
Python 3.3 fix for CVE-2016-5699 backported from 3.4
Closed, Public

Authored by vlad-fbsd_acheronmedia.com on Jul 5 2016, 12:29 PM.

Details

Summary

This is a backport of the fix for CVE-2016-5699 from Python 3.4 to 3.3, from upstream. The issue is explained in this PR: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210539

Upstream patch for 3.4 is here: https://hg.python.org/cpython/rev/bf3e1c9b80e9

Modifications that were required to have it run on 3.3 were minimal:

  • lang/python33/files/patch-Lib_http_client.py: re.fullmatch() does not exist, so re.match is used with anchors
  • lang/python33/files/patch-Lib_test_test__httplib.py: in test_invalid_headers(), TestCase.subTest() was thrown out in favor of simple asserts (if one fails, whole test fails)
  • NEWS item was not backported
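An added example, not code from this revision or from upstream: replacing re.fullmatch() with re.match() plus anchors is only equivalent when the end anchor is \Z, because $ also matches just before a trailing newline. The header-name rule, helper names and sample inputs below are assumptions constructed for illustration; which end anchor the backported patch uses is not shown on this page.

```python
import re

# Assumed header-name rule (constructed for this example): the first byte is
# not ':' or whitespace, the remaining bytes are not ':', CR or LF.
NAME_RULE = rb'[^:\s][^:\r\n]*'


def fullmatch_compat(pattern, data):
    """Emulate re.fullmatch() where it is unavailable (Python < 3.4).

    The pattern is wrapped in a non-capturing group so alternations stay
    intact, and \\Z anchors at the true end of the input.
    """
    return re.match(b'(?:' + pattern + rb')\Z', data)


def dollar_match(pattern, data):
    """Anchor with ^...$ instead; '$' also matches before a final newline."""
    return re.match(b'^(?:' + pattern + b')$', data)


def is_legal_header_name(name):
    """Hypothetical validator built on the \\Z-anchored emulation."""
    return fullmatch_compat(NAME_RULE, name) is not None


# Constructed sample header names, not taken from the patch's test suite.
SAMPLES = [b'X-Custom', b'X-Custom\n', b'X-Custom\r\nOther', b' lead', b'a:b', b'']


def compare(samples=SAMPLES):
    """Return (sample, dollar_ok, strict_ok) for every sample."""
    return [(s, dollar_match(NAME_RULE, s) is not None, is_legal_header_name(s))
            for s in samples]


if __name__ == '__main__':
    for sample, dollar_ok, strict_ok in compare():
        flag = '  <-- anchors disagree' if dollar_ok != strict_ok else ''
        print('%-22r $: %-5s \\Z: %-5s%s' % (sample, dollar_ok, strict_ok, flag))
```

A regression test for a backport like this one should include a name that ends in a bare newline, since that is the only sample above on which the two anchoring styles disagree.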

Diff Detail

Repository
rP FreeBSD ports repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

vlad-fbsd_acheronmedia.com retitled this revision from to Python 3.3 fix for CVE-2016-5699 backported from 3.4.
vlad-fbsd_acheronmedia.com updated this object.
vlad-fbsd_acheronmedia.com edited the test plan for this revision.
vlad-fbsd_acheronmedia.com set the repository for this revision to rP FreeBSD ports repository.

@vlad-fbsd_acheronmedia.com can you please add upstream links/references as comments to the headers of these patches please (include issue and commit links if both exist)

@brnrd Can you take care of this if it hasn't been already?

Add patch comment/header from upstream.