906ed044aa
Fixes the following security issues:
- bpo-37463: ssl.match_hostname() no longer accepts IPv4 addresses with
additional text after the address and only quad-dotted notation without
trailing whitespaces. Some inet_aton() implementations ignore whitespace
and all data after whitespace, e.g. ‘127.0.0.1 whatever’.
- bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file://
and local_file:// URL schemes in URLopener().open() and
URLopener().retrieve() of urllib.request.
- bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded
whitespace or control characters through into the underlying http client
request. Such potentially malicious header injection URLs now cause an
http.client.InvalidURL exception to be raised.
- bpo-33529: Prevent fold function used in email header encoding from
entering infinite loop when there are too many non-ASCII characters in a
header.
- bpo-35755: shutil.which() now uses os.confstr("CS_PATH") if available and
if the PATH environment variable is not set. Remove also the current
directory from posixpath.defpath. On Unix, shutil.which() and the
subprocess module no longer search the executable in the current directory
if the PATH environment variable is not set.
Also remove the following upstreamed patches:
- 0033-bpo-36742-Fixes-handling-of-pre-normalization-charac.patch
- 0034-bpo-36742-Corrects-fix-to-handle-decomposition-in-us.patch
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
[Peter: mention security fixes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
110 lines
4.0 KiB
Diff
110 lines
4.0 KiB
Diff
From 2c2afc80831c518e5daf3df6c9e4c4ac0a7be001 Mon Sep 17 00:00:00 2001
|
|
From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Date: Wed, 22 Feb 2017 16:33:22 -0800
|
|
Subject: [PATCH] Add infrastructure to disable the build of certain extensions
|
|
|
|
Some of the extensions part of the Python core have dependencies on
|
|
external libraries (sqlite, tk, etc.) or are relatively big and not
|
|
necessarly always useful (CJK codecs for example). By extensions, we
|
|
mean part of Python modules that are written in C and therefore
|
|
compiled to binary code.
|
|
|
|
Therefore, we introduce a small infrastructure that allows to disable
|
|
some of those extensions. This can be done inside the configure.ac by
|
|
adding values to the DISABLED_EXTENSIONS variable (which is a
|
|
word-separated list of extensions).
|
|
|
|
The implementation works as follow :
|
|
|
|
* configure.ac defines a DISABLED_EXTENSIONS variable, which is
|
|
substituted (so that when Makefile.pre is generated from
|
|
Makefile.pre.in, the value of the variable is substituted). For
|
|
now, this DISABLED_EXTENSIONS variable is empty, later patches will
|
|
use it.
|
|
|
|
* Makefile.pre.in passes the DISABLED_EXTENSIONS value down to the
|
|
variables passed in the environment when calling the setup.py
|
|
script that actually builds and installs those extensions.
|
|
|
|
* setup.py is modified so that the existing "disabled_module_list" is
|
|
filled with those pre-disabled extensions listed in
|
|
DISABLED_EXTENSIONS.
|
|
|
|
Patch ported to python2.7 by Maxime Ripard <ripard@archos.com>, and
|
|
then extended by Thomas Petazzoni
|
|
<thomas.petazzoni@free-electrons.com>.
|
|
|
|
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
[ Andrey Smirnov: ported to Python 3.6 ]
|
|
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
|
|
---
|
|
Makefile.pre.in | 6 +++++-
|
|
configure.ac | 2 ++
|
|
setup.py | 6 +++++-
|
|
3 files changed, 12 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/Makefile.pre.in b/Makefile.pre.in
|
|
index b38bd79121..4ce917ab8d 100644
|
|
--- a/Makefile.pre.in
|
|
+++ b/Makefile.pre.in
|
|
@@ -206,6 +206,8 @@ FILEMODE= 644
|
|
# configure script arguments
|
|
CONFIG_ARGS= @CONFIG_ARGS@
|
|
|
|
+# disabled extensions
|
|
+DISABLED_EXTENSIONS= @DISABLED_EXTENSIONS@
|
|
|
|
# Subdirectories with code
|
|
SRCDIRS= @SRCDIRS@
|
|
@@ -619,6 +621,7 @@ sharedmods: $(BUILDPYTHON) pybuilddir.txt Modules/_math.o
|
|
esac; \
|
|
echo "$(RUNSHARED) CC='$(CC)' LDSHARED='$(BLDSHARED)' OPT='$(OPT)' \
|
|
_TCLTK_INCLUDES='$(TCLTK_INCLUDES)' _TCLTK_LIBS='$(TCLTK_LIBS)' \
|
|
+ DISABLED_EXTENSIONS="$(DISABLED_EXTENSIONS)" \
|
|
$(PYTHON_FOR_BUILD) $(srcdir)/setup.py $$quiet build"; \
|
|
$(RUNSHARED) CC='$(CC)' LDSHARED='$(BLDSHARED)' OPT='$(OPT)' \
|
|
_TCLTK_INCLUDES='$(TCLTK_INCLUDES)' _TCLTK_LIBS='$(TCLTK_LIBS)' \
|
|
@@ -1528,7 +1531,8 @@ libainstall: @DEF_MAKE_RULE@ python-config
|
|
# Install the dynamically loadable modules
|
|
# This goes into $(exec_prefix)
|
|
sharedinstall: sharedmods
|
|
- $(RUNSHARED) $(PYTHON_FOR_BUILD) $(srcdir)/setup.py install \
|
|
+ $(RUNSHARED) DISABLED_EXTENSIONS="$(DISABLED_EXTENSIONS)" \
|
|
+ $(PYTHON_FOR_BUILD) $(srcdir)/setup.py install \
|
|
--prefix=$(prefix) \
|
|
--install-scripts=$(BINDIR) \
|
|
--install-platlib=$(DESTSHARED) \
|
|
diff --git a/configure.ac b/configure.ac
|
|
index 5f87c4db5a..d5ee2aedfb 100644
|
|
--- a/configure.ac
|
|
+++ b/configure.ac
|
|
@@ -2966,6 +2966,8 @@ LIBS="$withval $LIBS"
|
|
|
|
PKG_PROG_PKG_CONFIG
|
|
|
|
+AC_SUBST(DISABLED_EXTENSIONS)
|
|
+
|
|
# Check for use of the system expat library
|
|
AC_MSG_CHECKING(for --with-system-expat)
|
|
AC_ARG_WITH(system_expat,
|
|
diff --git a/setup.py b/setup.py
|
|
index fe477974bd..86643ae8bf 100644
|
|
--- a/setup.py
|
|
+++ b/setup.py
|
|
@@ -48,7 +48,11 @@ host_platform = get_platform()
|
|
COMPILED_WITH_PYDEBUG = ('--with-pydebug' in sysconfig.get_config_var("CONFIG_ARGS"))
|
|
|
|
# This global variable is used to hold the list of modules to be disabled.
|
|
-disabled_module_list = []
|
|
+try:
|
|
+ disabled_module_list = sysconfig.get_config_var("DISABLED_EXTENSIONS").split(" ")
|
|
+except KeyError:
|
|
+ disabled_module_list = list()
|
|
+
|
|
|
|
def add_dir_to_list(dirlist, dir):
|
|
"""Add the directory 'dir' to the list 'dirlist' (after any relative
|
|
--
|
|
2.13.5
|
|
|