gnu: http-parser: Update to 2.9.4-1.ec8b5ee [fixes CVE-2020-8287].
Fixes CVE-2020-8287. * gnu/packages/web.scm (http-parser): Update to 2.9.4-1.ec8b5ee. [source]: Add patch to mitigate CVE. * gnu/packages/patches/patches/http-parser-CVE-2020-8287.patch: New file. * gnu/local.mk [dist_patch_DATA]: New patch.master
parent
5701e85107
commit
66fa2d318a
|
@ -1164,6 +1164,7 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/hdf-eos5-remove-gctp.patch \
|
||||
%D%/packages/patches/hdf-eos5-fix-szip.patch \
|
||||
%D%/packages/patches/hdf-eos5-fortrantests.patch \
|
||||
%D%/packages/patches/http-parser-CVE-2020-8287.patch \
|
||||
%D%/packages/patches/http-parser-fix-assertion-on-armhf.patch \
|
||||
%D%/packages/patches/hubbub-sort-entities.patch \
|
||||
%D%/packages/patches/hurd-cross.patch \
|
||||
|
|
|
@ -0,0 +1,75 @@
|
|||
From fc70ce08f5818a286fb5899a1bc3aff5965a745e Mon Sep 17 00:00:00 2001
|
||||
From: Fedor Indutny <fedor@indutny.com>
|
||||
Date: Wed, 18 Nov 2020 20:50:21 -0800
|
||||
Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding`
|
||||
|
||||
Duplicate `Transfer-Encoding` header should be a treated as a single,
|
||||
but with original header values concatenated with a comma separator. In
|
||||
the light of this, even if the past `Transfer-Encoding` ended with
|
||||
`chunked`, we should be not let the `F_CHUNKED` to leak into the next
|
||||
header, because mere presence of another header indicates that `chunked`
|
||||
is not the last transfer-encoding token.
|
||||
|
||||
CVE-ID: CVE-2020-8287
|
||||
PR-URL: https://github.com/nodejs-private/node-private/pull/235
|
||||
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
|
||||
---
|
||||
http_parser.c | 7 +++++++
|
||||
test.c | 26 ++++++++++++++++++++++++++
|
||||
2 files changed, 33 insertions(+)
|
||||
|
||||
diff --git a/http_parser.c b/http_parser.c
|
||||
index 9be003e7322..e9b2b9e83b9 100644
|
||||
--- a/http_parser.c
|
||||
+++ b/http_parser.c
|
||||
@@ -1344,6 +1344,13 @@ size_t http_parser_execute (http_parser *parser,
|
||||
} else if (parser->index == sizeof(TRANSFER_ENCODING)-2) {
|
||||
parser->header_state = h_transfer_encoding;
|
||||
parser->uses_transfer_encoding = 1;
|
||||
+
|
||||
+ /* Multiple `Transfer-Encoding` headers should be treated as
|
||||
+ * one, but with values separate by a comma.
|
||||
+ *
|
||||
+ * See: https://tools.ietf.org/html/rfc7230#section-3.2.2
|
||||
+ */
|
||||
+ parser->flags &= ~F_CHUNKED;
|
||||
}
|
||||
break;
|
||||
|
||||
diff --git a/test.c b/test.c
|
||||
index 3f7c77b3494..2e5a9ebd678 100644
|
||||
--- a/test.c
|
||||
+++ b/test.c
|
||||
@@ -2154,6 +2154,32 @@ const struct message responses[] =
|
||||
,.body= "2\r\nOK\r\n0\r\n\r\n"
|
||||
,.num_chunks_complete= 0
|
||||
}
|
||||
+#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30
|
||||
+, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding"
|
||||
+ ,.type= HTTP_RESPONSE
|
||||
+ ,.raw= "HTTP/1.1 200 OK\r\n"
|
||||
+ "Transfer-Encoding: chunked\r\n"
|
||||
+ "Transfer-Encoding: identity\r\n"
|
||||
+ "\r\n"
|
||||
+ "2\r\n"
|
||||
+ "OK\r\n"
|
||||
+ "0\r\n"
|
||||
+ "\r\n"
|
||||
+ ,.should_keep_alive= FALSE
|
||||
+ ,.message_complete_on_eof= TRUE
|
||||
+ ,.http_major= 1
|
||||
+ ,.http_minor= 1
|
||||
+ ,.status_code= 200
|
||||
+ ,.response_status= "OK"
|
||||
+ ,.content_length= -1
|
||||
+ ,.num_headers= 2
|
||||
+ ,.headers=
|
||||
+ { { "Transfer-Encoding", "chunked" }
|
||||
+ , { "Transfer-Encoding", "identity" }
|
||||
+ }
|
||||
+ ,.body= "2\r\nOK\r\n0\r\n\r\n"
|
||||
+ ,.num_chunks_complete= 0
|
||||
+ }
|
||||
};
|
||||
|
||||
/* strnlen() is a POSIX.2008 addition. Can't rely on it being available so
|
|
@ -6162,78 +6162,82 @@ into your tests. It automatically starts up a HTTP server in a separate thread
|
|||
(license license:expat)))
|
||||
|
||||
(define-public http-parser
|
||||
(package
|
||||
(name "http-parser")
|
||||
(version "2.9.4")
|
||||
(home-page "https://github.com/nodejs/http-parser")
|
||||
(source
|
||||
(origin
|
||||
(method git-fetch)
|
||||
(uri (git-reference (url home-page)
|
||||
(commit (string-append "v" version))))
|
||||
(sha256
|
||||
(base32 "1vda4dp75pjf5fcph73sy0ifm3xrssrmf927qd1x8g3q46z0cv6c"))
|
||||
(file-name (git-file-name name version))
|
||||
(patches
|
||||
(list
|
||||
(origin
|
||||
;; Treat an empty port (e.g. `http://hostname:/`) when parsing
|
||||
;; URLs as if no port were specified. This patch is applied
|
||||
;; to Fedora's http-parser and to libgit2's bundled version.
|
||||
(method url-fetch)
|
||||
(uri (string-append
|
||||
"https://src.fedoraproject.org/rpms/http-parser/raw/"
|
||||
"e89b4c4e2874c19079a5a1a2d2ccc61b551aa289/"
|
||||
"f/0001-url-treat-empty-port-as-default.patch"))
|
||||
(sha256
|
||||
(base32
|
||||
"0pbxf2nq9pcn299k2b2ls8ldghaqln9glnp79gi57mamx4iy0f6g")))))))
|
||||
(build-system gnu-build-system)
|
||||
(arguments
|
||||
`(#:test-target "test"
|
||||
#:make-flags
|
||||
(list (string-append "PREFIX="
|
||||
(assoc-ref %outputs "out"))
|
||||
"library"
|
||||
,@(if (%current-target-system)
|
||||
'()
|
||||
'("CC=gcc")))
|
||||
#:phases
|
||||
(modify-phases %standard-phases
|
||||
,@(match (%current-system)
|
||||
(let ((commit "ec8b5ee63f0e51191ea43bb0c6eac7bfbff3141d")
|
||||
(revision "1"))
|
||||
(package
|
||||
(name "http-parser")
|
||||
(version (git-version "2.9.4" revision commit))
|
||||
(home-page "https://github.com/nodejs/http-parser")
|
||||
(source
|
||||
(origin
|
||||
(method git-fetch)
|
||||
(uri (git-reference (url home-page)
|
||||
(commit commit)))
|
||||
(sha256
|
||||
(base32 "0f297hrbx0kvy3qwgm9rhmbnjww6iljlcz9grsc9d4km1qj1071i"))
|
||||
(file-name (git-file-name name version))
|
||||
(patches
|
||||
(append
|
||||
(search-patches "http-parser-CVE-2020-8287.patch")
|
||||
(list
|
||||
(origin
|
||||
;; Treat an empty port (e.g. `http://hostname:/`) when parsing
|
||||
;; URLs as if no port were specified. This patch is applied
|
||||
;; to Fedora's http-parser and to libgit2's bundled version.
|
||||
(method url-fetch)
|
||||
(uri (string-append
|
||||
"https://src.fedoraproject.org/rpms/http-parser/raw/"
|
||||
"e89b4c4e2874c19079a5a1a2d2ccc61b551aa289/"
|
||||
"f/0001-url-treat-empty-port-as-default.patch"))
|
||||
(sha256
|
||||
(base32
|
||||
"0pbxf2nq9pcn299k2b2ls8ldghaqln9glnp79gi57mamx4iy0f6g"))))))))
|
||||
(build-system gnu-build-system)
|
||||
(arguments
|
||||
`(#:test-target "test"
|
||||
#:make-flags
|
||||
(list (string-append "PREFIX="
|
||||
(assoc-ref %outputs "out"))
|
||||
"library"
|
||||
,@(if (%current-target-system)
|
||||
'()
|
||||
'("CC=gcc")))
|
||||
#:phases
|
||||
(modify-phases %standard-phases
|
||||
,@(match (%current-system)
|
||||
("armhf-linux"
|
||||
'((add-before 'check 'apply-assertion.patch
|
||||
(lambda* (#:key inputs #:allow-other-keys)
|
||||
(let ((patch (assoc-ref inputs "assertion.patch")))
|
||||
(invoke "patch" "-p1" "-i" patch)
|
||||
#t)))))
|
||||
(_ '()))
|
||||
,@(if (%current-target-system)
|
||||
'((replace 'configure
|
||||
(lambda* (#:key target #:allow-other-keys)
|
||||
(substitute* (find-files "." "Makefile")
|
||||
(("CC\\?=.*$")
|
||||
(string-append "CC=" target "-gcc\n"))
|
||||
(("AR\\?=.*$")
|
||||
(string-append "AR=" target "-ar\n")))
|
||||
#t)))
|
||||
'((delete 'configure))))))
|
||||
(native-inputs
|
||||
`(,@(match (%current-system)
|
||||
("armhf-linux"
|
||||
'((add-before 'check 'apply-assertion.patch
|
||||
(lambda* (#:key inputs #:allow-other-keys)
|
||||
(let ((patch (assoc-ref inputs "assertion.patch")))
|
||||
(invoke "patch" "-p1" "-i" patch)
|
||||
#t)))))
|
||||
(_ '()))
|
||||
,@(if (%current-target-system)
|
||||
'((replace 'configure
|
||||
(lambda* (#:key target #:allow-other-keys)
|
||||
(substitute* (find-files "." "Makefile")
|
||||
(("CC\\?=.*$")
|
||||
(string-append "CC=" target "-gcc\n"))
|
||||
(("AR\\?=.*$")
|
||||
(string-append "AR=" target "-ar\n")))
|
||||
#t)))
|
||||
'((delete 'configure))))))
|
||||
(native-inputs
|
||||
`(,@(match (%current-system)
|
||||
("armhf-linux"
|
||||
;; A fix for <https://issues.guix.gnu.org/40604> which in turn
|
||||
;; breaks i686-linux builds.
|
||||
`(("assertion.patch"
|
||||
,@(search-patches "http-parser-fix-assertion-on-armhf.patch"))))
|
||||
(_ '()))))
|
||||
(synopsis "HTTP request/response parser for C")
|
||||
(description "This is a parser for HTTP messages written in C. It parses
|
||||
;; A fix for <https://issues.guix.gnu.org/40604> which in turn
|
||||
;; breaks i686-linux builds.
|
||||
`(("assertion.patch"
|
||||
,@(search-patches "http-parser-fix-assertion-on-armhf.patch"))))
|
||||
(_ '()))))
|
||||
(synopsis "HTTP request/response parser for C")
|
||||
(description "This is a parser for HTTP messages written in C. It parses
|
||||
both requests and responses. The parser is designed to be used in
|
||||
high-performance HTTP applications. It does not make any syscalls nor
|
||||
allocations, it does not buffer data, it can be interrupted at anytime.
|
||||
Depending on your architecture, it only requires about 40 bytes of data per
|
||||
message stream (in a web server that is per connection).")
|
||||
(license license:expat)))
|
||||
(license license:expat))))
|
||||
|
||||
(define-public python-httpretty
|
||||
(package
|
||||
|
|
Reference in New Issue