Commit f9cad747 authored by Leonardo Arena's avatar Leonardo Arena
Browse files

main/python2: security fix (CVE-2019-16935)

ref #10872
parent 1839ebaf
......@@ -4,7 +4,7 @@ pkgname=python2
# the python2-tkinter's pkgver needs to be synchronized with this.
pkgver=2.7.16
_verbase=${pkgver%.*}
pkgrel=1
pkgrel=2
pkgdesc="A high-level scripting language"
url="https://www.python.org"
arch="all"
......@@ -21,6 +21,7 @@ source="https://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz
unchecked-ioctl.patch
CVE-2019-9636.patch
CVE-2019-9948.patch
CVE-2019-16935.patch
"
builddir="$srcdir/Python-$pkgver"
......@@ -146,4 +147,5 @@ sha512sums="16e814e8dcffc707b595ca2919bd2fa3db0d15794c63d977364652c4a5b92e90e72b
ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2 musl-find_library.patch
5a8e013a4132d71c4360771f130d27b37275ae59330cf9a75378dc8a11236017f540eb224f2a148984e82ca3fb6b29129375b1080ba05b81044faa717520ab82 unchecked-ioctl.patch
54086e7b4d3597969b945b1460fe578ff3a13289703d58d79b8f00f644eccc4acc11fc6128b7b114f022a6f6cedc91e02eead6373bac0d36e22eb580a1becb53 CVE-2019-9636.patch
2f9523bd3e39c4831110821d93aef1562ca80708f1b553428eb5c228cdf2192feb13d7aef41097a5df4b4243da8b8f7247f691c0ab73967b0bf2bf6a1a0d487f CVE-2019-9948.patch"
2f9523bd3e39c4831110821d93aef1562ca80708f1b553428eb5c228cdf2192feb13d7aef41097a5df4b4243da8b8f7247f691c0ab73967b0bf2bf6a1a0d487f CVE-2019-9948.patch
758a897f01665149a23cbc3898fe060c043647d6fe6d22d8ca9038554b4ef1c7b2ac638d37eaed265167cd50f9329be2518f07464dccb7a7ab34ec9be4710095 CVE-2019-16935.patch"
From 8eb64155ff26823542ccf0225b3d57b6ae36ea89 Mon Sep 17 00:00:00 2001
From: Dong-hee Na <donghee.na92@gmail.com>
Date: Tue, 1 Oct 2019 19:58:01 +0900
Subject: [PATCH] [2.7] bpo-38243: Escape the server title of DocXMLRPCServer
(GH-16447)
Escape the server title of DocXMLRPCServer.DocXMLRPCServer
when rendering the document page as HTML.
---
Lib/DocXMLRPCServer.py | 13 +++++++++++-
Lib/test/test_docxmlrpc.py | 20 +++++++++++++++++++
.../2019-09-25-13-21-09.bpo-38243.1pfz24.rst | 3 +++
3 files changed, 35 insertions(+), 1 deletion(-)
create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
diff --git a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py
index 4064ec2e48d4d..90b037dd35d6b 100644
--- a/Lib/DocXMLRPCServer.py
+++ b/Lib/DocXMLRPCServer.py
@@ -20,6 +20,16 @@
CGIXMLRPCRequestHandler,
resolve_dotted_attribute)
+
+def _html_escape_quote(s):
+ s = s.replace("&", "&amp;") # Must be done first!
+ s = s.replace("<", "&lt;")
+ s = s.replace(">", "&gt;")
+ s = s.replace('"', "&quot;")
+ s = s.replace('\'', "&#x27;")
+ return s
+
+
class ServerHTMLDoc(pydoc.HTMLDoc):
"""Class used to generate pydoc HTML document for a server"""
@@ -210,7 +220,8 @@ def generate_html_documentation(self):
methods
)
- return documenter.page(self.server_title, documentation)
+ title = _html_escape_quote(self.server_title)
+ return documenter.page(title, documentation)
class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
"""XML-RPC and documentation request handler class.
diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py
index 4dff4159e2466..c45b892b8b3e7 100644
--- a/Lib/test/test_docxmlrpc.py
+++ b/Lib/test/test_docxmlrpc.py
@@ -1,5 +1,6 @@
from DocXMLRPCServer import DocXMLRPCServer
import httplib
+import re
import sys
from test import test_support
threading = test_support.import_module('threading')
@@ -176,6 +177,25 @@ def test_autolink_dotted_methods(self):
self.assertIn("""Try&nbsp;self.<strong>add</strong>,&nbsp;too.""",
response.read())
+ def test_server_title_escape(self):
+ """Test that the server title and documentation
+ are escaped for HTML.
+ """
+ self.serv.set_server_title('test_title<script>')
+ self.serv.set_server_documentation('test_documentation<script>')
+ self.assertEqual('test_title<script>', self.serv.server_title)
+ self.assertEqual('test_documentation<script>',
+ self.serv.server_documentation)
+
+ generated = self.serv.generate_html_documentation()
+ title = re.search(r'<title>(.+?)</title>', generated).group()
+ documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
+ self.assertEqual('<title>Python: test_title&lt;script&gt;</title>',
+ title)
+ self.assertEqual('<p><tt>test_documentation&lt;script&gt;</tt></p>',
+ documentation)
+
+
def test_main():
test_support.run_unittest(DocXMLRPCHTTPGETServer)
diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
new file mode 100644
index 0000000000000..8f02baed9ebe5
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
@@ -0,0 +1,3 @@
+Escape the server title of :class:`DocXMLRPCServer.DocXMLRPCServer`
+when rendering the document page as HTML.
+(Contributed by Dong-hee Na in :issue:`38243`.)
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment