packages/python-webob
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!11 Fix CVE-2024-42353

Browse Source 
From: @starlet-dx 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530
This commit is contained in:
openeuler-ci-bot 2024-08-15 03:28:03 +00:00 committed by Gitee
commit b5fbc5b8a6
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 54 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
backport-CVE-2024-42353.patch Normal file
View File

@ -0,0 +1,48 @@
From f689bcf4f0a1f64f1735b1d5069aef5be6974b5b Mon Sep 17 00:00:00 2001
From: Delta Regeer <xistence@0x58.com>
Date: Wed, 7 Aug 2024 11:15:35 -0600
Subject: [PATCH] Add fix for open redirect
---
src/webob/response.py | 5 +++++
tests/test_response.py | 11 +++++++++++
2 files changed, 16 insertions(+)
diff --git a/src/webob/response.py b/src/webob/response.py
index 2aad591c..efc38ecf 100644
--- a/src/webob/response.py
+++ b/src/webob/response.py
@@ -1284,6 +1284,11 @@ def _make_location_absolute(environ, value):
if SCHEME_RE.search(value):
return value
+ # This is to fix an open redirect issue due to the way that
+ # urlparse.urljoin works. See CVE-2024-42353 and
+ # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
+ if value.startswith("//"):
+ value = "/%2f{}".format(value[2:])
new_location = urlparse.urljoin(_request_uri(environ), value)
return new_location
diff --git a/tests/test_response.py b/tests/test_response.py
index 9d9f9d37..8a6ac06d 100644
--- a/tests/test_response.py
+++ b/tests/test_response.py
@@ -1031,6 +1031,17 @@ def test_location():
assert req.get_response(res).location == 'http://localhost/test2.html'
+def test_location_no_open_redirect():
+ # This is a test for a fix for CVE-2024-42353 and
+ # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
+ res = Response()
+ res.status = "301"
+ res.location = "//www.example.com/test"
+ assert res.location == "//www.example.com/test"
+ req = Request.blank("/")
+ assert req.get_response(res).location == "http://localhost/%2fwww.example.com/test"
+
+
@pytest.mark.xfail(sys.version_info < (3,0),
reason="Python 2.x unicode != str, WSGI requires str. Test "
"added due to https://github.com/Pylons/webob/issues/247. "

7
python-webob.spec
View File

@ -1,11 +1,13 @@
Name: python-webob Name: python-webob
Version: 1.8.7 Version: 1.8.7
Release: 2 Release: 3
Summary: WSGI request and response object Summary: WSGI request and response object
License: MIT License: MIT
URL: http://pythonpaste.org/webob/ URL: http://pythonpaste.org/webob/
Source0: https://files.pythonhosted.org/packages/source/W/WebOb/WebOb-%{version}.tar.gz Source0: https://files.pythonhosted.org/packages/source/W/WebOb/WebOb-%{version}.tar.gz
Patch0001: Adapt_py310.patch Patch0001: Adapt_py310.patch
# https://github.com/Pylons/webob/commit/f689bcf4f0a1f64f1735b1d5069aef5be6974b5b
Patch3000: backport-CVE-2024-42353.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: python3-devel, python3-pytest BuildRequires: python3-devel, python3-pytest
@ -51,6 +53,9 @@ py.test-3 tests
%{python3_sitelib}/* %{python3_sitelib}/*
%changelog %changelog
* Thu Aug 15 2024 yaoxin <yao_xin001@hoperun.com> - 1.8.7-3
- Fix CVE-2024-42353
* Wed Mar 02 2022 zhaoshuang <zhaoshuang@uniontech.com> - 1.8.7-2 * Wed Mar 02 2022 zhaoshuang <zhaoshuang@uniontech.com> - 1.8.7-2
- remove some unnecessary buildrequirements - remove some unnecessary buildrequirements