LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
16464 Commits
1 Branch
46 MiB
Tree: c722105c1d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c722105c1d'
${ noResults }
openwrt-packages-dist/lang/python/python3/patches/027-bpo-38243-xmlrpc.server...

74 lines
3.0 KiB
Raw Normal View History

python3: backport three security patches Fixes: CVE-2019-16935 Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
5 years ago
 
  1. From 39a0c7555530e31c6941a78da19b6a5b61170687 Mon Sep 17 00:00:00 2001
  2. From: "Miss Islington (bot)"
  3.  <31488909+miss-islington@users.noreply.github.com>
  4. Date: Fri, 27 Sep 2019 13:18:14 -0700
  5. Subject: [PATCH] bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
  6. 

  7. Escape the server title of xmlrpc.server.DocXMLRPCServer
  8. when rendering the document page as HTML.
  9. (cherry picked from commit e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa)
  10. 

  11. Co-authored-by: Dong-hee Na <donghee.na92@gmail.com>
  12. ---

  13.  Lib/test/test_docxmlrpc.py                       | 16 ++++++++++++++++
  14.  Lib/xmlrpc/server.py                             |  3 ++-
  15.  .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst     |  3 +++
  16.  3 files changed, 21 insertions(+), 1 deletion(-)
  17.  create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
  18. 

  19. --- a/Lib/test/test_docxmlrpc.py

  20. +++ b/Lib/test/test_docxmlrpc.py

  21. @@ -1,5 +1,6 @@

  22.  from xmlrpc.server import DocXMLRPCServer
  23.  import http.client
  24. +import re

  25.  import sys
  26.  import threading
  27.  from test import support
  28. @@ -193,6 +194,21 @@ class DocXMLRPCHTTPGETServer(unittest.Te

  29.               b'method_annotation</strong></a>(x: bytes)</dt></dl>'),
  30.              response.read())
  31.  
  32. +    def test_server_title_escape(self):

  33. +        # bpo-38243: Ensure that the server title and documentation

  34. +        # are escaped for HTML.

  35. +        self.serv.set_server_title('test_title<script>')

  36. +        self.serv.set_server_documentation('test_documentation<script>')

  37. +        self.assertEqual('test_title<script>', self.serv.server_title)

  38. +        self.assertEqual('test_documentation<script>',

  39. +                self.serv.server_documentation)

  40. +

  41. +        generated = self.serv.generate_html_documentation()

  42. +        title = re.search(r'<title>(.+?)</title>', generated).group()

  43. +        documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()

  44. +        self.assertEqual('<title>Python: test_title&lt;script&gt;</title>', title)

  45. +        self.assertEqual('<p><tt>test_documentation&lt;script&gt;</tt></p>', documentation)

  46. +

  47.  
  48.  if __name__ == '__main__':
  49.      unittest.main()
  50. --- a/Lib/xmlrpc/server.py

  51. +++ b/Lib/xmlrpc/server.py

  52. @@ -108,6 +108,7 @@ from xmlrpc.client import Fault, dumps,

  53.  from http.server import BaseHTTPRequestHandler
  54.  from functools import partial
  55.  from inspect import signature
  56. +import html

  57.  import http.server
  58.  import socketserver
  59.  import sys
  60. @@ -894,7 +895,7 @@ class XMLRPCDocGenerator:

  61.                                  methods
  62.                              )
  63.  
  64. -        return documenter.page(self.server_title, documentation)

  65. +        return documenter.page(html.escape(self.server_title), documentation)

  66.  
  67.  class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
  68.      """XML-RPC and documentation request handler class.
  69. --- /dev/null

  70. +++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst

  71. @@ -0,0 +1,3 @@

  72. +Escape the server title of :class:`xmlrpc.server.DocXMLRPCServer`

  73. +when rendering the document page as HTML.

  74. +(Contributed by Dong-hee Na in :issue:`38243`.)