Hello, this rr is only for zeus branch. Thank you so much. -----Original Message----- From: akuster808 <akuster...@gmail.com> Sent: Friday, March 13, 2020 11:36 PM To: Bai, Haiqing <haiqing....@windriver.com>; openembedded-devel@lists.openembedded.org Subject: Re: [oe] [meta-python][zeus][PATCH] python-urllib3/python3-urllib3: fix CVE-2020-7212
On 3/13/20 3:19 AM, Haiqing Bai wrote: > Optimize _encode_invalid_chars for a denial of service (CPU > consumption) is this fix in master? > > Signed-off-by: Haiqing Bai <haiqing....@windriver.com> > --- > .../python/python-urllib3/CVE-2020-7212.patch | 54 > ++++++++++++++++++++++ > .../python/python-urllib3_1.25.6.bb | 2 + > .../python/python3-urllib3/CVE-2020-7212.patch | 54 > ++++++++++++++++++++++ > .../python/python3-urllib3_1.25.6.bb | 2 + > 4 files changed, 112 insertions(+) > create mode 100644 > meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.patch > create mode 100644 > meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patc > h > > diff --git > a/meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.pat > ch > b/meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.pat > ch > new file mode 100644 > index 0000000..a2bb0fb > --- /dev/null > +++ b/meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212 > +++ .patch > @@ -0,0 +1,54 @@ > +From aff951b7a41eb5b958b32c49eaa00da02adc9c2d Mon Sep 17 00:00:00 > +2001 > +From: Quentin Pradet <quentin.pra...@gmail.com> > +Date: Tue, 21 Jan 2020 22:32:56 +0400 > +Subject: [PATCH] Optimize _encode_invalid_chars (#1787) > + > +Co-authored-by: Seth Michael Larson <sethmichaellar...@gmail.com> > + > +Upstream-Status: Backport > +[from git://github.com/urllib3/urllib3.git commit:a2697e7c6b] > +Signed-off-by: Haiqing Bai <haiqing....@windriver.com> > +--- > + src/urllib3/util/url.py | 15 ++++++--------- > + 1 file changed, 6 insertions(+), 9 deletions(-) > + > +diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py index > +9675f74..e353937 100644 > +--- a/src/urllib3/util/url.py > ++++ b/src/urllib3/util/url.py > +@@ -216,18 +216,15 @@ def _encode_invalid_chars(component, allowed_chars, > encoding="utf-8"): > + > + component = six.ensure_text(component) > + > ++ # Normalize existing percent-encoded bytes. > + # Try to see if the component we're encoding is already percent-encoded > + # so we can skip all '%' characters but still encode all others. > +- percent_encodings = PERCENT_RE.findall(component) > +- > +- # Normalize existing percent-encoded bytes. > +- for enc in percent_encodings: > +- if not enc.isupper(): > +- component = component.replace(enc, enc.upper()) > ++ component, percent_encodings = PERCENT_RE.subn( > ++ lambda match: match.group(0).upper(), component > ++ ) > + > + uri_bytes = component.encode("utf-8", "surrogatepass") > +- is_percent_encoded = len(percent_encodings) == uri_bytes.count(b"%") > +- > ++ is_percent_encoded = percent_encodings == uri_bytes.count(b"%") > + encoded_component = bytearray() > + > + for i in range(0, len(uri_bytes)): > +@@ -237,7 +234,7 @@ def _encode_invalid_chars(component, allowed_chars, > encoding="utf-8"): > + if (is_percent_encoded and byte == b"%") or ( > + byte_ord < 128 and byte.decode() in allowed_chars > + ): > +- encoded_component.extend(byte) > ++ encoded_component += byte > + continue > + encoded_component.extend(b"%" + > + (hex(byte_ord)[2:].encode().zfill(2).upper())) > + > +-- > +2.23.0 > + > diff --git > a/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb > b/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb > index 6c81f1d..9f2d2c8 100644 > --- a/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb > +++ b/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb > @@ -1,2 +1,4 @@ > inherit pypi setuptools > require python-urllib3.inc > + > +SRC_URI += "file://CVE-2020-7212.patch" > diff --git > a/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.pa > tch > b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.pa > tch > new file mode 100644 > index 0000000..a2bb0fb > --- /dev/null > +++ b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-721 > +++ 2.patch > @@ -0,0 +1,54 @@ > +From aff951b7a41eb5b958b32c49eaa00da02adc9c2d Mon Sep 17 00:00:00 > +2001 > +From: Quentin Pradet <quentin.pra...@gmail.com> > +Date: Tue, 21 Jan 2020 22:32:56 +0400 > +Subject: [PATCH] Optimize _encode_invalid_chars (#1787) > + > +Co-authored-by: Seth Michael Larson <sethmichaellar...@gmail.com> > + > +Upstream-Status: Backport > +[from git://github.com/urllib3/urllib3.git commit:a2697e7c6b] > +Signed-off-by: Haiqing Bai <haiqing....@windriver.com> > +--- > + src/urllib3/util/url.py | 15 ++++++--------- > + 1 file changed, 6 insertions(+), 9 deletions(-) > + > +diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py index > +9675f74..e353937 100644 > +--- a/src/urllib3/util/url.py > ++++ b/src/urllib3/util/url.py > +@@ -216,18 +216,15 @@ def _encode_invalid_chars(component, allowed_chars, > encoding="utf-8"): > + > + component = six.ensure_text(component) > + > ++ # Normalize existing percent-encoded bytes. > + # Try to see if the component we're encoding is already percent-encoded > + # so we can skip all '%' characters but still encode all others. > +- percent_encodings = PERCENT_RE.findall(component) > +- > +- # Normalize existing percent-encoded bytes. > +- for enc in percent_encodings: > +- if not enc.isupper(): > +- component = component.replace(enc, enc.upper()) > ++ component, percent_encodings = PERCENT_RE.subn( > ++ lambda match: match.group(0).upper(), component > ++ ) > + > + uri_bytes = component.encode("utf-8", "surrogatepass") > +- is_percent_encoded = len(percent_encodings) == uri_bytes.count(b"%") > +- > ++ is_percent_encoded = percent_encodings == uri_bytes.count(b"%") > + encoded_component = bytearray() > + > + for i in range(0, len(uri_bytes)): > +@@ -237,7 +234,7 @@ def _encode_invalid_chars(component, allowed_chars, > encoding="utf-8"): > + if (is_percent_encoded and byte == b"%") or ( > + byte_ord < 128 and byte.decode() in allowed_chars > + ): > +- encoded_component.extend(byte) > ++ encoded_component += byte > + continue > + encoded_component.extend(b"%" + > + (hex(byte_ord)[2:].encode().zfill(2).upper())) > + > +-- > +2.23.0 > + > diff --git > a/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb > b/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb > index 19eb702..e3583a0 100644 > --- a/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb > +++ b/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb > @@ -1,2 +1,4 @@ > inherit pypi setuptools3 > require python-urllib3.inc > + > +SRC_URI += "file://CVE-2020-7212.patch" -- _______________________________________________ Openembedded-devel mailing list Openembedded-devel@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-devel