packages/python-httplib2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!8 update to 0.19.0 to fix CVE-2021-21240

Browse Source 
From: @zhanghua1831
Reviewed-by: @maminjie,@small_leek
Signed-off-by: @small_leek
This commit is contained in:
openeuler-ci-bot 2021-03-03 14:53:09 +08:00 committed by Gitee
commit 6ccff33d9f
4 changed files with 7 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
CVE-2020-11078.patch
View File

@ -1,46 +0,0 @@
From a1457cc31f3206cf691d11d2bf34e98865873e9e Mon Sep 17 00:00:00 2001
From: Sergey Shepelev <temotor@gmail.com>
Date: Wed, 20 May 2020 14:56:12 +0300
Subject: [PATCH] IMPORTANT security vulnerability CWE-93 CRLF injection
Force %xx quote of space, CR, LF characters in uri.
Special thanks to Recar https://github.com/Ciyfly for discrete notification.
https://cwe.mitre.org/data/definitions/93.html
---
python2/httplib2/__init__.py | 3 +++
python3/httplib2/__init__.py | 3 +++
2 files changed, 6 insertions(+)
diff --git a/python2/httplib2/__init__.py b/python2/httplib2/__init__.py
index 97e06c1..34281b7 100644
--- a/python2/httplib2/__init__.py
+++ b/python2/httplib2/__init__.py
@@ -1985,6 +1985,9 @@ class Http(object):
headers["user-agent"] = "Python-httplib2/%s (gzip)" % __version__
uri = iri2uri(uri)
+ # Prevent CWE-75 space injection to manipulate request via part of uri.
+ # Prevent CWE-93 CRLF injection to modify headers via part of uri.
+ uri = uri.replace(" ", "%20").replace("\r", "%0D").replace("\n", "%0A")
(scheme, authority, request_uri, defrag_uri) = urlnorm(uri)
diff --git a/python3/httplib2/__init__.py b/python3/httplib2/__init__.py
index 8785cc1..c0b1418 100644
--- a/python3/httplib2/__init__.py
+++ b/python3/httplib2/__init__.py
@@ -1790,6 +1790,9 @@ a string that contains the response entity body.
headers["user-agent"] = "Python-httplib2/%s (gzip)" % __version__
uri = iri2uri(uri)
+ # Prevent CWE-75 space injection to manipulate request via part of uri.
+ # Prevent CWE-93 CRLF injection to modify headers via part of uri.
+ uri = uri.replace(" ", "%20").replace("\r", "%0D").replace("\n", "%0A")
(scheme, authority, request_uri, defrag_uri) = urlnorm(uri)
--
2.23.0

BIN
httplib2-0.13.1.tar.gz
View File

Binary file not shown.

BIN
httplib2-0.19.0.tar.gz Normal file
View File

Binary file not shown.

12
python-httplib2.spec
View File

@ -1,11 +1,10 @@
Name: python-httplib2 Name: python-httplib2
Version: 0.13.1 Version: 0.19.0
Release: 6 Release: 1
Summary: Small, fast HTTP client library for Python. Summary: Small, fast HTTP client library for Python.
License: MIT License: MIT
URL: https://github.com/httplib2/httplib2 URL: https://github.com/httplib2/httplib2
Source0: https://files.pythonhosted.org/packages/78/23/bb9606e87a66fd8c72a2b1a75b049d3859a122bc2648915be845bc44e04f/httplib2-0.13.1.tar.gz Source0: https://files.pythonhosted.org/packages/ed/ef/f0e05d5886a9c25dea4b18be06cd7bcaddbae0168cc576f3568f9bd6a35a/httplib2-0.19.0.tar.gz
Patch0001: CVE-2020-11078.patch
%if 0%{?with_python3} %if 0%{?with_python3}
BuildRequires: python3-setuptools python3-devel BuildRequires: python3-setuptools python3-devel
@ -55,6 +54,9 @@ popd
%endif %endif
%changelog %changelog
* Tue Mar 2 2021 zhanghua <zhanghua40@huawei.com> - 0.19.0-1
- update to 0.19.0 to fix CVE-2021-21240
* Wed Oct 21 2020 leiju <leiju4@huawei.com> - 0.13.1-6 * Wed Oct 21 2020 leiju <leiju4@huawei.com> - 0.13.1-6
- remove python2 subpackage - remove python2 subpackage