PR#17: Fix for CVE-2021-33503 Catastrophic backtracking in URL authority parser - rpms/python-urllib3

rpms / python-urllib3

#17 Fix for CVE-2021-33503 Catastrophic backtracking in URL authority parser

Merged 2 years ago by kevin. Opened 2 years ago by lbalhar.

rpms/ lbalhar/python-urllib3 f33 into f33

Fix for CVE-2021-33503 Catastrophic backtracking in URL authority parser

Lumir Balhar • 2 years ago

804aae4

CVE-2021-33503.patch

file added

+64

		`@@ -0,0 +1,64 @@`
		`+ From d5e3238b87fc557600618f18179e821a4a1c7577 Mon Sep 17 00:00:00 2001`
		`+ From: Lumir Balhar <lbalhar@redhat.com>`
		`+ Date: Tue, 29 Jun 2021 16:03:37 +0200`
		`+ Subject: [PATCH] CVE-2021-33503`
		`+`
		`+ ---`
		`+ src/urllib3/util/url.py \| 8 +++++---`
		`+ test/test_util.py \| 10 ++++++++++`
		`+ 2 files changed, 15 insertions(+), 3 deletions(-)`
		`+`
		`+ diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py`
		`+ index 8ef5a23..7fb2650 100644`
		`+ --- a/src/urllib3/util/url.py`
		`+ +++ b/src/urllib3/util/url.py`
		`+ @@ -63,12 +63,12 @@ IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT + "$")`
		`+ BRACELESS_IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT[2:-2] + "$")`
		`+ ZONE_ID_RE = re.compile("(" + ZONE_ID_PAT + r")\]$")`
		`+`
		`+ -SUBAUTHORITY_PAT = (u"^(?:(.*)@)?(%s\|%s\|%s)(?::([0-9]{0,5}))?$") % (`
		`+ +_HOST_PORT_PAT = ("^(%s\|%s\|%s)(?::([0-9]{0,5}))?$") % (`
		`+ REG_NAME_PAT,`
		`+ IPV4_PAT,`
		`+ IPV6_ADDRZ_PAT,`
		`+ )`
		`+ -SUBAUTHORITY_RE = re.compile(SUBAUTHORITY_PAT, re.UNICODE \| re.DOTALL)`
		`+ +_HOST_PORT_RE = re.compile(_HOST_PORT_PAT, re.UNICODE \| re.DOTALL)`
		`+`
		`+ UNRESERVED_CHARS = set(`
		`+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-~"`
		`+ @@ -365,7 +365,9 @@ def parse_url(url):`
		`+ scheme = scheme.lower()`
		`+`
		`+ if authority:`
		`+ - auth, host, port = SUBAUTHORITY_RE.match(authority).groups()`
		`+ + auth, _, host_port = authority.rpartition("@")`
		`+ + auth = auth or None`
		`+ + host, port = _HOST_PORT_RE.match(host_port).groups()`
		`+ if auth and normalize_uri:`
		`+ auth = _encode_invalid_chars(auth, USERINFO_CHARS)`
		`+ if port == "":`
		`+ diff --git a/test/test_util.py b/test/test_util.py`
		`+ index 42c3882..04c90b0 100644`
		`+ --- a/test/test_util.py`
		`+ +++ b/test/test_util.py`
		`+ @@ -425,6 +425,16 @@ class TestUtil(object):`
		`+ query="%0D%0ASET%20test%20failure12%0D%0A:8080/test/?test=a",`
		`+ ),`
		`+ ),`
		`+ + # Tons of '@' causing backtracking`
		`+ + ("https://" + ("@" * 10000) + "[", False),`
		`+ + (`
		`+ + "https://user:" + ("@" * 10000) + "example.com",`
		`+ + Url(`
		`+ + scheme="https",`
		`+ + auth="user:" + ("%40" * 9999),`
		`+ + host="example.com",`
		`+ + ),`
		`+ + ),`
		`+ ]`
		`+`
		`+ @pytest.mark.parametrize("url, expected_url", url_vulnerabilities)`
		`+ --`
		`+ 2.31.1`
		`+`

python-urllib3.spec

file modified

+28 -1

		`@@ -5,7 +5,7 @@`

		`Name: python-%{srcname}`
		`Version: 1.25.8`
		`- Release: 4%{?dist}`
		`+ Release: 5%{?dist}`
		`Summary: Python HTTP library with thread-safe connection pooling and file post`

		`License: MIT`
		`@@ -13,6 +13,10 @@`
		`Source0: %{url}/archive/%{version}/%{srcname}-%{version}.tar.gz`
		`# Unbundle ssl_match_hostname since we depend on it`
		`Source1: ssl_match_hostname_py3.py`
		`+ # CVE-2021-33503 Catastrophic backtracking in URL authority parser`
		`+ # Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1968074`
		`+ # Upstream fix: https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec`
		`+ Patch0: CVE-2021-33503.patch`
		`BuildArch: noarch`

		`%description`
		`@@ -45,6 +49,24 @@`

		`%prep`
		`%autosetup -p1 -n %{srcname}-%{version}`
		`+ # Make sure that the RECENT_DATE value doesn't get too far behind what the current date is.`
		`+ # RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date`
		`+ # (from test/test_connection.py) would fail. However, it shouldn't be to close to the build time either,`
		`+ # since a user's system time could be set to a little in the past from what build time is (because of timezones,`
		`+ # corner cases, etc). As stated in the comment in src/urllib3/connection.py:`
		`+ # When updating RECENT_DATE, move it to within two years of the current date,`
		`+ # and not less than 6 months ago.`
		`+ # Example: if Today is 2018-01-01, then RECENT_DATE should be any date on or`
		`+ # after 2016-01-01 (today - 2 years) AND before 2017-07-01 (today - 6 months)`
		`+ # There is also a test_ssl_wrong_system_time test (from test/with_dummyserver/test_https.py) that tests if`
		`+ # user's system time isn't set as too far in the past, because it could lead to SSL verification errors.`
		`+ # That is why we need RECENT_DATE to be set at most 2 years ago (or else test_ssl_wrong_system_time would`
		`+ # result in false positive), but before at least 6 month ago (so this test could tolerate user's system time being`
		`+ # set to some time in the past, but not to far away from the present).`
		`+ # Next few lines update RECENT_DATE dynamically.`
		`+ recent_date=$(date --date "7 month ago" +"%Y, %_m, %_d")`
		`+ sed -i "s/^RECENT_DATE = datetime.date(.*)/RECENT_DATE = datetime.date($recent_date)/" src/urllib3/connection.py`
		`+`
		`# Drop the dummyserver tests in koji. They fail there in real builds, but not`
		`# in scratch builds (weird).`
		`rm -rf test/with_dummyserver/`
		`@@ -95,6 +117,11 @@`


		`%changelog`
		`+ * Tue Jun 29 2021 Lumír Balhar <lbalhar@redhat.com> - 1.25.8-5`
		`+ - Fix for CVE-2021-33503 Catastrophic backtracking in URL authority parser`
		`+ Resolves: rhbz#1968076`
		`+ - Update RECENT_DATE dynamically`
		`+`
		`* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.25.8-4`
		`- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild`

lbalhar commented 2 years ago

I had to backport also one commit from rawhide to make tests pass. The patch is rebased. The fix is verified by upstream test from the patch itself and also manually:

Old python3-urllib3-1.25.8-4.fc33.noarch

# time python3 poc.py 
OK

real    0m6.597s
user    0m6.482s
sys 0m0.027s

New python3-urllib3-1.25.8-5.fc33.noarch

# time python3 poc.py 
OK

real    0m0.211s
user    0m0.138s
sys 0m0.037s

kevin commented 2 years ago

Looks great to me! Thanks.

Pull-Request has been merged by kevin

2 years ago

churchyard commented 2 years ago

@kevin I wonder whether you could add @python-sig as a co-maintainer here?

kevin commented 2 years ago

Happy to!

churchyard commented 2 years ago

Thanks!

Metadata

Assignee

None

Tags

No Tags

Changes Summary 2

+64

file added