!28 fix CVE-2022-36087

From: @zhuofeng6 Reviewed-by: @xiezhipeng1 Signed-off-by: @xiezhipeng1
2022-09-27 01:34:05 +00:00 · 2022-09-27 01:34:05 +00:00 · 5cef6e15bc
commit 5cef6e15bc
parent fb1a6a1490 28063d5a03
3 changed files with 155 additions and 2 deletions
--- a/backport-Add-check-of-performance-of-ipv6-check.patch
+++ b/backport-Add-check-of-performance-of-ipv6-check.patch
@ -0,0 +1,28 @@
+From e514826eea15f2b62bbc13da407b71552ef5ff4c Mon Sep 17 00:00:00 2001
+From: Jonathan Huot <jonathan.huot@gmail.com>
+Date: Fri, 2 Sep 2022 23:22:17 +0200
+Subject: [PATCH] Add check of performance of ipv6 check
+
+---
+ tests/test_uri_validate.py | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/tests/test_uri_validate.py b/tests/test_uri_validate.py
+index 3489d95..1ef8b1f 100644
+--- a/tests/test_uri_validate.py
+++ b/tests/test_uri_validate.py
+@@ -31,3 +31,11 @@ class UriValidateTest(TestCase):
+         self.assertIsNone(is_absolute_uri('wrong'))
+         self.assertIsNone(is_absolute_uri('http://[:1]:38432/path'))
+         self.assertIsNone(is_absolute_uri('http://[abcd:efgh::1]/'))
+
+    def test_recursive_regex(self):
+        from datetime import datetime
+        t0 = datetime.now()
+        self.assertIsNone(is_absolute_uri('http://[::::::::::::::::::::::::::]/path'))
+        t1 = datetime.now()
+        spent = t1 - t0
+        self.assertGreater(0.1, spent.total_seconds(), "possible recursive loop detected")
+-- 
+2.33.0
+
--- a/backport-CVE-2022-36087.patch
+++ b/backport-CVE-2022-36087.patch
@ -0,0 +1,115 @@
+From 5d85c61998692643dd9d17e05d2646e06ce391e8 Mon Sep 17 00:00:00 2001
+From: Jonathan Huot <jonathan.huot@gmail.com>
+Date: Tue, 6 Sep 2022 21:56:40 +0200
+Subject: [PATCH] Fix IPV6 regex used to check redirect_uri
+
+---
+ oauthlib/uri_validate.py   |  2 +-
+ tests/test_uri_validate.py | 51 +++++++++++++++++++++++++++++++++++---
+ 2 files changed, 48 insertions(+), 5 deletions(-)
+
+diff --git a/oauthlib/uri_validate.py b/oauthlib/uri_validate.py
+index 8a6d9c2..a6fe0fb 100644
+--- a/oauthlib/uri_validate.py
+++ b/oauthlib/uri_validate.py
+@@ -66,7 +66,7 @@ IPv4address = r"%(dec_octet)s \. %(dec_octet)s \. %(dec_octet)s \. %(dec_octet)s
+ )
+ 
+ #   IPv6address
+-IPv6address = r"([A-Fa-f0-9:]+:+)+[A-Fa-f0-9]+"
+IPv6address = r"([A-Fa-f0-9:]+[:$])[A-Fa-f0-9]{1,4}"
+ 
+ #   IPvFuture     = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
+ IPvFuture = r"v %(HEXDIG)s+ \. (?: %(unreserved)s | %(sub_delims)s | : )+" % locals()
+diff --git a/tests/test_uri_validate.py b/tests/test_uri_validate.py
+index 1ef8b1f..6a9f8ea 100644
+--- a/tests/test_uri_validate.py
+++ b/tests/test_uri_validate.py
+@@ -1,4 +1,4 @@
+-import oauthlib
+import unittest
+ from oauthlib.uri_validate import is_absolute_uri
+ 
+ from tests.unittest import TestCase
+@@ -7,7 +7,6 @@ from tests.unittest import TestCase
+ class UriValidateTest(TestCase):
+ 
+     def test_is_absolute_uri(self):
+-
+         self.assertIsNotNone(is_absolute_uri('schema://example.com/path'))
+         self.assertIsNotNone(is_absolute_uri('https://example.com/path'))
+         self.assertIsNotNone(is_absolute_uri('https://example.com'))
+@@ -17,16 +16,60 @@ class UriValidateTest(TestCase):
+         self.assertIsNotNone(is_absolute_uri('http://example.com'))
+         self.assertIsNotNone(is_absolute_uri('http://example.com/path'))
+         self.assertIsNotNone(is_absolute_uri('http://example.com:80/path'))
+-        self.assertIsNotNone(is_absolute_uri('com.example.bundle.id:/'))
+
+    def test_query(self):
+        self.assertIsNotNone(is_absolute_uri('http://example.com:80/path?foo'))
+        self.assertIsNotNone(is_absolute_uri('http://example.com:80/path?foo=bar'))
+        self.assertIsNotNone(is_absolute_uri('http://example.com:80/path?foo=bar&fruit=banana'))
+
+    def test_fragment_forbidden(self):
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path#foo'))
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path#foo=bar'))
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path#foo=bar&fruit=banana'))
+
+    def test_combined_forbidden(self):
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo#bar'))
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo&bar#fruit'))
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo=1&bar#fruit=banana'))
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo=1&bar=2#fruit=banana&bar=foo'))
+
+    def test_custom_scheme(self):
+        self.assertIsNotNone(is_absolute_uri('com.example.bundle.id://'))
+
+    def test_ipv6_bracket(self):
+         self.assertIsNotNone(is_absolute_uri('http://[::1]:38432/path'))
+         self.assertIsNotNone(is_absolute_uri('http://[::1]/path'))
+         self.assertIsNotNone(is_absolute_uri('http://[fd01:0001::1]/path'))
+         self.assertIsNotNone(is_absolute_uri('http://[fd01:1::1]/path'))
+         self.assertIsNotNone(is_absolute_uri('http://[0123:4567:89ab:cdef:0123:4567:89ab:cdef]/path'))
+        self.assertIsNotNone(is_absolute_uri('http://[0123:4567:89ab:cdef:0123:4567:89ab:cdef]:8080/path'))
+
+    @unittest.skip("ipv6 edge-cases not supported")
+    def test_ipv6_edge_cases(self):
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8::'))
+        self.assertIsNotNone(is_absolute_uri('http://::1234:5678'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8::1234:5678'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8:3333:4444:5555:6666:7777:8888'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF'))
+        self.assertIsNotNone(is_absolute_uri('http://0123:4567:89ab:cdef:0123:4567:89ab:cdef/path'))
+        self.assertIsNotNone(is_absolute_uri('http://::'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:0db8:0001:0000:0000:0ab9:C0A8:0102'))
+
+    @unittest.skip("ipv6 dual ipv4 not supported")
+    def test_ipv6_dual(self):
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8:3333:4444:5555:6666:1.2.3.4'))
+        self.assertIsNotNone(is_absolute_uri('http://::11.22.33.44'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8::123.123.123.123'))
+        self.assertIsNotNone(is_absolute_uri('http://::1234:5678:91.123.4.56'))
+        self.assertIsNotNone(is_absolute_uri('http://::1234:5678:1.2.3.4'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8::1234:5678:5.6.7.8'))
+
+    def test_ipv4(self):
+         self.assertIsNotNone(is_absolute_uri('http://127.0.0.1:38432/'))
+         self.assertIsNotNone(is_absolute_uri('http://127.0.0.1:38432/'))
+         self.assertIsNotNone(is_absolute_uri('http://127.1:38432/'))
+ 
+    def test_failures(self):
+         self.assertIsNone(is_absolute_uri('http://example.com:notaport/path'))
+         self.assertIsNone(is_absolute_uri('wrong'))
+         self.assertIsNone(is_absolute_uri('http://[:1]:38432/path'))
+@@ -35,7 +78,7 @@ class UriValidateTest(TestCase):
+     def test_recursive_regex(self):
+         from datetime import datetime
+         t0 = datetime.now()
+-        self.assertIsNone(is_absolute_uri('http://[::::::::::::::::::::::::::]/path'))
+        is_absolute_uri('http://[::::::::::::::::::::::::::]/path')
+         t1 = datetime.now()
+         spent = t1 - t0
+         self.assertGreater(0.1, spent.total_seconds(), "possible recursive loop detected")
+-- 
+2.33.0
+
--- a/python-oauthlib.spec
+++ b/python-oauthlib.spec
@ -1,11 +1,15 @@
 %global _empty_manifest_terminate_build 0
 Name:           python-oauthlib
 Version:        3.2.0
-Release:        1
+Release:        2
 Summary:        A generic, spec-compliant, thorough implementation of the OAuth request-signing logic
 License:        BSD
 URL:            https://github.com/oauthlib/oauthlib
 Source0:        https://files.pythonhosted.org/packages/6e/7e/a43cec8b2df28b6494a865324f0ac4be213cb2edcf1e2a717547a93279b0/oauthlib-3.2.0.tar.gz
+
+Patch6000:      backport-Add-check-of-performance-of-ipv6-check.patch
+Patch6001:      backport-CVE-2022-36087.patch
+
 BuildArch:      noarch
 %description
 AuthLib is a framework which implements the logic of OAuth1 or OAuth2
@ -54,7 +58,7 @@ maintainer of such a library, write a thin veneer on top of OAuthLib
 and get OAuth support for very little effort.

 %prep
-%autosetup -n oauthlib-%{version}
+%autosetup -n oauthlib-%{version} -p1

 %build
 %py3_build
@ -98,6 +102,12 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*

 %changelog
+* Mon Sep 26 2022 zhuofeng<zhuofeng2@huawei.com> - 3.2.0-2
+- Type:CVE
+- CVE:CVE-2022-36087
+- SUG:NA
+- DESC:fix CVE-2022-36087
+
 * Tue Jul 05 2022 OpenStack_SIG <openstack@openeuler.org> - 3.2.0-1
 - Upgrade package python3-oauthlib to version 3.2.0