diff options
| author | Maxim Cournoyer <maxim.cournoyer@gmail.com> | 2022-03-21 21:38:19 -0400 |
|---|---|---|
| committer | Maxim Cournoyer <maxim.cournoyer@gmail.com> | 2022-03-21 21:38:19 -0400 |
| commit | 49b350fafc2c3ea1db66461b73d4e304cd13ec92 (patch) | |
| tree | 9b9b1a4a383b5175241ae6b91b83de0590f13983 /gnu/packages/patches/python-CVE-2020-26116.patch | |
| parent | 03b5668a035ba96c9690476078c5ee1d5793f3e2 (diff) | |
| parent | e584a093f943be216fdc93895281fde835836b8d (diff) | |
Merge branch 'master' into staging.
Diffstat (limited to 'gnu/packages/patches/python-CVE-2020-26116.patch')
| -rw-r--r-- | gnu/packages/patches/python-CVE-2020-26116.patch | 47 |
1 files changed, 0 insertions, 47 deletions
diff --git a/gnu/packages/patches/python-CVE-2020-26116.patch b/gnu/packages/patches/python-CVE-2020-26116.patch deleted file mode 100644 index dc0571e964..0000000000 --- a/gnu/packages/patches/python-CVE-2020-26116.patch +++ /dev/null @@ -1,47 +0,0 @@ -Fix CVE-2020-26116: - -https://cve.circl.lu/cve/CVE-2020-26116 -https://bugs.python.org/issue39603 - -Taken from upstream (sans test and NEWS update): -https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf - -diff --git a/Lib/http/client.py b/Lib/http/client.py ---- a/Lib/http/client.py -+++ b/Lib/http/client.py -@@ -147,6 +147,10 @@ - # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$") - # We are more lenient for assumed real world compatibility purposes. - -+# These characters are not allowed within HTTP method names -+# to prevent http header injection. -+_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]') -+ - # We always set the Content-Length header for these methods because some - # servers will otherwise respond with a 411 - _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'} -@@ -1087,6 +1091,8 @@ def putrequest(self, method, url, skip_host=False, - else: - raise CannotSendRequest(self.__state) - -+ self._validate_method(method) -+ - # Save the method for use later in the response phase - self._method = method - -@@ -1177,6 +1183,15 @@ def _encode_request(self, request): - # ASCII also helps prevent CVE-2019-9740. - return request.encode('ascii') - -+ def _validate_method(self, method): -+ """Validate a method name for putrequest.""" -+ # prevent http header injection -+ match = _contains_disallowed_method_pchar_re.search(method) -+ if match: -+ raise ValueError( -+ f"method can't contain control characters. {method!r} " -+ f"(found at least {match.group()!r})") -+ - def _validate_path(self, url): - """Validate a url for putrequest.""" - # Prevent CVE-2019-9740. |