!177 fix CVE-2021-28861

From: @tong_1001 Reviewed-by: @markeryang, @gaoruoshu, @xiezhipeng1 Signed-off-by: @xiezhipeng1
2022-08-26 06:15:01 +00:00 · 2022-08-26 06:15:01 +00:00 · df23c65863
commit df23c65863
parent c88bb2d800 796770d20d
2 changed files with 140 additions and 1 deletions
--- a/backport-CVE-2021-28861.patch
+++ b/backport-CVE-2021-28861.patch
@ -0,0 +1,131 @@
 From 5715382d3a89ca118ce2e224d8c69550d21fe51b Mon Sep 17 00:00:00 2001
 From: "Miss Islington (bot)"
 <31488909+miss-islington@users.noreply.github.com>
 Date: Tue, 21 Jun 2022 14:36:55 -0700
 Subject: [PATCH] gh-87389: Fix an open redirection vulnerability in
 http.server. (GH-93879)
 Fix an open redirection vulnerability in the `http.server` module when
 an URI path starts with `//` that could produce a 301 Location header
 with a misleading target.  Vulnerability discovered, and logic fix
 proposed, by Hamza Avvan (@hamzaavvan).
 Test and comments authored by Gregory P. Smith [Google].
 (cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e)
 Co-authored-by: Gregory P. Smith <greg@krypto.org>
 ---
 Lib/http/server.py                                 |  7 +++
 Lib/test/test_httpservers.py                       | 53 +++++++++++++++++++++-
 .../2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst  |  3 ++
 3 files changed, 61 insertions(+), 2 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst
 diff --git a/Lib/http/server.py b/Lib/http/server.py
 index e985dfd..78748c6 100644
 --- a/Lib/http/server.py
 +++ b/Lib/http/server.py
@@ -332,6 +332,13 @@ class BaseHTTPRequestHandler(socketserver.StreamRequestHandler):
                 return False
         self.command, self.path = command, path
 +        # gh-87389: The purpose of replacing '//' with '/' is to protect
 +        # against open redirect attacks possibly triggered if the path starts
 +        # with '//' because http clients treat //path as an absolute URI
 +        # without scheme (similar to http://path) rather than a path.
 +        if self.path.startswith('//'):
 +            self.path = '/' + self.path.lstrip('/')  # Reduce to a single /
 +
         # Examine the headers and look for a Connection directive.
         try:
             self.headers = http.client.parse_headers(self.rfile,
 diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
 index 1cc020f..8fdbab4 100644
 --- a/Lib/test/test_httpservers.py
 +++ b/Lib/test/test_httpservers.py
@@ -333,7 +333,7 @@ class SimpleHTTPServerTestCase(BaseTestCase):
         pass
     def setUp(self):
 -        BaseTestCase.setUp(self)
 +        super().setUp()
         self.cwd = os.getcwd()
         basetempdir = tempfile.gettempdir()
         os.chdir(basetempdir)
@@ -361,7 +361,7 @@ class SimpleHTTPServerTestCase(BaseTestCase):
             except:
                 pass
         finally:
 -            BaseTestCase.tearDown(self)
 +            super().tearDown()
     def check_status_and_reason(self, response, status, data=None):
         def close_conn():
@@ -417,6 +417,55 @@ class SimpleHTTPServerTestCase(BaseTestCase):
         self.check_status_and_reason(response, HTTPStatus.OK,
                                      data=os_helper.TESTFN_UNDECODABLE)
 +    def test_get_dir_redirect_location_domain_injection_bug(self):
 +        """Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location.
 +
 +        //netloc/ in a Location header is a redirect to a new host.
 +        https://github.com/python/cpython/issues/87389
 +
 +        This checks that a path resolving to a directory on our server cannot
 +        resolve into a redirect to another server.
 +        """
 +        os.mkdir(os.path.join(self.tempdir, 'existing_directory'))
 +        url = f'/python.org/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../{self.tempdir_name}/existing_directory'
 +        expected_location = f'{url}/'  # /python.org.../ single slash single prefix, trailing slash
 +        # Canonicalizes to /tmp/tempdir_name/existing_directory which does
 +        # exist and is a dir, triggering the 301 redirect logic.
 +        response = self.request(url)
 +        self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
 +        location = response.getheader('Location')
 +        self.assertEqual(location, expected_location, msg='non-attack failed!')
 +
 +        # //python.org... multi-slash prefix, no trailing slash
 +        attack_url = f'/{url}'
 +        response = self.request(attack_url)
 +        self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
 +        location = response.getheader('Location')
 +        self.assertFalse(location.startswith('//'), msg=location)
 +        self.assertEqual(location, expected_location,
 +                msg='Expected Location header to start with a single / and '
 +                'end with a / as this is a directory redirect.')
 +
 +        # ///python.org... triple-slash prefix, no trailing slash
 +        attack3_url = f'//{url}'
 +        response = self.request(attack3_url)
 +        self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
 +        self.assertEqual(response.getheader('Location'), expected_location)
 +
 +        # If the second word in the http request (Request-URI for the http
 +        # method) is a full URI, we don't worry about it, as that'll be parsed
 +        # and reassembled as a full URI within BaseHTTPRequestHandler.send_head
 +        # so no errant scheme-less //netloc//evil.co/ domain mixup can happen.
 +        attack_scheme_netloc_2slash_url = f'https://pypi.org/{url}'
 +        expected_scheme_netloc_location = f'{attack_scheme_netloc_2slash_url}/'
 +        response = self.request(attack_scheme_netloc_2slash_url)
 +        self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
 +        location = response.getheader('Location')
 +        # We're just ensuring that the scheme and domain make it through, if
 +        # there are or aren't multiple slashes at the start of the path that
 +        # follows that isn't important in this Location: header.
 +        self.assertTrue(location.startswith('https://pypi.org/'), msg=location)
 +
     def test_get(self):
         #constructs the path relative to the root directory of the HTTPServer
         response = self.request(self.base_url + '/test')
 diff --git a/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst b/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst
 new file mode 100644
 index 0000000..029d437
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst
@@ -0,0 +1,3 @@
 +:mod:`http.server`: Fix an open redirection vulnerability in the HTTP server
 +when an URI path starts with ``//``.  Vulnerability discovered, and initial
 +fix proposed, by Hamza Avvan.
 -- 
 1.8.3.1
--- a/python3.spec
+++ b/python3.spec
@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
 URL: https://www.python.org/
 Version: 3.10.2
-Release: 7
+Release: 8
 License: Python-2.0
 %global branchversion 3.10
@ -89,6 +89,7 @@ Patch1:   00001-rpath.patch
 Patch251: 00251-change-user-install-location.patch
 Patch6000:  backport-bpo-46811-Make-test-suite-support-Expat-2.4.5.patch
 Patch6001:  backport-CVE-2015-20107.patch
 Patch6002:  backport-CVE-2021-28861.patch
 Patch9000:  add-the-sm3-method-for-obtaining-the-salt-value.patch
@ -186,6 +187,7 @@ rm configure pyconfig.h.in
 %patch251 -p1
 %patch6000 -p1
 %patch6001 -p1
 %patch6002 -p1
 %patch9000 -p1
@ -803,6 +805,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 %{_mandir}/*/*
 %changelog
 * Thu Aug 25 2022 shixuantong <shixuantong@h-partners.com> - 3.10.2-8
 - Type:CVE
 - CVE:CVE-2021-28861
 - SUG:NA
 - DESC:fix CVE-2021-28861
 * Fri Aug 12 2022 shixuantong <shixuantong@h-partners.com> - 3.10.2-7
 - Type:enhancement
 - CVE:NA