[Git][java-team/jython][master] CVE-2019-16935

Gilles Filippini (@pini) gitlab at salsa.debian.org
Thu Dec 29 11:31:17 GMT 2022



Gilles Filippini pushed to branch master at Debian Java Maintainers / jython


Commits:
eaf508ca by Gilles Filippini at 2022-12-29T12:20:14+01:00
CVE-2019-16935

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/CVE-2019-16935.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,9 @@
+jython (2.7.2+repack1-5) unstable; urgency=medium
+
+  * CVE-2019-16935 (closes: #1027149)
+
+ -- Gilles Filippini <pini at debian.org>  Thu, 29 Dec 2022 12:00:40 +0100
+
 jython (2.7.2+repack1-4) unstable; urgency=medium
 
   * Build-Depends: antlr3 (instead of antlr3.2; Closes: #995188)
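Review bot: the new changelog entry at the top of this hunk gives only the CVE identifier; a reader of the changelog (or of the Debian security tracker) should be able to tell what was fixed without looking the CVE up. Suggest stating the issue and the component, using the patch's own Description, e.g. `* CVE-2019-16935: escape the server title when DocXMLRPCServer renders its HTML documentation page (closes: #1027149)`.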


=====================================
debian/patches/CVE-2019-16935.patch
=====================================
@@ -0,0 +1,75 @@
+Description: fix CVE-2019-16935
+ Escape the server title of DocXMLRPCServer when rendering the
+ document page as HTML.
+ .
+ Patch backported from cython commit 8eb6415
+Origin: https://github.com/python/cpython/commit/8eb64155ff26823542ccf0225b3d57b6ae36ea89
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027149
+Index: jython/lib-python/2.7/DocXMLRPCServer.py
+===================================================================
+--- jython.orig/lib-python/2.7/DocXMLRPCServer.py
++++ jython/lib-python/2.7/DocXMLRPCServer.py
+@@ -20,6 +20,16 @@ from SimpleXMLRPCServer import (SimpleXM
+             CGIXMLRPCRequestHandler,
+             resolve_dotted_attribute)
+ 
++
++def _html_escape_quote(s):
++    s = s.replace("&", "&") # Must be done first!
++    s = s.replace("<", "<")
++    s = s.replace(">", ">")
++    s = s.replace('"', """)
++    s = s.replace('\'', "&#x27;")
++    return s
++
++
+ class ServerHTMLDoc(pydoc.HTMLDoc):
+     """Class used to generate pydoc HTML document for a server"""
+ 
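Review bot: as displayed, every replacement in `_html_escape_quote` maps a character to itself (`s.replace("&", "&")`, `s.replace("<", "<")`, `s.replace(">", ">")`, `s.replace('"', """)`), which would make the helper a no-op for the four characters that matter and leave the title unescaped; only the `'\''` → `&#x27;` line survived intact. This is almost certainly the mailing-list HTML rendering collapsing `&amp;`, `&lt;`, `&gt;` and `&quot;` back into literal characters, but it is worth confirming that the committed `debian/patches/CVE-2019-16935.patch` carries the entity forms from the Origin commit, since the fix is ineffective otherwise. Separately, the Description header says "backported from cython commit 8eb6415" where the Origin URL shows it is a cpython commit.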
+@@ -210,7 +220,8 @@ class XMLRPCDocGenerator:
+                                 methods
+                             )
+ 
+-        return documenter.page(self.server_title, documentation)
++        title = _html_escape_quote(self.server_title)
++        return documenter.page(title, documentation)
+ 
+ class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
+     """XML-RPC and documentation request handler class.
+Index: jython/lib-python/2.7/test/test_docxmlrpc.py
+===================================================================
+--- jython.orig/lib-python/2.7/test/test_docxmlrpc.py
++++ jython/lib-python/2.7/test/test_docxmlrpc.py
+@@ -1,5 +1,6 @@
+ from DocXMLRPCServer import DocXMLRPCServer
+ import httplib
++import re
+ import sys
+ from test import test_support
+ threading = test_support.import_module('threading')
+@@ -194,6 +195,25 @@ class DocXMLRPCHTTPGETServer(unittest.Te
+         self.assertIn("""Try self.<strong>add</strong>, too.""",
+                       response.read())
+ 
++    def test_server_title_escape(self):
++        """Test that the server title and documentation
++        are escaped for HTML.
++        """
++        self.serv.set_server_title('test_title<script>')
++        self.serv.set_server_documentation('test_documentation<script>')
++        self.assertEqual('test_title<script>', self.serv.server_title)
++        self.assertEqual('test_documentation<script>',
++                self.serv.server_documentation)
++
++        generated = self.serv.generate_html_documentation()
++        title = re.search(r'<title>(.+?)</title>', generated).group()
++        documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
++        self.assertEqual('<title>Python: test_title<script></title>',
++                title)
++        self.assertEqual('<p><tt>test_documentation<script></tt></p>',
++                documentation)
++
++
+ def test_main():
+     test_support.run_unittest(DocXMLRPCHTTPGETServer)
+ 
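Review bot: the expected strings in `test_server_title_escape` read `<title>Python: test_title<script></title>` and `<p><tt>test_documentation<script></tt></p>`, i.e. raw `<script>` inside the generated page, which is exactly the output the fix is meant to prevent; as with the helper above, this looks like the notification's HTML rendering turning `&lt;script&gt;` back into `<script>`, so check that the committed test asserts on the entity form. Minor: `re.search(...).group()` raises AttributeError when the pattern does not match, which hides the real failure; an `assertIsNotNone` on the match object before calling `.group()` would give a readable assertion failure instead.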


=====================================
debian/patches/series
=====================================
@@ -5,3 +5,4 @@ javadoc-classpath.patch
 reproducible-builds.patch
 08-java-backward-compatibility.patch
 antlr-getEOFToken.patch
+CVE-2019-16935.patch



View it on GitLab: https://salsa.debian.org/java-team/jython/-/commit/eaf508cac9fc5fcea06316d35932d24ae15ab158


