Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.
Sign upAfter the python3 fix for CVE-2019-9740 test_null_bytes fails #1781
Comments
This comment has been minimized.
This comment has been minimized.
|
Just tried on latest Cheroot and CherryPy, as well as the versions you have specified and I'm not seeing the same effect. That test passed on my machine. What version of urllib are you running? |
This comment has been minimized.
This comment has been minimized.
|
From the already attached build log:
|
This comment has been minimized.
This comment has been minimized.
|
This is not because of the urllib or urllib3. CPython upstream has patched The test tries to inject a know malicious sequence into the Request-Line of a test HTTP request and expects the server to reply with an error. There's a similar test in Cheroot as well (https://github.com/cherrypy/cheroot/blob/7558014/cheroot/test/test_core.py#L137-L164). But with the latest CPython it fails to create such a request because they forbid it now. |
This comment has been minimized.
This comment has been minimized.
|
OTOH, this test (submitted by @diogobaeder) is probably incorrect and the server should produce |
This comment has been minimized.
This comment has been minimized.
|
Hi guys, @webknjaz I'm curious, what test did I submitted that was incorrect? I couldn't find that in git blame from the test above... Thanks! |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
Ah, got it... thanks! Yeah, indeed, thinking again Cheers, |
This comment has been minimized.
This comment has been minimized.
|
FTR here's an instance of this error in the CI: https://travis-ci.org/cherrypy/cherrypy/jobs/549122435#L558 |
This comment has been minimized.
This comment has been minimized.
|
I opened cherrypy/cheroot#208 to address this on the HTTP level. |
This comment has been minimized.
This comment has been minimized.
|
Until this issue can be resolved properly, it's breaking CI for unrelated pull requests. Therefore, I'm going to mark |
This comment has been minimized.
This comment has been minimized.
|
This issue also affects mac builds like this one. |
This comment has been minimized.
This comment has been minimized.
|
There is an upstream issue36274 tracking this use-case. |
This comment has been minimized.
This comment has been minimized.
tipabu
commented
Sep 13, 2019
|
Well, a similar one, anyway I'd love to see an upstream patch that accommodates both use-cases, though! |
Fixes cherrypy#1781 Recent versions of CPython have gotten more picky about the sorts of paths callers can pass to http.client's putrequest. Since we don't have any control over what clients might send, though, keep coverage of the invalid-request behavior by just opening up a socket and sending some bytes. See also: https://bugs.python.org/issue38216
This comment has been minimized.
This comment has been minimized.
|
In addition to the patch proposed by tipabu, I believe we may be able to work around this issue by re-writing the regex that intercepts these null bytes. |
mcepl commentedMay 31, 2019
I'm submitting a ...
Do you want to request a feature or report a bug?
bug
What is the current behavior?
When running the testsuite StaticTest.test_null_bytes fails with:
Throwing an exception here is actually completely correct behavior after fixing python/cpython#13044 (CVE-2019-9740).
If the current behavior is a bug, please provide the steps to reproduce and if possible a screenshots and logs of the problem. If you can, show us your code.
Full build log
What is the expected behavior?
Whole test suite should pass.
What is the motivation / use case for changing the behavior?
Packaging python-CherryPy for openSUSE.
Please tell us about your environment:
Linux/openSUSE/Tumbleweed
Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, e.g. stackoverflow, gitter, etc.)