-2020-7212 Haiqing Bai
2020-03-13 15:36 ` akuster808
2020-03-14  3:21   ` Bai, Haiqing

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.