Differential D7107

Python 3.3 fix for CVE-2016-5699 backported from 3.4
ClosedPublic
Actions

Authored by vlad-fbsd_acheronmedia.com on Jul 5 2016, 12:29 PM.

Details

Reviewers

koobs

Group Reviewers

Python

Commits

rP427246: lang/python33: Fix HTTP Header injection vulnerability

Summary

This is a backport of fix for CVE-2016-5699 from Python 3.4 to 3.3, from upstream. The issue is explained in this PR: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210539

Upstream patch for 3.4 is here: https://hg.python.org/cpython/rev/bf3e1c9b80e9

Modifications that were required to have it run on 3.3 were minimal:

lang/python33/files/patch-Lib_http_client.py: re.fullmatch() does not exist, so re.match is used with anchors
lang/python33/files/patch-Lib_test_test__httplib.py: in test_invalid_headers() , TestCase.subTest() was thrown out in favor of simple asserts (if one fails, whole test fails)
NEWS item was not backported

Diff Detail

Repository

rP FreeBSD ports repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

vlad-fbsd_acheronmedia.com updated this revision to Diff 18142.Jul 5 2016, 12:29 PM

vlad-fbsd_acheronmedia.com retitled this revision from to Python 3.3 fix for CVE-2016-5699 backported from 3.4.

vlad-fbsd_acheronmedia.com updated this object.

vlad-fbsd_acheronmedia.com edited the test plan for this revision. (Show Details)

vlad-fbsd_acheronmedia.com added a reviewer: Python.

vlad-fbsd_acheronmedia.com set the repository for this revision to rP FreeBSD ports repository.

Herald added a subscriber: mat. · View Herald TranscriptJul 5 2016, 12:29 PM

@vlad-fbsd_acheronmedia.com can you please add upstream links/references as comments to the headers of these patches please (include issue and commit links if both exist)