* [zeus][PATCH 1/2] python3: fix CVE-2019-16935
@ 2019-10-23  2:37 Chen Qi
  2019-10-23  2:37 ` [zeus][PATCH 2/2] python: " Chen Qi
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Chen Qi @ 2019-10-23  2:37 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 ....server-Escape-the-server_title-GH-1.patch | 86 +++++++++++++++++++
 meta/recipes-devtools/python/python3_3.7.4.bb |  1 +
 2 files changed, 87 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3/0001-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch

diff --git a/meta/recipes-devtools/python/python3/0001-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch b/meta/recipes-devtools/python/python3/0001-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch
new file mode 100644
index 0000000000..1a4c932070
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/0001-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch
@@ -0,0 +1,86 @@
+From c25abd43e8877b4a7098f79eaacb248710731c2b Mon Sep 17 00:00:00 2001
+From: Dong-hee Na <donghee.na92@gmail.com>
+Date: Sat, 28 Sep 2019 04:59:37 +0900
+Subject: [PATCH] bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
+
+Escape the server title of xmlrpc.server.DocXMLRPCServer
+when rendering the document page as HTML.
+
+CVE: CVE-2019-16935
+
+Upstream-Status: Backport [https://github.com/python/cpython/commit/e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ Lib/test/test_docxmlrpc.py                       | 16 ++++++++++++++++
+ Lib/xmlrpc/server.py                             |  3 ++-
+ .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst     |  3 +++
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+
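Review bot: the `From c25abd43e8877b4a7098f79eaacb248710731c2b` line and the `Upstream-Status: Backport [https://github.com/python/cpython/commit/e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa]` line name two different commits, and the header does not say which branch each comes from, so a reader cannot verify the backport against upstream without guessing. Either point Upstream-Status at the commit whose hash matches the From: line, or add the branch name to the Upstream-Status entry so both hashes are explained.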
+diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py
+index f077f05f5b..38215659b6 100644
+--- a/Lib/test/test_docxmlrpc.py
++++ b/Lib/test/test_docxmlrpc.py
+@@ -1,5 +1,6 @@
+ from xmlrpc.server import DocXMLRPCServer
+ import http.client
++import re
+ import sys
+ import threading
+ from test import support
+@@ -193,6 +194,21 @@ class DocXMLRPCHTTPGETServer(unittest.TestCase):
+              b'method_annotation</strong></a>(x: bytes)</dt></dl>'),
+             response.read())
+ 
++    def test_server_title_escape(self):
++        # bpo-38243: Ensure that the server title and documentation
++        # are escaped for HTML.
++        self.serv.set_server_title('test_title<script>')
++        self.serv.set_server_documentation('test_documentation<script>')
++        self.assertEqual('test_title<script>', self.serv.server_title)
++        self.assertEqual('test_documentation<script>',
++                self.serv.server_documentation)
++
++        generated = self.serv.generate_html_documentation()
++        title = re.search(r'<title>(.+?)</title>', generated).group()
++        documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
++        self.assertEqual('<title>Python: test_title&lt;script&gt;</title>', title)
++        self.assertEqual('<p><tt>test_documentation&lt;script&gt;</tt></p>', documentation)
++
+ 
+ if __name__ == '__main__':
+     unittest.main()
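Review bot: the two `re.search(r'...', generated).group()` lines in test_server_title_escape turn a non-match into an AttributeError on `None` rather than an assertion failure, so a regression in the page layout would show up as a traceback instead of the expected/actual strings. Since both assertions already compare against the complete tag, the search is unnecessary: `self.assertIn('<title>Python: test_title&lt;script&gt;</title>', generated)` and the matching `assertIn` for the `<p><tt>...</tt></p>` line give the same coverage with a readable failure.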
+diff --git a/Lib/xmlrpc/server.py b/Lib/xmlrpc/server.py
+index f1c467eb1b..32aba4df4c 100644
+--- a/Lib/xmlrpc/server.py
++++ b/Lib/xmlrpc/server.py
+@@ -108,6 +108,7 @@ from xmlrpc.client import Fault, dumps, loads, gzip_encode, gzip_decode
+ from http.server import BaseHTTPRequestHandler
+ from functools import partial
+ from inspect import signature
++import html
+ import http.server
+ import socketserver
+ import sys
+@@ -894,7 +895,7 @@ class XMLRPCDocGenerator:
+                                 methods
+                             )
+ 
+-        return documenter.page(self.server_title, documentation)
++        return documenter.page(html.escape(self.server_title), documentation)
+ 
+ class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
+     """XML-RPC and documentation request handler class.
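Review bot: the test added in this patch also asserts that server_documentation comes out as `test_documentation&lt;script&gt;`, but this hunk only wraps the title argument of `documenter.page()`; the documentation escaping must therefore happen in code this patch does not touch, and that assertion passes on unpatched 3.7.4 as well. That is fine as a regression guard, but a sentence in the commit message saying the title was the only unescaped input would stop the next backporter from looking for a missing documentation hunk. `html.escape()` with its default `quote=True` also turns `"` and `'` into `&quot;` and `&#x27;`, which is harmless inside `<title>` text and keeps the output identical to the hand-rolled helper in the 2.7 patch of this series.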
+diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+new file mode 100644
+index 0000000000..98d7be1295
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+@@ -0,0 +1,3 @@
++Escape the server title of :class:`xmlrpc.server.DocXMLRPCServer`
++when rendering the document page as HTML.
++(Contributed by Dong-hee Na in :issue:`38243`.)
+-- 
+2.17.1
+
diff --git a/meta/recipes-devtools/python/python3_3.7.4.bb b/meta/recipes-devtools/python/python3_3.7.4.bb
index 580f47f976..eb6e6d39c0 100644
--- a/meta/recipes-devtools/python/python3_3.7.4.bb
+++ b/meta/recipes-devtools/python/python3_3.7.4.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://0001-Use-FLAG_REF-always-for-interned-strings.patch \
            file://0001-test_locale.py-correct-the-test-output-format.patch \
            file://0001-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \
+           file://0001-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch \
            "
 
 SRC_URI_append_class-native = " \
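Review bot: the new `file://0001-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch` entry carries a name truncated by git format-patch (`GH-1` is the stub of GH-16373), so the file name no longer identifies the upstream PR. OE-Core usually names CVE backports after the CVE, e.g. `file://CVE-2019-16935.patch`, which also makes `grep -r CVE-2019-16935 meta/recipes-devtools/python` hit both the recipe and the patch; the `CVE:` tag inside the patch still feeds cve-check whatever the file is called.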
-- 
2.17.1



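Added example, not part of either patch in this series and not CPython's own test code, showing what the `documenter.page(html.escape(self.server_title), documentation)` hunk above changes. pydoc's `HTMLDoc.page()` interpolates its title argument into `<title>Python: %s</title>` without escaping, so before the fix a server_title containing `</title><script>` broke out of the title context; the fix escapes the value first. The block reproduces the pre-fix line by calling `ServerHTMLDoc().page()` with a raw title and the post-fix line with an escaped one, then renders a real documentation page through `DocCGIXMLRPCRequestHandler` (it mixes in the same `XMLRPCDocGenerator` as `DocXMLRPCServer` but binds no socket) to check whether the running interpreter carries the fix. It also copies the `_html_escape_quote` helper from the 2.7 patch to confirm it produces the same output as `html.escape()` in 3.x. The payload title, the sample documentation string and the registered `add` method are constructed for this example.

```python
import html
from xmlrpc.server import DocCGIXMLRPCRequestHandler, ServerHTMLDoc

# Constructed payload: a title that closes <title> early so the rest is
# parsed as markup by the browser.
PAYLOAD_TITLE = '</title><script>alert("xss")</script>'

# What the escaped payload must look like in the fixed page (html.escape
# with its default quote=True).
ESCAPED_PAYLOAD = '&lt;/title&gt;&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;'


def render_page_unpatched(title, body=""):
    """Pre-fix behaviour: documenter.page(self.server_title, documentation).

    HTMLDoc.page() does '<title>Python: %s</title>' % title with no escaping,
    so the raw title lands in the HTML unchanged.
    """
    return ServerHTMLDoc().page(title, body)


def render_page_patched(title, body=""):
    """Post-fix behaviour: documenter.page(html.escape(self.server_title), ...)."""
    return ServerHTMLDoc().page(html.escape(title), body)


def script_tag_live(page):
    """True when a literal '<script>' survived into the page, i.e. the title
    value was able to leave the <title> text context."""
    return "<script>" in page


def build_doc_page(title, documentation):
    """Render a documentation page via xmlrpc.server's own generator.

    DocCGIXMLRPCRequestHandler uses the same generate_html_documentation()
    that the patch modifies, but needs no listening socket. The 'add'
    method is registered only so the Methods section is non-empty.
    """
    handler = DocCGIXMLRPCRequestHandler()
    handler.set_server_title(title)
    handler.set_server_documentation(documentation)
    handler.register_function(lambda a, b: a + b, "add")
    return handler.generate_html_documentation()


def interpreter_is_patched():
    """True if the running xmlrpc.server carries the bpo-38243 fix."""
    page = build_doc_page(PAYLOAD_TITLE, "Constructed server documentation")
    return (not script_tag_live(page)) and ESCAPED_PAYLOAD in page


def _html_escape_quote(s):
    """Copied from the 2.7 backport (patch 2/2 of this series) for comparison."""
    s = s.replace("&", "&amp;")  # Must be done first!
    s = s.replace("<", "&lt;")
    s = s.replace(">", "&gt;")
    s = s.replace('"', "&quot;")
    s = s.replace("'", "&#x27;")
    return s


def backports_agree(sample='a&b<"c">\'d\' &lt;already&gt;'):
    """The 2.7 helper and 3.x html.escape(quote=True) must give identical output,
    including for input that already contains entities (the '&' ordering)."""
    return _html_escape_quote(sample) == html.escape(sample, quote=True)


if __name__ == "__main__":
    print("unpatched page has live <script>:",
          script_tag_live(render_page_unpatched(PAYLOAD_TITLE)))
    print("patched page has live <script>:",
          script_tag_live(render_page_patched(PAYLOAD_TITLE)))
    print("running interpreter is patched:", interpreter_is_patched())
    print("2.7 helper matches html.escape:", backports_agree())
```

Running this under a fixed interpreter prints True, False, True, True. The `interpreter_is_patched()` check is the useful part on a build host: it exercises the real `generate_html_documentation()` rather than a copy of the line, so it tells you whether the Python you are testing against actually has the backport applied.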

* [zeus][PATCH 2/2] python: fix CVE-2019-16935
  2019-10-23  2:37 [zeus][PATCH 1/2] python3: fix CVE-2019-16935 Chen Qi
@ 2019-10-23  2:37 ` Chen Qi
  2019-10-23  3:01 ` ✗ patchtest: failure for "[zeus] python3: fix CVE-2019-1..." and 1 more Patchwork
  2019-10-23 10:59 ` [zeus][PATCH 1/2] python3: fix CVE-2019-16935 Ross Burton
  2 siblings, 0 replies; 6+ messages in thread
From: Chen Qi @ 2019-10-23  2:37 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 ...cape-the-server-title-of-DocXMLRPCSe.patch | 101 ++++++++++++++++++
 meta/recipes-devtools/python/python_2.7.16.bb |   1 +
 2 files changed, 102 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch

diff --git a/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch b/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch
new file mode 100644
index 0000000000..3025cf7bc8
--- /dev/null
+++ b/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch
@@ -0,0 +1,101 @@
+From b161c89c8bd66fe928192e21364678c8e9b8fcc0 Mon Sep 17 00:00:00 2001
+From: Dong-hee Na <donghee.na92@gmail.com>
+Date: Tue, 1 Oct 2019 19:58:01 +0900
+Subject: [PATCH] [2.7] bpo-38243: Escape the server title of DocXMLRPCServer
+ (GH-16447)
+
+Escape the server title of DocXMLRPCServer.DocXMLRPCServer
+when rendering the document page as HTML.
+
+CVE: CVE-2019-16935
+
+Upstream-Status: Backport [https://github.com/python/cpython/pull/16447/commits/b41cde823d026f2adc21ef14b1c2e92b1006de06]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ Lib/DocXMLRPCServer.py                        | 13 +++++++++++-
+ Lib/test/test_docxmlrpc.py                    | 20 +++++++++++++++++++
+ .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst  |  3 +++
+ 3 files changed, 35 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+
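Review bot: `Upstream-Status: Backport [https://github.com/python/cpython/pull/16447/commits/b41cde823d026f2adc21ef14b1c2e92b1006de06]` points at a commit inside a pull request, while the `From b161c89c8bd66fe928192e21364678c8e9b8fcc0` line names a different hash. A PR-commit URL stops resolving if the PR branch is rebased or deleted, so prefer the hash the change landed as on the upstream 2.7 branch, which should then match the From: line and needs no further explanation.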
+diff --git a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py
+index 4064ec2e48..90b037dd35 100644
+--- a/Lib/DocXMLRPCServer.py
++++ b/Lib/DocXMLRPCServer.py
+@@ -20,6 +20,16 @@ from SimpleXMLRPCServer import (SimpleXMLRPCServer,
+             CGIXMLRPCRequestHandler,
+             resolve_dotted_attribute)
+ 
++
++def _html_escape_quote(s):
++    s = s.replace("&", "&amp;") # Must be done first!
++    s = s.replace("<", "&lt;")
++    s = s.replace(">", "&gt;")
++    s = s.replace('"', "&quot;")
++    s = s.replace('\'', "&#x27;")
++    return s
++
++
+ class ServerHTMLDoc(pydoc.HTMLDoc):
+     """Class used to generate pydoc HTML document for a server"""
+ 
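Review bot: `_html_escape_quote` has no docstring saying why a private helper is added instead of the `cgi.escape(s, quote=True)` that 2.7 already ships; the difference is the final `s.replace('\'', "&#x27;")` line, which cgi.escape does not do. A one-line docstring ("cgi.escape(quote=True) plus single quotes, matching html.escape in 3.x") would stop someone simplifying it back later. The `# Must be done first!` comment on the `&` line is right: doing it after the other replacements would turn the `&lt;` they produce into `&amp;lt;`.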
+@@ -210,7 +220,8 @@ class XMLRPCDocGenerator:
+                                 methods
+                             )
+ 
+-        return documenter.page(self.server_title, documentation)
++        title = _html_escape_quote(self.server_title)
++        return documenter.page(title, documentation)
+ 
+ class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
+     """XML-RPC and documentation request handler class.
+diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py
+index 4dff4159e2..c45b892b8b 100644
+--- a/Lib/test/test_docxmlrpc.py
++++ b/Lib/test/test_docxmlrpc.py
+@@ -1,5 +1,6 @@
+ from DocXMLRPCServer import DocXMLRPCServer
+ import httplib
++import re
+ import sys
+ from test import test_support
+ threading = test_support.import_module('threading')
+@@ -176,6 +177,25 @@ class DocXMLRPCHTTPGETServer(unittest.TestCase):
+         self.assertIn("""Try&nbsp;self.<strong>add</strong>,&nbsp;too.""",
+                       response.read())
+ 
++    def test_server_title_escape(self):
++        """Test that the server title and documentation
++        are escaped for HTML.
++        """
++        self.serv.set_server_title('test_title<script>')
++        self.serv.set_server_documentation('test_documentation<script>')
++        self.assertEqual('test_title<script>', self.serv.server_title)
++        self.assertEqual('test_documentation<script>',
++                self.serv.server_documentation)
++
++        generated = self.serv.generate_html_documentation()
++        title = re.search(r'<title>(.+?)</title>', generated).group()
++        documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
++        self.assertEqual('<title>Python: test_title&lt;script&gt;</title>',
++                title)
++        self.assertEqual('<p><tt>test_documentation&lt;script&gt;</tt></p>',
++                documentation)
++
++
+ def test_main():
+     test_support.run_unittest(DocXMLRPCHTTPGETServer)
+ 
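Review bot: test_server_title_escape only feeds `<` and `>` through the new `_html_escape_quote` helper; the `&`, `"` and `'` replacements, and in particular the ordering the `# Must be done first!` comment protects, have no coverage. Suggest a second title such as `a&b<"c">'d'` asserted as `a&amp;b&lt;&quot;c&quot;&gt;&#x27;d&#x27;` inside the `<title>`, and a title that already contains `&lt;` asserted as `&amp;lt;`, so a reordering of the replace calls fails the test.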
+diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+new file mode 100644
+index 0000000000..8f02baed9e
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+@@ -0,0 +1,3 @@
++Escape the server title of :class:`DocXMLRPCServer.DocXMLRPCServer`
++when rendering the document page as HTML.
++(Contributed by Dong-hee Na in :issue:`38243`.)
+-- 
+2.17.1
+
diff --git a/meta/recipes-devtools/python/python_2.7.16.bb b/meta/recipes-devtools/python/python_2.7.16.bb
index aec877825e..808920e06f 100644
--- a/meta/recipes-devtools/python/python_2.7.16.bb
+++ b/meta/recipes-devtools/python/python_2.7.16.bb
@@ -31,6 +31,7 @@ SRC_URI += " \
            file://float-endian.patch \
            file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \
            file://0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \
+           file://0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch \
 "
 
 S = "${WORKDIR}/Python-${PV}"
-- 
2.17.1




* ✗ patchtest: failure for "[zeus] python3: fix CVE-2019-1..." and 1 more
  2019-10-23  2:37 [zeus][PATCH 1/2] python3: fix CVE-2019-16935 Chen Qi
  2019-10-23  2:37 ` [zeus][PATCH 2/2] python: " Chen Qi
@ 2019-10-23  3:01 ` Patchwork
  2019-10-23 10:59 ` [zeus][PATCH 1/2] python3: fix CVE-2019-16935 Ross Burton
  2 siblings, 0 replies; 6+ messages in thread
From: Patchwork @ 2019-10-23  3:01 UTC (permalink / raw)
  To: Qi.Chen; +Cc: openembedded-core

== Series Details ==

Series: "[zeus] python3: fix CVE-2019-1..." and 1 more
Revision: 1
URL   : https://patchwork.openembedded.org/series/20603/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Issue             Series does not apply on top of target branch [test_series_merge_on_head] 
  Suggested fix    Rebase your series on top of targeted branch
  Targeted branch  zeus (currently at 59938780e7)



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe




* Re: [zeus][PATCH 1/2] python3: fix CVE-2019-16935
  2019-10-23  2:37 [zeus][PATCH 1/2] python3: fix CVE-2019-16935 Chen Qi
  2019-10-23  2:37 ` [zeus][PATCH 2/2] python: " Chen Qi
  2019-10-23  3:01 ` ✗ patchtest: failure for "[zeus] python3: fix CVE-2019-1..." and 1 more Patchwork
@ 2019-10-23 10:59 ` Ross Burton
  2019-10-23 11:24   ` Adrian Bunk
  2019-10-24  1:29   ` ChenQi
  2 siblings, 2 replies; 6+ messages in thread
From: Ross Burton @ 2019-10-23 10:59 UTC (permalink / raw)
  To: Chen Qi, openembedded-core

Zeus and master I presume?

Ross



* Re: [zeus][PATCH 1/2] python3: fix CVE-2019-16935
  2019-10-23 10:59 ` [zeus][PATCH 1/2] python3: fix CVE-2019-16935 Ross Burton
@ 2019-10-23 11:24   ` Adrian Bunk
  2019-10-24  1:29   ` ChenQi
  1 sibling, 0 replies; 6+ messages in thread
From: Adrian Bunk @ 2019-10-23 11:24 UTC (permalink / raw)
  To: Ross Burton; +Cc: openembedded-core

On Wed, Oct 23, 2019 at 11:59:37AM +0100, Ross Burton wrote:
> Zeus and master I presume?

And warrior.

Or continue following the 3.7 stable releases in all 3 branches
(see my patch to upgrade to 3.7.5 that also fixes this CVE).

> Ross

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed




* Re: [zeus][PATCH 1/2] python3: fix CVE-2019-16935
  2019-10-23 10:59 ` [zeus][PATCH 1/2] python3: fix CVE-2019-16935 Ross Burton
  2019-10-23 11:24   ` Adrian Bunk
@ 2019-10-24  1:29   ` ChenQi
  1 sibling, 0 replies; 6+ messages in thread
From: ChenQi @ 2019-10-24  1:29 UTC (permalink / raw)
  To: Ross Burton, openembedded-core

On 10/23/2019 06:59 PM, Ross Burton wrote:
> Zeus and master I presume?
>
> Ross
>
Yes. These two are for zeus. I will send out another two for master to 
avoid conflicts.

Best Regards,

Chen Qi



