python-httplib2/CVE-2020-11078.patch

From a1457cc31f3206cf691d11d2bf34e98865873e9e Mon Sep 17 00:00:00 2001
From: Sergey Shepelev <temotor@gmail.com>
Date: Wed, 20 May 2020 14:56:12 +0300
Subject: [PATCH] IMPORTANT security vulnerability CWE-93 CRLF injection

Force %xx quote of space, CR, LF characters in uri.

Special thanks to Recar https://github.com/Ciyfly for discrete notification.

https://cwe.mitre.org/data/definitions/93.html
---
 python2/httplib2/__init__.py |  3 +++
 python3/httplib2/__init__.py |  3 +++
 2 files changed, 6 insertions(+)

diff --git a/python2/httplib2/__init__.py b/python2/httplib2/__init__.py
index 97e06c1..34281b7 100644
--- a/python2/httplib2/__init__.py
+++ b/python2/httplib2/__init__.py
@@ -1985,6 +1985,9 @@ class Http(object):
                 headers["user-agent"] = "Python-httplib2/%s (gzip)" % __version__
 
             uri = iri2uri(uri)
+            # Prevent CWE-75 space injection to manipulate request via part of uri.
+            # Prevent CWE-93 CRLF injection to modify headers via part of uri.
+            uri = uri.replace(" ", "%20").replace("\r", "%0D").replace("\n", "%0A")
 
             (scheme, authority, request_uri, defrag_uri) = urlnorm(uri)
 
diff --git a/python3/httplib2/__init__.py b/python3/httplib2/__init__.py
index 8785cc1..c0b1418 100644
--- a/python3/httplib2/__init__.py
+++ b/python3/httplib2/__init__.py
@@ -1790,6 +1790,9 @@ a string that contains the response entity body.
                 headers["user-agent"] = "Python-httplib2/%s (gzip)" % __version__
 
             uri = iri2uri(uri)
+            # Prevent CWE-75 space injection to manipulate request via part of uri.
+            # Prevent CWE-93 CRLF injection to modify headers via part of uri.
+            uri = uri.replace(" ", "%20").replace("\r", "%0D").replace("\n", "%0A")
 
             (scheme, authority, request_uri, defrag_uri) = urlnorm(uri)
 
-- 
2.23.0
fix CVE-2020-11078 2020-07-20 15:55:11 +08:00			`From a1457cc31f3206cf691d11d2bf34e98865873e9e Mon Sep 17 00:00:00 2001`
			`From: Sergey Shepelev <temotor@gmail.com>`
			`Date: Wed, 20 May 2020 14:56:12 +0300`
			`Subject: [PATCH] IMPORTANT security vulnerability CWE-93 CRLF injection`

			`Force %xx quote of space, CR, LF characters in uri.`

			`Special thanks to Recar https://github.com/Ciyfly for discrete notification.`

			`https://cwe.mitre.org/data/definitions/93.html`
			`---`
			`python2/httplib2/__init__.py \| 3 +++`
			`python3/httplib2/__init__.py \| 3 +++`
			`2 files changed, 6 insertions(+)`

			`diff --git a/python2/httplib2/__init__.py b/python2/httplib2/__init__.py`
			`index 97e06c1..34281b7 100644`
			`--- a/python2/httplib2/__init__.py`
			`+++ b/python2/httplib2/__init__.py`
			`@@ -1985,6 +1985,9 @@ class Http(object):`
			`headers["user-agent"] = "Python-httplib2/%s (gzip)" % __version__`

			`uri = iri2uri(uri)`
			`+ # Prevent CWE-75 space injection to manipulate request via part of uri.`
			`+ # Prevent CWE-93 CRLF injection to modify headers via part of uri.`
			`+ uri = uri.replace(" ", "%20").replace("\r", "%0D").replace("\n", "%0A")`

			`(scheme, authority, request_uri, defrag_uri) = urlnorm(uri)`

			`diff --git a/python3/httplib2/__init__.py b/python3/httplib2/__init__.py`
			`index 8785cc1..c0b1418 100644`
			`--- a/python3/httplib2/__init__.py`
			`+++ b/python3/httplib2/__init__.py`
			`@@ -1790,6 +1790,9 @@ a string that contains the response entity body.`
			`headers["user-agent"] = "Python-httplib2/%s (gzip)" % __version__`

			`uri = iri2uri(uri)`
			`+ # Prevent CWE-75 space injection to manipulate request via part of uri.`
			`+ # Prevent CWE-93 CRLF injection to modify headers via part of uri.`
			`+ uri = uri.replace(" ", "%20").replace("\r", "%0D").replace("\n", "%0A")`

			`(scheme, authority, request_uri, defrag_uri) = urlnorm(uri)`

			`--`
			`2.23.0`