pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: pkgsrc/lang/python27
Module Name: pkgsrc
Committed By: gutteridge
Date: Fri Feb 25 22:41:32 UTC 2022
Modified Files:
pkgsrc/lang/python27: Makefile distinfo
pkgsrc/lang/python27/patches: patch-Doc_library_urlparse.rst
patch-Lib_test_test__urlparse.py patch-Lib_urlparse.py
Added Files:
pkgsrc/lang/python27/patches: patch-Lib_ftplib.py
patch-Lib_test_test__ftplib.py
Log Message:
python27: fix two security issues
Addresses CVE-2021-4189 and CVE-2022-0391. Patches sourced via Fedora.
To generate a diff of this commit:
cvs rdiff -u -r1.98 -r1.99 pkgsrc/lang/python27/Makefile
cvs rdiff -u -r1.88 -r1.89 pkgsrc/lang/python27/distinfo
cvs rdiff -u -r1.1 -r1.2 \
pkgsrc/lang/python27/patches/patch-Doc_library_urlparse.rst \
pkgsrc/lang/python27/patches/patch-Lib_test_test__urlparse.py
cvs rdiff -u -r0 -r1.1 pkgsrc/lang/python27/patches/patch-Lib_ftplib.py \
pkgsrc/lang/python27/patches/patch-Lib_test_test__ftplib.py
cvs rdiff -u -r1.2 -r1.3 pkgsrc/lang/python27/patches/patch-Lib_urlparse.py
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/lang/python27/Makefile
diff -u pkgsrc/lang/python27/Makefile:1.98 pkgsrc/lang/python27/Makefile:1.99
--- pkgsrc/lang/python27/Makefile:1.98 Thu Jan 20 12:57:13 2022
+++ pkgsrc/lang/python27/Makefile Fri Feb 25 22:41:32 2022
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.98 2022/01/20 12:57:13 jperkin Exp $
+# $NetBSD: Makefile,v 1.99 2022/02/25 22:41:32 gutteridge Exp $
.include "dist.mk"
PKGNAME= python27-${PY_DISTVERSION}
-PKGREVISION= 7
+PKGREVISION= 8
CATEGORIES= lang python
MAINTAINER= pkgsrc-users%NetBSD.org@localhost
Index: pkgsrc/lang/python27/distinfo
diff -u pkgsrc/lang/python27/distinfo:1.88 pkgsrc/lang/python27/distinfo:1.89
--- pkgsrc/lang/python27/distinfo:1.88 Wed Jan 12 08:49:01 2022
+++ pkgsrc/lang/python27/distinfo Fri Feb 25 22:41:32 2022
@@ -1,10 +1,10 @@
-$NetBSD: distinfo,v 1.88 2022/01/12 08:49:01 wiz Exp $
+$NetBSD: distinfo,v 1.89 2022/02/25 22:41:32 gutteridge Exp $
BLAKE2s (Python-2.7.18.tar.xz) = 1b673ec8c9362a178e044691392bc4f67ad13457d7fddd84a88de346f23f9812
SHA512 (Python-2.7.18.tar.xz) = a7bb62b51f48ff0b6df0b18f5b0312a523e3110f49c3237936bfe56ed0e26838c0274ff5401bda6fc21bf24337477ccac49e8026c5d651e4b4cafb5eb5086f6c
Size (Python-2.7.18.tar.xz) = 12854736 bytes
SHA1 (patch-Doc_library_cgi.rst) = ed9ac101b0857dc573e9a648694d1ee5fabe61fb
-SHA1 (patch-Doc_library_urlparse.rst) = f9714b945a2bacb4ec5360c151a42192e00f08ad
+SHA1 (patch-Doc_library_urlparse.rst) = ceaea3a4577ba7d3055ffb3b3c8ffbbdda7e1d32
SHA1 (patch-Include_pyerrors.h) = 0d2cd52d18cc719b895fa32ed7e11c6cb15bae54
SHA1 (patch-Include_pyport.h) = f3e4ddbc954425a65301465410911222ca471320
SHA1 (patch-Lib___osx__support.py) = 4389472565616b3875c699f6e3e74850d5fde712
@@ -19,6 +19,7 @@ SHA1 (patch-Lib_distutils_command_instal
SHA1 (patch-Lib_distutils_tests_test__build__ext.py) = 6b3c8c8d1d351836b239c049d34d132953bd4786
SHA1 (patch-Lib_distutils_unixccompiler.py) = db16c9aca2f29730945f28247b88b18828739bbb
SHA1 (patch-Lib_distutils_util.py) = 5bcfad96f8e490351160f1a7c1f4ece7706a33fa
+SHA1 (patch-Lib_ftplib.py) = 6679c4ea109dcb5d56d86a55343954e0368b9138
SHA1 (patch-Lib_httplib.py) = b8eeaa203e2a86ece94148d192b2a7e0c078602a
SHA1 (patch-Lib_lib2to3_pgen2_driver.py) = 5d6dab14197f27363394ff1aeee22a8ced8026d2
SHA1 (patch-Lib_multiprocessing_process.py) = 15699bd8ec822bf54a0631102e00e0a34f882803
@@ -27,13 +28,14 @@ SHA1 (patch-Lib_sysconfig.py) = 8a7a0e5c
SHA1 (patch-Lib_tarfile.py) = df00aa1941367c42dcbbed4b6658b724a22ddcde
SHA1 (patch-Lib_test_multibytecodec__support.py) = a18c40e8009f1a8f63e15196d3e751d7dccf8367
SHA1 (patch-Lib_test_test__cgi.py) = 724355e8d2195f8a4b76d7ea61133e9b14fa3a68
+SHA1 (patch-Lib_test_test__ftplib.py) = 4b22c8a963ccf6f60ca49be003bf026e1b0b632d
SHA1 (patch-Lib_test_test__httplib.py) = f7cfa5501a63eaca539bfa53d38cf931f3a6c3ac
SHA1 (patch-Lib_test_test__platform.py) = 3a3b8c05f9bf9adf4862b1022ce864127d36b8b0
SHA1 (patch-Lib_test_test__unicode.py) = 1bd182bdbd880d0a847f9d8b69277a607f9f0526
SHA1 (patch-Lib_test_test__urllib2.py) = 89baa57daf2f3282e4fc5009915dbc4910b96ef1
-SHA1 (patch-Lib_test_test__urlparse.py) = 257cb3bf7a0e9b5e0dcb204f675959b10953ba7b
+SHA1 (patch-Lib_test_test__urlparse.py) = d98df667a34eebb994fe1d54a1decb8359df897e
SHA1 (patch-Lib_urllib2.py) = 0cc0dc811bb9544496962e08b040b5c96fb9073c
-SHA1 (patch-Lib_urlparse.py) = 69db5325a19474113e72c1feeb895a25534412c4
+SHA1 (patch-Lib_urlparse.py) = 1f102bb85acd99a8be976f9d5b0fdb1a7abf5725
SHA1 (patch-Mac_Tools_pythonw.c) = 2b9a60d4b349c240471fd305be69c28e0f654cdc
SHA1 (patch-Makefile.pre.in) = ceaf34237588b527478ce1f9163c9168382fa201
SHA1 (patch-Modules___ctypes_callbacks.c) = 8c335edfc9d2ef47988c5bdf1c3dd8473757637b
Index: pkgsrc/lang/python27/patches/patch-Doc_library_urlparse.rst
diff -u pkgsrc/lang/python27/patches/patch-Doc_library_urlparse.rst:1.1 pkgsrc/lang/python27/patches/patch-Doc_library_urlparse.rst:1.2
--- pkgsrc/lang/python27/patches/patch-Doc_library_urlparse.rst:1.1 Sun Oct 10 03:00:59 2021
+++ pkgsrc/lang/python27/patches/patch-Doc_library_urlparse.rst Fri Feb 25 22:41:32 2022
@@ -1,12 +1,26 @@
-$NetBSD: patch-Doc_library_urlparse.rst,v 1.1 2021/10/10 03:00:59 gutteridge Exp $
+$NetBSD: patch-Doc_library_urlparse.rst,v 1.2 2022/02/25 22:41:32 gutteridge Exp $
Fix CVE-2021-23336: Add `separator` argument to parse_qs; warn with default
Via Fedora:
https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336.patch
+Fix CVE-2022-0391: urlparse does not sanitize URLs containing ASCII newline and tabs
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00377-CVE-2022-0391.patch
+
--- Doc/library/urlparse.rst.orig 2020-04-19 21:13:39.000000000 +0000
+++ Doc/library/urlparse.rst
-@@ -136,7 +136,7 @@ The :mod:`urlparse` module defines the f
+@@ -125,6 +125,9 @@ The :mod:`urlparse` module defines the f
+ decomposed before parsing, or is not a Unicode string, no error will be
+ raised.
+
++ Following the `WHATWG spec`_ that updates RFC 3986, ASCII newline
++ ``\n``, ``\r`` and tab ``\t`` characters are stripped from the URL.
++
+ .. versionchanged:: 2.5
+ Added attributes to return value.
+
+@@ -136,7 +139,7 @@ The :mod:`urlparse` module defines the f
now raise :exc:`ValueError`.
@@ -15,7 +29,7 @@ https://src.fedoraproject.org/rpms/pytho
Parse a query string given as a string argument (data of type
:mimetype:`application/x-www-form-urlencoded`). Data are returned as a
-@@ -157,6 +157,15 @@ The :mod:`urlparse` module defines the f
+@@ -157,6 +160,15 @@ The :mod:`urlparse` module defines the f
read. If set, then throws a :exc:`ValueError` if there are more than
*max_num_fields* fields read.
@@ -31,7 +45,7 @@ https://src.fedoraproject.org/rpms/pytho
Use the :func:`urllib.urlencode` function to convert such dictionaries into
query strings.
-@@ -186,6 +195,9 @@ The :mod:`urlparse` module defines the f
+@@ -186,6 +198,9 @@ The :mod:`urlparse` module defines the f
read. If set, then throws a :exc:`ValueError` if there are more than
*max_num_fields* fields read.
@@ -41,7 +55,7 @@ https://src.fedoraproject.org/rpms/pytho
Use the :func:`urllib.urlencode` function to convert such lists of pairs into
query strings.
-@@ -195,6 +207,7 @@ The :mod:`urlparse` module defines the f
+@@ -195,6 +210,7 @@ The :mod:`urlparse` module defines the f
.. versionchanged:: 2.7.16
Added *max_num_fields* parameter.
@@ -49,3 +63,22 @@ https://src.fedoraproject.org/rpms/pytho
.. function:: urlunparse(parts)
Construct a URL from a tuple as returned by ``urlparse()``. The *parts* argument
+@@ -308,6 +324,10 @@ The :mod:`urlparse` module defines the f
+
+ .. seealso::
+
++ `WHATWG`_ - URL Living standard
++ Working Group for the URL Standard that defines URLs, domains, IP addresses, the
++ application/x-www-form-urlencoded format, and their API.
++
+ :rfc:`3986` - Uniform Resource Identifiers
+ This is the current standard (STD66). Any changes to urlparse module
+ should conform to this. Certain deviations could be observed, which are
+@@ -332,6 +352,7 @@ The :mod:`urlparse` module defines the f
+ :rfc:`1738` - Uniform Resource Locators (URL)
+ This specifies the formal syntax and semantics of absolute URLs.
+
++.. _WHATWG: https://url.spec.whatwg.org/
+
+ .. _urlparse-result-object:
+
Index: pkgsrc/lang/python27/patches/patch-Lib_test_test__urlparse.py
diff -u pkgsrc/lang/python27/patches/patch-Lib_test_test__urlparse.py:1.1 pkgsrc/lang/python27/patches/patch-Lib_test_test__urlparse.py:1.2
--- pkgsrc/lang/python27/patches/patch-Lib_test_test__urlparse.py:1.1 Sun Oct 10 03:00:59 2021
+++ pkgsrc/lang/python27/patches/patch-Lib_test_test__urlparse.py Fri Feb 25 22:41:32 2022
@@ -1,9 +1,13 @@
-$NetBSD: patch-Lib_test_test__urlparse.py,v 1.1 2021/10/10 03:00:59 gutteridge Exp $
+$NetBSD: patch-Lib_test_test__urlparse.py,v 1.2 2022/02/25 22:41:32 gutteridge Exp $
Fix CVE-2021-23336: Add `separator` argument to parse_qs; warn with default
Via Fedora:
https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336.patch
+Fix CVE-2022-0391: urlparse does not sanitize URLs containing ASCII newline and tabs
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00377-CVE-2022-0391.patch
+
--- Lib/test/test_urlparse.py.orig 2020-04-19 21:13:39.000000000 +0000
+++ Lib/test/test_urlparse.py
@@ -3,6 +3,12 @@ import sys
@@ -130,7 +134,63 @@ https://src.fedoraproject.org/rpms/pytho
def test_roundtrips(self):
testcases = [
('file:///tmp/junk.txt',
-@@ -626,6 +700,132 @@ class UrlParseTestCase(unittest.TestCase
+@@ -544,6 +618,55 @@ class UrlParseTestCase(unittest.TestCase
+ self.assertEqual(p1.path, '863-1234')
+ self.assertEqual(p1.params, 'phone-context=+1-914-555')
+
++ def test_urlsplit_remove_unsafe_bytes(self):
++ # Remove ASCII tabs and newlines from input, for http common case scenario.
++ url = "h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++ p = urlparse.urlsplit(url)
++ self.assertEqual(p.scheme, "http")
++ self.assertEqual(p.netloc, "www.python.org")
++ self.assertEqual(p.path, "/javascript:alert('msg')/")
++ self.assertEqual(p.query, "query=something")
++ self.assertEqual(p.fragment, "fragment")
++ self.assertEqual(p.username, None)
++ self.assertEqual(p.password, None)
++ self.assertEqual(p.hostname, "www.python.org")
++ self.assertEqual(p.port, None)
++ self.assertEqual(p.geturl(), "http://www.python.org/javascript:alert('msg')/?query=something#fragment")
++
++ # Remove ASCII tabs and newlines from input as bytes, for http common case scenario.
++ url = b"h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++ p = urlparse.urlsplit(url)
++ self.assertEqual(p.scheme, b"http")
++ self.assertEqual(p.netloc, b"www.python.org")
++ self.assertEqual(p.path, b"/javascript:alert('msg')/")
++ self.assertEqual(p.query, b"query=something")
++ self.assertEqual(p.fragment, b"fragment")
++ self.assertEqual(p.username, None)
++ self.assertEqual(p.password, None)
++ self.assertEqual(p.hostname, b"www.python.org")
++ self.assertEqual(p.port, None)
++ self.assertEqual(p.geturl(), b"http://www.python.org/javascript:alert('msg')/?query=something#fragment")
++
++ # any scheme
++ url = "x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++ p = urlparse.urlsplit(url)
++ self.assertEqual(p.geturl(), "x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment")
++
++ # Remove ASCII tabs and newlines from input as bytes, any scheme.
++ url = b"x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++ p = urlparse.urlsplit(url)
++ self.assertEqual(p.geturl(), b"x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment")
++
++ # Unsafe bytes is not returned from urlparse cache.
++ # scheme is stored after parsing, sending an scheme with unsafe bytes *will not* return an unsafe scheme
++ url = "https://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++ scheme = "htt\nps"
++ for _ in range(2):
++ p = urlparse.urlsplit(url, scheme=scheme)
++ self.assertEqual(p.scheme, "https")
++ self.assertEqual(p.geturl(), "https://www.python.org/javascript:alert('msg')/?query=something#fragment")
++
++
+
+ def test_attributes_bad_port(self):
+ """Check handling of non-integer ports."""
+@@ -626,6 +749,132 @@ class UrlParseTestCase(unittest.TestCase
self.assertEqual(urlparse.urlparse("http://www.python.org:80"),
('http','www.python.org:80','','','',''))
Index: pkgsrc/lang/python27/patches/patch-Lib_urlparse.py
diff -u pkgsrc/lang/python27/patches/patch-Lib_urlparse.py:1.2 pkgsrc/lang/python27/patches/patch-Lib_urlparse.py:1.3
--- pkgsrc/lang/python27/patches/patch-Lib_urlparse.py:1.2 Wed Oct 27 23:58:55 2021
+++ pkgsrc/lang/python27/patches/patch-Lib_urlparse.py Fri Feb 25 22:41:32 2022
@@ -1,9 +1,13 @@
-$NetBSD: patch-Lib_urlparse.py,v 1.2 2021/10/27 23:58:55 gutteridge Exp $
+$NetBSD: patch-Lib_urlparse.py,v 1.3 2022/02/25 22:41:32 gutteridge Exp $
Fix CVE-2021-23336: Add `separator` argument to parse_qs; warn with default
Via Fedora:
https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336.patch
+Fix CVE-2022-0391: urlparse does not sanitize URLs containing ASCII newline and tabs
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00377-CVE-2022-0391.patch
+
--- Lib/urlparse.py.orig 2020-04-19 21:13:39.000000000 +0000
+++ Lib/urlparse.py
@@ -29,6 +29,7 @@ test_urlparse.py provides a good indicat
@@ -14,7 +18,37 @@ https://src.fedoraproject.org/rpms/pytho
__all__ = ["urlparse", "urlunparse", "urljoin", "urldefrag",
"urlsplit", "urlunsplit", "parse_qs", "parse_qsl"]
-@@ -382,7 +383,8 @@ def unquote(s):
+@@ -62,6 +63,9 @@ scheme_chars = ('abcdefghijklmnopqrstuvw
+ '0123456789'
+ '+-.')
+
++# Unsafe bytes to be removed per WHATWG spec
++_UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r', '\n']
++
+ MAX_CACHE_SIZE = 20
+ _parse_cache = {}
+
+@@ -184,12 +188,19 @@ def _checknetloc(netloc):
+ "under NFKC normalization"
+ % netloc)
+
++def _remove_unsafe_bytes_from_url(url):
++ for b in _UNSAFE_URL_BYTES_TO_REMOVE:
++ url = url.replace(b, "")
++ return url
++
+ def urlsplit(url, scheme='', allow_fragments=True):
+ """Parse a URL into 5 components:
+ <scheme>://<netloc>/<path>?<query>#<fragment>
+ Return a 5-tuple: (scheme, netloc, path, query, fragment).
+ Note that we don't break the components up in smaller bits
+ (e.g. netloc is a single string) and we don't expand % escapes."""
++ url = _remove_unsafe_bytes_from_url(url)
++ scheme = _remove_unsafe_bytes_from_url(scheme)
+ allow_fragments = bool(allow_fragments)
+ key = url, scheme, allow_fragments, type(url), type(scheme)
+ cached = _parse_cache.get(key, None)
+@@ -382,7 +393,8 @@ def unquote(s):
append(item)
return ''.join(res)
@@ -24,7 +58,7 @@ https://src.fedoraproject.org/rpms/pytho
"""Parse a query given as a string argument.
Arguments:
-@@ -405,14 +407,23 @@ def parse_qs(qs, keep_blank_values=0, st
+@@ -405,14 +417,23 @@ def parse_qs(qs, keep_blank_values=0, st
"""
dict = {}
for name, value in parse_qsl(qs, keep_blank_values, strict_parsing,
@@ -50,7 +84,7 @@ https://src.fedoraproject.org/rpms/pytho
"""Parse a query given as a string argument.
Arguments:
-@@ -434,15 +445,72 @@ def parse_qsl(qs, keep_blank_values=0, s
+@@ -434,15 +455,72 @@ def parse_qsl(qs, keep_blank_values=0, s
Returns a list, as G-d intended.
"""
Added files:
Index: pkgsrc/lang/python27/patches/patch-Lib_ftplib.py
diff -u /dev/null pkgsrc/lang/python27/patches/patch-Lib_ftplib.py:1.1
--- /dev/null Fri Feb 25 22:41:32 2022
+++ pkgsrc/lang/python27/patches/patch-Lib_ftplib.py Fri Feb 25 22:41:32 2022
@@ -0,0 +1,32 @@
+$NetBSD: patch-Lib_ftplib.py,v 1.1 2022/02/25 22:41:32 gutteridge Exp $
+
+Fix CVE-2021-4189: ftplib should not use the host from the PASV response
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00372-CVE-2021-4189.patch
+
+--- Lib/ftplib.py.orig 2020-04-19 21:13:39.000000000 +0000
++++ Lib/ftplib.py
+@@ -108,6 +108,8 @@ class FTP:
+ file = None
+ welcome = None
+ passiveserver = 1
++ # Disables security if set to True. https://bugs.python.org/issue43285
++ trust_server_pasv_ipv4_address = False
+
+ # Initialization method (called by class instantiation).
+ # Initialize host to localhost, port to standard ftp port
+@@ -310,8 +312,13 @@ class FTP:
+ return sock
+
+ def makepasv(self):
++ """Internal: Does the PASV or EPSV handshake -> (address, port)"""
+ if self.af == socket.AF_INET:
+- host, port = parse227(self.sendcmd('PASV'))
++ untrusted_host, port = parse227(self.sendcmd('PASV'))
++ if self.trust_server_pasv_ipv4_address:
++ host = untrusted_host
++ else:
++ host = self.sock.getpeername()[0]
+ else:
+ host, port = parse229(self.sendcmd('EPSV'), self.sock.getpeername())
+ return host, port
Index: pkgsrc/lang/python27/patches/patch-Lib_test_test__ftplib.py
diff -u /dev/null pkgsrc/lang/python27/patches/patch-Lib_test_test__ftplib.py:1.1
--- /dev/null Fri Feb 25 22:41:32 2022
+++ pkgsrc/lang/python27/patches/patch-Lib_test_test__ftplib.py Fri Feb 25 22:41:32 2022
@@ -0,0 +1,56 @@
+$NetBSD: patch-Lib_test_test__ftplib.py,v 1.1 2022/02/25 22:41:32 gutteridge Exp $
+
+Fix CVE-2021-4189: ftplib should not use the host from the PASV response
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00372-CVE-2021-4189.patch
+
+--- Lib/test/test_ftplib.py.orig 2020-04-19 21:13:39.000000000 +0000
++++ Lib/test/test_ftplib.py
+@@ -67,6 +67,10 @@ class DummyFTPHandler(asynchat.async_cha
+ self.rest = None
+ self.next_retr_data = RETR_DATA
+ self.push('220 welcome')
++ # We use this as the string IPv4 address to direct the client
++ # to in response to a PASV command. To test security behavior.
++ # https://bugs.python.org/issue43285/.
++ self.fake_pasv_server_ip = '252.253.254.255'
+
+ def collect_incoming_data(self, data):
+ self.in_buffer.append(data)
+@@ -109,7 +113,8 @@ class DummyFTPHandler(asynchat.async_cha
+ sock.bind((self.socket.getsockname()[0], 0))
+ sock.listen(5)
+ sock.settimeout(10)
+- ip, port = sock.getsockname()[:2]
++ port = sock.getsockname()[1]
++ ip = self.fake_pasv_server_ip
+ ip = ip.replace('.', ',')
+ p1, p2 = divmod(port, 256)
+ self.push('227 entering passive mode (%s,%d,%d)' %(ip, p1, p2))
+@@ -577,6 +582,26 @@ class TestFTPClass(TestCase):
+ # IPv4 is in use, just make sure send_epsv has not been used
+ self.assertEqual(self.server.handler_instance.last_received_cmd, 'pasv')
+
++ def test_makepasv_issue43285_security_disabled(self):
++ """Test the opt-in to the old vulnerable behavior."""
++ self.client.trust_server_pasv_ipv4_address = True
++ bad_host, port = self.client.makepasv()
++ self.assertEqual(
++ bad_host, self.server.handler_instance.fake_pasv_server_ip)
++ # Opening and closing a connection keeps the dummy server happy
++ # instead of timing out on accept.
++ socket.create_connection((self.client.sock.getpeername()[0], port),
++ timeout=TIMEOUT).close()
++
++ def test_makepasv_issue43285_security_enabled_default(self):
++ self.assertFalse(self.client.trust_server_pasv_ipv4_address)
++ trusted_host, port = self.client.makepasv()
++ self.assertNotEqual(
++ trusted_host, self.server.handler_instance.fake_pasv_server_ip)
++ # Opening and closing a connection keeps the dummy server happy
++ # instead of timing out on accept.
++ socket.create_connection((trusted_host, port), timeout=TIMEOUT).close()
++
+ def test_line_too_long(self):
+ self.assertRaises(ftplib.Error, self.client.sendcmd,
+ 'x' * self.client.maxline * 2)
Home |
Main Index |
Thread Index |
Old Index