Commit Graph

81109 Commits

Author SHA1 Message Date
Nedko Arnaudov b60bfde0a6 gitignore generated files 2023-11-14 01:10:30 +02:00
Nedko Arnaudov 9e7621e434 remove generated files 2023-11-13 22:05:26 +02:00
Nedko Arnaudov 9cfb3944b0 Update generated files 2023-11-11 23:35:27 +02:00
Nedko Arnaudov d1c1dcb6d3 Favour prefix over compiler paths 2023-11-11 23:17:34 +02:00
Nedko Arnaudov 00118b35c4 Revert "Make module byte-compilation non-fatal"
This reverts commit ad0d6c1287.
2023-11-11 21:04:18 +02:00
Nedko Arnaudov bda0d6c989 setup.py: Use sys.prefix for inc_dirs and lib_dirs 2023-11-11 20:31:39 +02:00
Nedko Arnaudov a2b193afe8 Revert "Gentoo libdir"
This reverts commit 7002d9fc4a.
2023-11-11 20:27:07 +02:00
Sam James f6e6fcd199 Fix -Wimplicit-int, -Wimplicit-function-declaration
These warnings became fatal by default in Clang 16.

Most of this has since been fixed upstream but
https://github.com/python/cpython/pull/99085 is pending.

Signed-off-by: Sam James <sam@gentoo.org>
2023-11-11 20:24:45 +02:00
Michał Górny 6ef2c3984a ssl: Hard-disable SSLv3 to avoid automagic deps
Bug: https://bugs.gentoo.org/767886
2023-11-11 20:24:20 +02:00
Mike Gilbert a2a5b27f69 test.support.unlink: ignore EACCES
Resolves test errors when running in the Gentoo sandbox environment.

Bug: https://bugs.gentoo.org/679628
2023-11-11 20:24:11 +02:00
Michał Górny 3a9d955554 Force using system libffi 2023-11-11 20:24:07 +02:00
Michał Górny 97411d9f11 Use specific -Werror for cross-compile tests
https://bugs.python.org/issue25397
2023-11-11 20:24:02 +02:00
Michał Górny e5be1e5432 Use ncurses to find pkg-config 2023-11-11 20:23:57 +02:00
Michał Górny ad0d6c1287 Make module byte-compilation non-fatal 2023-11-11 20:23:50 +02:00
Mike Gilbert 390bd0e008 Disable nis 2023-11-11 20:23:43 +02:00
Mike Gilbert 0b595b2b4b use_pyxml 2023-11-11 20:23:36 +02:00
Mike Gilbert 2cc385ad81 ARM OABI
https://bugs.gentoo.org/show_bug.cgi?id=266703
https://bugs.python.org/issue1762561
2023-11-11 20:23:29 +02:00
Mike Gilbert 98c48f7370 Turkish locale 2023-11-11 20:23:23 +02:00
Mike Gilbert e506291776 distutils C++
https://bugs.python.org/issue1222585
2023-11-11 20:23:18 +02:00
Mike Gilbert a7aec85049 Regenerate platform-specific modules
https://bugs.python.org/issue12619
2023-11-11 20:23:12 +02:00
Mike Gilbert 7f2b5d2615 sqlite loadable extensions
https://bugs.gentoo.org/show_bug.cgi?id=335505
https://bugs.python.org/issue10268
2023-11-11 20:23:08 +02:00
Mike Gilbert 1b4b1ec376 Non-zero exit status on failure
https://bugs.gentoo.org/show_bug.cgi?id=281968
https://bugs.python.org/issue6731
2023-11-11 20:23:02 +02:00
Mike Gilbert 7002d9fc4a Gentoo libdir 2023-11-11 20:22:58 +02:00
Mike Gilbert 6ccd53c639 Disable modules and SSL 2023-11-11 20:22:38 +02:00
Mike Gilbert 10879e3900 Install libpythonX.Y.a in /usr/lib instead of /usr/lib/pythonX.Y/config.
https://bugs.gentoo.org/show_bug.cgi?id=252372
https://bugs.python.org/issue6103
2023-11-11 20:22:25 +02:00
Michał Górny 6a01d52879 bpo-46756: Fix authorization check in urllib.request (GH-31353)
Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and
urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which
allowed authorization to be bypassed. For example, access to URI "example.org/foobar"
was allowed if the user was authorized for URI "example.org/foo".

(rebased for 2.7 by Michał Górny)
2023-11-11 20:21:31 +02:00
Sebastian Pipping 2fd8ca4cec bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453)
Curly brackets were never allowed in namespace URIs
according to RFC 3986, and so-called namespace-validating
XML parsers have the right to reject them as invalid URIs.

libexpat >=2.4.5 has become stricter in that regard due to
related security issues; with ET.XML instantiating a
namespace-aware parser under the hood, this test has no
future in CPython.

References:
- https://datatracker.ietf.org/doc/html/rfc3968
- https://www.w3.org/TR/xml-names/

Also, test_minidom.py: Support Expat >=2.4.5

(rebased for 2.7.18 by Michał Górny)
2023-11-11 20:21:22 +02:00
Michał Górny 678068ccdb Fix accidentally leaving one sub-test commented out 2023-11-11 20:21:01 +02:00
Miss Islington (bot) 6b22388edb bpo-42278: Use tempfile.TemporaryDirectory rather than tempfile.mktemp in pydoc (GH-23200) (GH-28026)
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit c9227df5a9)

Co-authored-by: E-Paine <63801254+E-Paine@users.noreply.github.com>

(updated for Python 2.7 by Michał Górny)
2023-11-11 20:20:56 +02:00
Miss Islington (bot) 0781fdfd20 bpo-43124: Fix smtplib multiple CRLF injection (GH-25987) (GH-28038)
Co-authored-by: Miguel Brito <5544985+miguendes@users.noreply.github.com>

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit 0897253f42)

(updated for 2.7 by Michał Górny)
2023-11-11 20:20:49 +02:00
Michał Górny cfb547a330 Backport bpo-44022: Fix http client infinite line reading (DoS) after a HTTP 100 Continue (GH-25916)
Backport the fix from the following commit:

    commit 47895e31b6
    Author: Gen Xu <xgbarry@gmail.com>
    Date:   2021-05-06 00:42:41 +0200

        bpo-44022: Fix http client infinite line reading (DoS) after a HTTP 100 Continue (GH-25916)

        Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.

        Co-authored-by: Gregory P. Smith <greg@krypto.org>

Instead of reusing the header reading code, I have just added explicit
counter to avoid having to refactor the old code.

Plus the improved test from:

    commit e60ab843cb
    Author: Gregory P. Smith <greg@krypto.org>
    Date:   2021-06-03 05:43:38 +0200

        bpo-44022: Improve the regression test. (GH-26503)

        It wasn't actually detecting the regression due to the
        assertion being too lenient.
2023-11-11 20:20:42 +02:00
Miss Islington (bot) 0dde449d23 bpo-43882 - urllib.parse should sanitize urls containing ASCII newline and tabs. (GH-25595) (GH-25725)
* bpo-43882 - urllib.parse should sanitize urls containing ASCII newline and tabs. (GH-25595)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit 76cd81d603)
Co-authored-by: Senthil Kumaran <skumaran@gatech.edu>
(backported to Python 2.7 by Michał Górny)
2023-11-11 20:20:33 +02:00
Miss Islington (bot) 57b966b72a bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391)
Fix Regular Expression Denial of Service (ReDoS) vulnerability in
urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
has quadratic worst-case complexity and it allows causing a denial of
service when identifying crafted invalid RFCs. This ReDoS issue is on
the client side and needs remote attackers to control the HTTP server.
(cherry picked from commit 7215d1ae25)

Co-authored-by: Yeting Li <liyt@ios.ac.cn>
(backported to Python 2.7 by Michał Górny)
2023-11-11 20:20:08 +02:00
Miss Islington (bot) fd5f6ec2d0 bpo-43285 Make ftplib not trust the PASV response. (GH-24838) (GH-24881) (GH-24882)
The IPv4 address value returned from the server in response to the PASV command
should not be trusted.  This prevents a malicious FTP server from using the
response to probe IPv4 address and port combinations on the client network.

Instead of using the returned address, we use the IP address we're
already connected to.  This is the strategy other ftp clients adopted,
and matches the only strategy available for the modern IPv6 EPSV command
where the server response must return a port number and nothing else.

For the rare user who _wants_ this ugly behavior, set a `trust_server_pasv_ipv4_address`
attribute on your `ftplib.FTP` instance to True.
(cherry picked from commit 0ab152c6b5)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit 664d1d1627)

Rebased for Python 2.7 by Michał Górny <mgorny@gentoo.org>
2023-11-11 20:19:51 +02:00
Michał Górny 49954ce987 py2-ize the CJK codec test
Signed-off-by: Michał Górny <mgorny@gentoo.org>
2023-11-11 20:19:38 +02:00
Senthil Kumaran e2205253f7 bpo-42967: only use '&' as a query string separator (GH-24297) (GH-24532)
bpo-42967: [security] Address a web cache-poisoning issue reported in
urllib.parse.parse_qsl().

urllib.parse will only use "&" as query string separator by default
instead of both ";" and "&" as allowed in earlier versions. An optional
argument separator with default value "&" is added to specify the
separator.

Co-authored-by: Éric Araujo <merwok@netwok.org>
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>

Rebased for Python 2.7 by Michał Górny
2023-11-11 20:19:22 +02:00
Benjamin Peterson 2f19d0eb93 closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. (GH-24250)
(cherry picked from commit 916610ef90)

Co-authored-by: Benjamin Peterson <benjamin@python.org>
Rebased for Python 2.7 by Michał Górny <mgorny@gentoo.org>
2023-11-11 20:19:13 +02:00
Miss Islington (bot) 9cafec5341 bpo-40791: Make compare_digest more constant-time. (GH-23438)
The existing volatile `left`/`right` pointers guarantee that the reads will all occur, but does not guarantee that they will be _used_. So a compiler can still short-circuit the loop, saving e.g. the overhead of doing the xors and especially the overhead of the data dependency between `result` and the reads. That would change performance depending on where the first unequal byte occurs. This change removes that optimization.

(This is change GH-1 from https://bugs.python.org/issue40791 .)
(cherry picked from commit 31729366e2)

Co-authored-by: Devin Jeanpierre <jeanpierreda@google.com>

Rebased for Python 2.7 by Michał Górny <mgorny@gentoo.org>
2023-11-11 20:19:03 +02:00
Miss Skeleton (bot) a281fb4145 bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests (GH-22566) (GH-22579)
(cherry picked from commit 2ef5caa58f)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

Rebased for Python 2.7 by Michał Górny <mgorny@gentoo.org>
2023-11-11 20:18:54 +02:00
Miss Skeleton (bot) 03e02db693 bpo-42051: Reject XML entity declarations in plist files (GH-22760) (GH-22801) (GH-22804)
Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
(cherry picked from commit e512bc799e)

Co-authored-by: Ned Deily <nad@python.org>

Rebased for Python 2.7 by Michał Górny <mgorny@gentoo.org>
2023-11-11 20:18:45 +02:00
Michał Górny 1c0098e87c bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21539)
reject control chars in http method in http.client.putrequest to prevent http header injection
(cherry picked from commit 8ca8a2e8fb)

Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>

[rebased for py2.7]
2023-11-11 20:18:39 +02:00
Michał Górny 417ee3ca0d bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19304)
The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben Caller
and Matt Schwager.

AbstractBasicAuthHandler of urllib.request now parses all
WWW-Authenticate HTTP headers and accepts multiple challenges per
header: use the realm of the first Basic challenge.

Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit 0b297d4ff1)

[rebased for py2.7]
2023-11-11 20:18:32 +02:00
Rishi 6934582568 bpo-39017: Avoid infinite loop in the tarfile module (GH-21454)
Avoid infinite loop when reading specially crafted TAR files using the tarfile module
(CVE-2019-20907).

[stripped test to avoid binary patch]
2023-11-11 20:17:51 +02:00
Benjamin Peterson 8d21aa21f2 Add empty 2.7.18 NEWS file. 2020-04-19 16:13:39 -05:00
Benjamin Peterson 8323757381 Bump version to 2.7.18. 2020-04-19 16:12:51 -05:00
Benjamin Peterson f2f950e3d0 Remove incorrect comma. (GH-19604) 2020-04-19 09:08:18 -05:00
Leonard Richardson 0fc82e9587 [2.7] Doc: Add an optional obsolete header. (GH-19229) 2020-04-18 17:55:10 -05:00
Benjamin Peterson 7a41638b5b Bump version to 2.7.18rc1. 2020-04-04 11:54:14 -05:00
Benjamin Peterson c6bfd0443e Make 2.7.18rc1 release notes. 2020-04-04 11:53:42 -05:00
Ned Deily 8a0a50084f Update macOS installer build for 2.7.18 end-of-life. (GH-19352) 2020-04-03 20:34:39 -04:00