Fix IPv6 parsing

Resolves: rhbz#2133805 - fix for CVE-2022-36087
2022-10-24 14:04:51 +02:00 · 2022-10-24 14:04:51 +02:00 · 7253680681
commit 7253680681
parent 66e06ec893
2 changed files with 101 additions and 4 deletions
--- a/0003-IPV6-regex-redirect_uri.patch
+++ b/0003-IPV6-regex-redirect_uri.patch
@ -0,0 +1,95 @@
+diff -up oauthlib-3.1.1/oauthlib/uri_validate.py.orig oauthlib-3.1.1/oauthlib/uri_validate.py
+--- oauthlib-3.1.1/oauthlib/uri_validate.py.orig	2021-06-01 21:11:24.000000000 +0200
+++ oauthlib-3.1.1/oauthlib/uri_validate.py	2022-10-24 14:42:42.147180444 +0200
+@@ -66,7 +66,7 @@ IPv4address = r"%(dec_octet)s \. %(dec_o
+ )
+ 
+ #   IPv6address
+-IPv6address = r"([A-Fa-f0-9:]+:+)+[A-Fa-f0-9]+"
+IPv6address = r"([A-Fa-f0-9:]+[:$])[A-Fa-f0-9]{1,4}"
+ 
+ #   IPvFuture     = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
+ IPvFuture = r"v %(HEXDIG)s+ \. (?: %(unreserved)s | %(sub_delims)s | : )+" % locals()
+diff -up oauthlib-3.1.1/tests/test_uri_validate.py.orig oauthlib-3.1.1/tests/test_uri_validate.py
+--- oauthlib-3.1.1/tests/test_uri_validate.py.orig	2021-06-01 21:11:24.000000000 +0200
+++ oauthlib-3.1.1/tests/test_uri_validate.py	2022-10-24 14:44:26.180296911 +0200
+@@ -1,4 +1,4 @@
+-import oauthlib
+import unittest
+ from oauthlib.uri_validate import is_absolute_uri
+ 
+ from tests.unittest import TestCase
+@@ -7,7 +7,6 @@ from tests.unittest import TestCase
+ class UriValidateTest(TestCase):
+ 
+     def test_is_absolute_uri(self):
+-
+         self.assertIsNotNone(is_absolute_uri('schema://example.com/path'))
+         self.assertIsNotNone(is_absolute_uri('https://example.com/path'))
+         self.assertIsNotNone(is_absolute_uri('https://example.com'))
+@@ -17,17 +16,64 @@ class UriValidateTest(TestCase):
+         self.assertIsNotNone(is_absolute_uri('http://example.com'))
+         self.assertIsNotNone(is_absolute_uri('http://example.com/path'))
+         self.assertIsNotNone(is_absolute_uri('http://example.com:80/path'))
+-        self.assertIsNotNone(is_absolute_uri('com.example.bundle.id:/'))
+
+    def test_query(self):
+        self.assertIsNotNone(is_absolute_uri('http://example.com:80/path?foo'))
+        self.assertIsNotNone(is_absolute_uri('http://example.com:80/path?foo=bar'))
+        self.assertIsNotNone(is_absolute_uri('http://example.com:80/path?foo=bar&fruit=banana'))
+
+    def test_fragment_forbidden(self):
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path#foo'))
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path#foo=bar'))
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path#foo=bar&fruit=banana'))
+
+    def test_combined_forbidden(self):
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo#bar'))
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo&bar#fruit'))
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo=1&bar#fruit=banana'))
+        self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo=1&bar=2#fruit=banana&bar=foo'))
+
+    def test_custom_scheme(self):
+        self.assertIsNotNone(is_absolute_uri('com.example.bundle.id://'))
+
+    def test_ipv6_bracket(self):
+         self.assertIsNotNone(is_absolute_uri('http://[::1]:38432/path'))
+         self.assertIsNotNone(is_absolute_uri('http://[::1]/path'))
+         self.assertIsNotNone(is_absolute_uri('http://[fd01:0001::1]/path'))
+         self.assertIsNotNone(is_absolute_uri('http://[fd01:1::1]/path'))
+         self.assertIsNotNone(is_absolute_uri('http://[0123:4567:89ab:cdef:0123:4567:89ab:cdef]/path'))
+        self.assertIsNotNone(is_absolute_uri('http://[0123:4567:89ab:cdef:0123:4567:89ab:cdef]:8080/path'))
+
+    @unittest.skip("ipv6 edge-cases not supported")
+    def test_ipv6_edge_cases(self):
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8::'))
+        self.assertIsNotNone(is_absolute_uri('http://::1234:5678'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8::1234:5678'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8:3333:4444:5555:6666:7777:8888'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF'))
+        self.assertIsNotNone(is_absolute_uri('http://0123:4567:89ab:cdef:0123:4567:89ab:cdef/path'))
+        self.assertIsNotNone(is_absolute_uri('http://::'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:0db8:0001:0000:0000:0ab9:C0A8:0102'))
+
+    @unittest.skip("ipv6 dual ipv4 not supported")
+    def test_ipv6_dual(self):
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8:3333:4444:5555:6666:1.2.3.4'))
+        self.assertIsNotNone(is_absolute_uri('http://::11.22.33.44'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8::123.123.123.123'))
+        self.assertIsNotNone(is_absolute_uri('http://::1234:5678:91.123.4.56'))
+        self.assertIsNotNone(is_absolute_uri('http://::1234:5678:1.2.3.4'))
+        self.assertIsNotNone(is_absolute_uri('http://2001:db8::1234:5678:5.6.7.8'))
+
+    def test_ipv4(self):
+         self.assertIsNotNone(is_absolute_uri('http://127.0.0.1:38432/'))
+         self.assertIsNotNone(is_absolute_uri('http://127.0.0.1:38432/'))
+         self.assertIsNotNone(is_absolute_uri('http://127.1:38432/'))
+ 
+    def test_failures(self):
+         self.assertIsNone(is_absolute_uri('http://example.com:notaport/path'))
+         self.assertIsNone(is_absolute_uri('wrong'))
+         self.assertIsNone(is_absolute_uri('http://[:1]:38432/path'))
+         self.assertIsNone(is_absolute_uri('http://[abcd:efgh::1]/'))
+
+    def test_malitious_semicolon(self):
+        self.assertIsNone(is_absolute_uri('http://[::::::::::::::::::::::::::]/path'))
--- a/python-oauthlib.spec
+++ b/python-oauthlib.spec
@ -2,7 +2,7 @@

 Name:               python-oauthlib
 Version:            3.1.1
-Release:            3%{?dist}
+Release:            4%{?dist}
 Summary:            An implementation of the OAuth request-signing logic

 License:            BSD
@ -11,6 +11,7 @@ URL:                https://github.com/oauthlib/oauthlib
 Source0:            https://github.com/oauthlib/oauthlib/archive/v%{version}/%{modname}-%{version}.tar.gz
 Patch0001:          0001-Rip-out-RSA-SHA1.patch
 Patch0002:          0002-Rip-out-the-rest-of-RSA.patch
+Patch0003:          0003-IPV6-regex-redirect_uri.patch

 BuildArch:          noarch

@ -43,9 +44,7 @@ library, write a thin veneer on top of OAuthLib and get OAuth support for
 very little effort.

 %prep
-%setup -q -n %{modname}-%{version}
-%patch0001 -p1
-%patch0002 -p1
+%autosetup -n %{modname}-%{version} -p1

 # python-unittest2 is now provided by "python" package and python-unittest is retired
 #  adapt setup.py to reflect this fact downstream
@ -77,6 +76,9 @@ rm jwt.py
 %{python3_sitelib}/%{modname}-%{version}-*

 %changelog
+* Mon Oct 24 2022 TomasHalman <thalman@redhat.com> - 3.1.1-4
+- Resolves: rhbz#2133805 - fix for CVE-2022-36087
+
 * Tue Aug 9 2022 TomasHalman <thalman@redhat.com> - 3.1.1-3
 - Remove RSA support
 - Remove build dependency on blinker