diff options
| author | Leo Famulari <leo@famulari.name> | 2022-02-06 23:18:52 -0500 |
|---|---|---|
| committer | Leo Famulari <leo@famulari.name> | 2022-02-16 11:57:14 -0500 |
| commit | d2bb4847b96e51b71126778bb16daa7674a6690c (patch) | |
| tree | 30b42d5f903857a55e30fb1756a52c0f475ebc60 /gnu/packages/patches/python-CVE-2020-26116.patch | |
| parent | 5fffd8352b97295303c4782a5835566338119382 (diff) | |
| download | guix-d2bb4847b96e51b71126778bb16daa7674a6690c.tar.gz | |
gnu: Remove leftover patch files.
These patches aren't used anywhere in Guix and we forgot to remove them. * gnu/packages/patches/bash-reproducible-linux-pgrp-pipe.patch, gnu/packages/patches/ghc-monad-par-fix-tests.patch, gnu/packages/patches/glibc-CVE-2018-11236.patch, gnu/packages/patches/glibc-CVE-2018-11237.patch, gnu/packages/patches/glibc-hurd-magic-pid.patch, gnu/packages/patches/grocsvs-dont-use-admiral.patch, gnu/packages/patches/hydra-disable-darcs-test.patch, gnu/packages/patches/inkscape-poppler-0.76.patch, gnu/packages/patches/libvirt-create-machine-cgroup.patch, gnu/packages/patches/linux-libre-arm64-generic-pinebook-lcd.patch, gnu/packages/patches/marble-qt-add-qt-headers.patch, gnu/packages/patches/maven-enforcer-api-fix-old-dependencies.patch, gnu/packages/patches/mescc-tools-boot.patch, gnu/packages/patches/nettle-3.5-CVE-2021-3580-pt1.patch, gnu/packages/patches/nettle-3.5-CVE-2021-3580-pt2.patch, gnu/packages/patches/nettle-3.5-check-_pkcs1_sec_decrypt-msg-len.patch, gnu/packages/patches/ocaml-Add-a-.file-directive.patch, gnu/packages/patches/ocaml-CVE-2015-8869.patch, gnu/packages/patches/ocaml-bitstring-fix-configure.patch, gnu/packages/patches/ocaml-enable-ocamldoc-reproducibility.patch, gnu/packages/patches/openbabel-fix-crash-on-nwchem-output.patch, gnu/packages/patches/openjdk-14-builtins.patch, gnu/packages/patches/openssl-c-rehash-in.patch, gnu/packages/patches/openssl-runpath.patch, gnu/packages/patches/passwordsafe-meson-remove-extra-argument.patch, gnu/packages/patches/patchutils-test-perms.patch, gnu/packages/patches/python-CVE-2018-14647.patch, gnu/packages/patches/python-CVE-2020-26116.patch, gnu/packages/patches/python-axolotl-AES-fix.patch, gnu/packages/patches/python-babel-fix-parse-future-test.patch, gnu/packages/patches/python-matplotlib-run-under-wayland-gtk3.patch, gnu/packages/patches/python-pytest-asyncio-python-3.8.patch, gnu/packages/patches/python2-larch-coverage-4.0a6-compatibility.patch, gnu/packages/patches/qt4-ldflags.patch, gnu/packages/patches/rust-coresimd-doctest.patch, gnu/packages/patches/streamlink-update-test.patch, gnu/packages/patches/tcc-boot-0.9.27.patch, gnu/packages/patches/vtk-8-fix-freetypetools-build-failure.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them.
Diffstat (limited to 'gnu/packages/patches/python-CVE-2020-26116.patch')
| -rw-r--r-- | gnu/packages/patches/python-CVE-2020-26116.patch | 47 |
1 files changed, 0 insertions, 47 deletions
diff --git a/gnu/packages/patches/python-CVE-2020-26116.patch b/gnu/packages/patches/python-CVE-2020-26116.patch deleted file mode 100644 index dc0571e964..0000000000 --- a/gnu/packages/patches/python-CVE-2020-26116.patch +++ /dev/null @@ -1,47 +0,0 @@ -Fix CVE-2020-26116: - -https://cve.circl.lu/cve/CVE-2020-26116 -https://bugs.python.org/issue39603 - -Taken from upstream (sans test and NEWS update): -https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf - -diff --git a/Lib/http/client.py b/Lib/http/client.py ---- a/Lib/http/client.py -+++ b/Lib/http/client.py -@@ -147,6 +147,10 @@ - # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$") - # We are more lenient for assumed real world compatibility purposes. - -+# These characters are not allowed within HTTP method names -+# to prevent http header injection. -+_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]') -+ - # We always set the Content-Length header for these methods because some - # servers will otherwise respond with a 411 - _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'} -@@ -1087,6 +1091,8 @@ def putrequest(self, method, url, skip_host=False, - else: - raise CannotSendRequest(self.__state) - -+ self._validate_method(method) -+ - # Save the method for use later in the response phase - self._method = method - -@@ -1177,6 +1183,15 @@ def _encode_request(self, request): - # ASCII also helps prevent CVE-2019-9740. - return request.encode('ascii') - -+ def _validate_method(self, method): -+ """Validate a method name for putrequest.""" -+ # prevent http header injection -+ match = _contains_disallowed_method_pchar_re.search(method) -+ if match: -+ raise ValueError( -+ f"method can't contain control characters. {method!r} " -+ f"(found at least {match.group()!r})") -+ - def _validate_path(self, url): - """Validate a url for putrequest.""" - # Prevent CVE-2019-9740. |