Security fix for CVE-2015-5607
This commit is contained in:
parent
996fbfafe3
commit
ec2c119944
@ -1,10 +1,10 @@
|
||||
# $OpenBSD: Makefile,v 1.33 2015/06/25 10:51:31 jasper Exp $
|
||||
# $OpenBSD: Makefile,v 1.34 2015/07/23 12:46:01 jasper Exp $
|
||||
|
||||
COMMENT= enhanced interactive Python shell
|
||||
|
||||
MODPY_EGG_VERSION = 2.3.1
|
||||
DISTNAME= ipython-${MODPY_EGG_VERSION}
|
||||
REVISION= 0
|
||||
REVISION= 1
|
||||
CATEGORIES= devel
|
||||
|
||||
HOMEPAGE= http://ipython.org/
|
||||
|
@ -1,11 +1,76 @@
|
||||
$OpenBSD: patch-IPython_html_base_handlers_py,v 1.1 2015/06/25 10:51:31 jasper Exp $
|
||||
$OpenBSD: patch-IPython_html_base_handlers_py,v 1.2 2015/07/23 12:46:01 jasper Exp $
|
||||
|
||||
Security fix for CVE-2015-4707
|
||||
https://github.com/ipython/ipython/commit/c2078a53543ed502efd968649fee1125e0eb549c
|
||||
|
||||
--- IPython/html/base/handlers.py.orig Wed Jun 24 16:41:55 2015
|
||||
+++ IPython/html/base/handlers.py Wed Jun 24 16:42:45 2015
|
||||
@@ -339,6 +339,7 @@ def json_errors(method):
|
||||
Security fix for CVE-2015-5607
|
||||
https://github.com/ipython/ipython/commit/a05fe052a18810e92d9be8c1185952c13fe4e5b0
|
||||
|
||||
--- IPython/html/base/handlers.py.orig Thu Jul 23 14:39:34 2015
|
||||
+++ IPython/html/base/handlers.py Thu Jul 23 14:39:25 2015
|
||||
@@ -29,6 +29,10 @@ try:
|
||||
from http.client import responses
|
||||
except ImportError:
|
||||
from httplib import responses
|
||||
+try:
|
||||
+ from urllib.parse import urlparse # Py 3
|
||||
+except ImportError:
|
||||
+ from urlparse import urlparse # Py 2
|
||||
|
||||
from jinja2 import TemplateNotFound
|
||||
from tornado import web
|
||||
@@ -208,6 +212,50 @@ class IPythonHandler(AuthenticatedHandler):
|
||||
origin = self.request.headers.get("Sec-Websocket-Origin", None)
|
||||
return origin
|
||||
|
||||
+ def check_origin_api(self):
|
||||
+ """Check Origin for cross-site API requests.
|
||||
+
|
||||
+ Copied from WebSocket with changes:
|
||||
+
|
||||
+ - allow unspecified host/origin (e.g. scripts)
|
||||
+ """
|
||||
+ if self.allow_origin == '*':
|
||||
+ return True
|
||||
+
|
||||
+ host = self.request.headers.get("Host")
|
||||
+ origin = self.request.headers.get("Origin")
|
||||
+
|
||||
+ # If no header is provided, assume it comes from a script/curl.
|
||||
+ # We are only concerned with cross-site browser stuff here.
|
||||
+ if origin is None or host is None:
|
||||
+ return True
|
||||
+
|
||||
+ origin = origin.lower()
|
||||
+ origin_host = urlparse(origin).netloc
|
||||
+
|
||||
+ # OK if origin matches host
|
||||
+ if origin_host == host:
|
||||
+ return True
|
||||
+
|
||||
+ # Check CORS headers
|
||||
+ if self.allow_origin:
|
||||
+ allow = self.allow_origin == origin
|
||||
+ elif self.allow_origin_pat:
|
||||
+ allow = bool(self.allow_origin_pat.match(origin))
|
||||
+ else:
|
||||
+ # No CORS headers deny the request
|
||||
+ allow = False
|
||||
+ if not allow:
|
||||
+ self.log.warn("Blocking Cross Origin API request. Origin: %s, Host: %s",
|
||||
+ origin, host,
|
||||
+ )
|
||||
+ return allow
|
||||
+
|
||||
+ def prepare(self):
|
||||
+ if not self.check_origin_api():
|
||||
+ raise web.HTTPError(404)
|
||||
+ return super(IPythonHandler, self).prepare()
|
||||
+
|
||||
#---------------------------------------------------------------
|
||||
# template rendering
|
||||
#---------------------------------------------------------------
|
||||
@@ -339,6 +387,7 @@ def json_errors(method):
|
||||
message = e.log_message
|
||||
self.log.warn(message)
|
||||
self.set_status(e.status_code)
|
||||
@ -13,7 +78,7 @@ https://github.com/ipython/ipython/commit/c2078a53543ed502efd968649fee1125e0eb54
|
||||
self.finish(json.dumps(dict(message=message)))
|
||||
except Exception:
|
||||
self.log.error("Unhandled error in API request", exc_info=True)
|
||||
@@ -348,6 +349,7 @@ def json_errors(method):
|
||||
@@ -348,6 +397,7 @@ def json_errors(method):
|
||||
self.set_status(status)
|
||||
tb_text = ''.join(traceback.format_exception(t, value, tb))
|
||||
reply = dict(message=message, traceback=tb_text)
|
||||
|
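Review bot: In `check_origin_api` the Origin value is lower-cased (`origin = origin.lower()`) but `host` is compared as received, so a Host header differing only in case from the Origin's netloc misses the `origin_host == host` shortcut and falls through to the CORS branch, where it is denied unless `allow_origin`/`allow_origin_pat` match — fail-closed, but an avoidable false denial for a case-insensitive hostname; keep the `is None` test as written and add `host = host.lower()` right after it. That shortcut also only establishes that Origin and Host agree, with Host taken from the request itself, which deserves a comment at the comparison such as `# Host is client-supplied: this confirms Origin/Host agreement, not which hosts may be served`. `prepare` has no docstring; suggest `"""Reject cross-origin API requests before the handler method runs."""` (the choice of 404 over 403 is not explained on the page, so I would not assert its intent). The enclosing class IPythonHandler starts outside the hunk, as does json_errors in the trailing context; the Makefile section is a REVISION bump and needs no note.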