
From: David Seifert <soap@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-python/pysaml2/files/
Date: Tue, 23 Apr 2019 09:55:37
Message-Id: 1556013263.2fd4c9dcd2f329f676a0621fe164d56de31ea1c8.soap@gentoo
1 commit: 2fd4c9dcd2f329f676a0621fe164d56de31ea1c8
2 Author: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
3 AuthorDate: Mon Apr 22 07:44:00 2019 +0000
4 Commit: David Seifert <soap <AT> gentoo <DOT> org>
5 CommitDate: Tue Apr 23 09:54:23 2019 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2fd4c9dc
7
8 dev-python/pysaml2: remove unused patch(es)
9
10 Closes: https://github.com/gentoo/gentoo/pull/11774
11 Signed-off-by: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail.com>
12 Signed-off-by: David Seifert <soap <AT> gentoo.org>
13
14 .../files/pysaml-4.0.2_CVE-2017-1000433.patch | 33 ---
15 dev-python/pysaml2/files/xxe-4.0.2.patch | 305 ---------------------
16 2 files changed, 338 deletions(-)
17
18 diff --git a/dev-python/pysaml2/files/pysaml-4.0.2_CVE-2017-1000433.patch b/dev-python/pysaml2/files/pysaml-4.0.2_CVE-2017-1000433.patch
19 deleted file mode 100644
20 index 7abc765c298..00000000000
21 --- a/dev-python/pysaml2/files/pysaml-4.0.2_CVE-2017-1000433.patch
22 +++ /dev/null
23 @@ -1,33 +0,0 @@
24 -From 6312a41e037954850867f29d329e5007df1424a5 Mon Sep 17 00:00:00 2001
25 -From: Ioannis Kakavas <ikakavas@×××××××××.gr>
26 -Date: Tue, 12 Sep 2017 12:22:47 +0300
27 -Subject: [PATCH] Quick fix for the authentication bypass due to optimizations
28 - #451
29 -
30 ----
31 - src/saml2/authn.py | 5 +++--
32 - 1 file changed, 3 insertions(+), 2 deletions(-)
33 -
34 -diff --git a/src/saml2/authn.py b/src/saml2/authn.py
35 -index 1f2d02cf..1e1a220b 100644
36 ---- a/src/saml2/authn.py
37 -+++ b/src/saml2/authn.py
38 -@@ -146,7 +146,8 @@ def __call__(self, cookie=None, policy_url=None, logo_url=None,
39 - return resp
40 -
41 - def _verify(self, pwd, user):
42 -- assert is_equal(pwd, self.passwd[user])
43 -+ if not is_equal(pwd, self.passwd[user]):
44 -+ raise ValueError("Wrong password")
45 -
46 - def verify(self, request, **kwargs):
47 - """
48 -@@ -176,7 +177,7 @@ def verify(self, request, **kwargs):
49 - return_to = create_return_url(self.return_to, _dict["query"][0],
50 - **{self.query_param: "true"})
51 - resp = Redirect(return_to, headers=[cookie])
52 -- except (AssertionError, KeyError):
53 -+ except (ValueError, KeyError):
54 - resp = Unauthorized("Unknown user or wrong password")
55 -
56 - return resp
57
58 diff --git a/dev-python/pysaml2/files/xxe-4.0.2.patch b/dev-python/pysaml2/files/xxe-4.0.2.patch
59 deleted file mode 100644
60 index 8e1a2ef53cc..00000000000
61 --- a/dev-python/pysaml2/files/xxe-4.0.2.patch
62 +++ /dev/null
63 @@ -1,305 +0,0 @@
64 -diff -Naur pysaml2/setup.py pysaml2.new/setup.py
65 ---- pysaml2/setup.py 2015-12-06 00:46:33.000000000 -0600
66 -+++ pysaml2.new/setup.py 2017-01-10 20:31:43.387413477 -0600
67 -@@ -17,6 +17,7 @@
68 - 'pytz',
69 - 'pyOpenSSL',
70 - 'python-dateutil',
71 -+ 'defusedxml',
72 - 'six'
73 - ]
74 -
75 -diff -Naur pysaml2/src/saml2/__init__.py pysaml2.new/src/saml2/__init__.py
76 ---- pysaml2/src/saml2/__init__.py 2016-01-07 05:53:57.000000000 -0600
77 -+++ pysaml2.new/src/saml2/__init__.py 2017-01-10 20:34:04.171641116 -0600
78 -@@ -35,6 +35,7 @@
79 - import cElementTree as ElementTree
80 - except ImportError:
81 - from elementtree import ElementTree
82 -+import defusedxml.ElementTree
83 -
84 - root_logger = logging.getLogger(__name__)
85 - root_logger.level = logging.NOTSET
86 -@@ -86,7 +87,7 @@
87 - """
88 - if not isinstance(xml_string, six.binary_type):
89 - xml_string = xml_string.encode('utf-8')
90 -- tree = ElementTree.fromstring(xml_string)
91 -+ tree = defusedxml.ElementTree.fromstring(xml_string)
92 - return create_class_from_element_tree(target_class, tree)
93 -
94 -
95 -@@ -268,7 +269,7 @@
96 -
97 -
98 - def extension_element_from_string(xml_string):
99 -- element_tree = ElementTree.fromstring(xml_string)
100 -+ element_tree = defusedxml.ElementTree.fromstring(xml_string)
101 - return _extension_element_from_element_tree(element_tree)
102 -
103 -
104 -diff -Naur pysaml2/src/saml2/pack.py pysaml2.new/src/saml2/pack.py
105 ---- pysaml2/src/saml2/pack.py 2015-12-11 07:31:39.000000000 -0600
106 -+++ pysaml2.new/src/saml2/pack.py 2017-01-10 20:35:35.382435020 -0600
107 -@@ -37,6 +37,7 @@
108 - import cElementTree as ElementTree
109 - except ImportError:
110 - from elementtree import ElementTree
111 -+import defusedxml.ElementTree
112 -
113 - NAMESPACE = "http://schemas.xmlsoap.org/soap/envelope/"
114 - FORM_SPEC = """<form method="post" action="%s">
115 -@@ -235,7 +236,7 @@
116 - :param text: The SOAP object as XML
117 - :return: header parts and body as saml.samlbase instances
118 - """
119 -- envelope = ElementTree.fromstring(text)
120 -+ envelope = defusedxml.ElementTree.fromstring(text)
121 - assert envelope.tag == '{%s}Envelope' % NAMESPACE
122 -
123 - # print(len(envelope))
124 -diff -Naur pysaml2/src/saml2/soap.py pysaml2.new/src/saml2/soap.py
125 ---- pysaml2/src/saml2/soap.py 2015-05-18 02:54:05.000000000 -0500
126 -+++ pysaml2.new/src/saml2/soap.py 2017-01-10 20:36:16.163808770 -0600
127 -@@ -19,6 +19,7 @@
128 - except ImportError:
129 - #noinspection PyUnresolvedReferences
130 - from elementtree import ElementTree
131 -+import defusedxml.ElementTree
132 -
133 -
134 - logger = logging.getLogger(__name__)
135 -@@ -133,7 +134,7 @@
136 - :param expected_tags: What the tag of the SAML thingy is expected to be.
137 - :return: SAML thingy as a string
138 - """
139 -- envelope = ElementTree.fromstring(text)
140 -+ envelope = defusedxml.ElementTree.fromstring(text)
141 -
142 - # Make sure it's a SOAP message
143 - assert envelope.tag == '{%s}Envelope' % soapenv.NAMESPACE
144 -@@ -183,7 +184,7 @@
145 - :return: The body and headers as class instances
146 - """
147 - try:
148 -- envelope = ElementTree.fromstring(text)
149 -+ envelope = defusedxml.ElementTree.fromstring(text)
150 - except Exception as exc:
151 - raise XmlParseError("%s" % exc)
152 -
153 -@@ -209,7 +210,7 @@
154 - :return: dictionary with two keys "body"/"header"
155 - """
156 - try:
157 -- envelope = ElementTree.fromstring(text)
158 -+ envelope = defusedxml.ElementTree.fromstring(text)
159 - except Exception as exc:
160 - raise XmlParseError("%s" % exc)
161 -
162 -diff -Naur pysaml2/tests/test_03_saml2.py pysaml2.new/tests/test_03_saml2.py
163 ---- pysaml2/tests/test_03_saml2.py 2015-06-06 02:15:20.000000000 -0500
164 -+++ pysaml2.new/tests/test_03_saml2.py 2017-01-10 20:38:32.541728380 -0600
165 -@@ -17,6 +17,7 @@
166 - import cElementTree as ElementTree
167 - except ImportError:
168 - from elementtree import ElementTree
169 -+from defusedxml.common import EntitiesForbidden
170 -
171 - ITEMS = {
172 - NameID: ["""<?xml version="1.0" encoding="utf-8"?>
173 -@@ -27,7 +28,7 @@
174 - </NameID>
175 - """, """<?xml version="1.0" encoding="utf-8"?>
176 - <NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
177 -- SPNameQualifier="https://foo.example.com/sp"
178 -+ SPNameQualifier="https://foo.example.com/sp"
179 - Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_1632879f09d08ea5ede2dc667cbed7e429ebc4335c</NameID>
180 - """, """<?xml version="1.0" encoding="utf-8"?>
181 - <NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
182 -@@ -47,9 +48,9 @@
183 - SubjectConfirmationData:
184 - """<?xml version="1.0" encoding="utf-8"?>
185 - <SubjectConfirmationData xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
186 --InResponseTo="_1683146e27983964fbe7bf8f08961108d166a652e5"
187 --NotOnOrAfter="2010-02-18T13:52:13.959Z"
188 --NotBefore="2010-01-16T12:00:00Z"
189 -+InResponseTo="_1683146e27983964fbe7bf8f08961108d166a652e5"
190 -+NotOnOrAfter="2010-02-18T13:52:13.959Z"
191 -+NotBefore="2010-01-16T12:00:00Z"
192 - Recipient="http://192.168.0.10/saml/sp" />""",
193 - SubjectConfirmation:
194 - """<?xml version="1.0" encoding="utf-8"?>
195 -@@ -166,6 +167,19 @@
196 - assert kl == None
197 -
198 -
199 -+def test_create_class_from_xml_string_xxe():
200 -+ xml = """<?xml version="1.0"?>
201 -+ <!DOCTYPE lolz [
202 -+ <!ENTITY lol "lol">
203 -+ <!ELEMENT lolz (#PCDATA)>
204 -+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
205 -+ ]>
206 -+ <lolz>&lol1;</lolz>
207 -+ """
208 -+ with raises(EntitiesForbidden) as err:
209 -+ create_class_from_xml_string(NameID, xml)
210 -+
211 -+
212 - def test_ee_1():
213 - ee = saml2.extension_element_from_string(
214 - """<?xml version='1.0' encoding='UTF-8'?><foo>bar</foo>""")
215 -@@ -193,7 +207,7 @@
216 - def test_ee_3():
217 - ee = saml2.extension_element_from_string(
218 - """<?xml version='1.0' encoding='UTF-8'?>
219 -- <foo xmlns="urn:mace:example.com:saml:ns"
220 -+ <foo xmlns="urn:mace:example.com:saml:ns"
221 - id="xyz">bar</foo>""")
222 - assert ee != None
223 - print(ee.__dict__)
224 -@@ -454,6 +468,19 @@
225 - assert nid.text.strip() == "http://federationX.org"
226 -
227 -
228 -+def test_ee_xxe():
229 -+ xml = """<?xml version="1.0"?>
230 -+ <!DOCTYPE lolz [
231 -+ <!ENTITY lol "lol">
232 -+ <!ELEMENT lolz (#PCDATA)>
233 -+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
234 -+ ]>
235 -+ <lolz>&lol1;</lolz>
236 -+ """
237 -+ with raises(EntitiesForbidden):
238 -+ saml2.extension_element_from_string(xml)
239 -+
240 -+
241 - def test_extension_element_loadd():
242 - ava = {'attributes': {},
243 - 'tag': 'ExternalEntityAttributeAuthority',
244 -diff -Naur pysaml2/tests/test_43_soap.py pysaml2.new/tests/test_43_soap.py
245 ---- pysaml2/tests/test_43_soap.py 2013-04-28 09:38:07.000000000 -0500
246 -+++ pysaml2.new/tests/test_43_soap.py 2017-01-10 20:39:53.730364008 -0600
247 -@@ -12,16 +12,20 @@
248 - import cElementTree as ElementTree
249 - except ImportError:
250 - from elementtree import ElementTree
251 -+from defusedxml.common import EntitiesForbidden
252 -+
253 -+from pytest import raises
254 -
255 - import saml2.samlp as samlp
256 - from saml2.samlp import NAMESPACE as SAMLP_NAMESPACE
257 -+from saml2 import soap
258 -
259 - NAMESPACE = "http://schemas.xmlsoap.org/soap/envelope/"
260 -
261 - example = """<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
262 - <Body>
263 -- <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
264 -- xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
265 -+ <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
266 -+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
267 - ID="_6c3a4f8b9c2d" Version="2.0" IssueInstant="2004-03-27T08:42:00Z">
268 - <saml:Issuer>https://www.example.com/SAML</saml:Issuer>
269 - <Status>
270 -@@ -55,7 +59,7 @@
271 - envelope.tag = '{%s}Envelope' % NAMESPACE
272 - body = ElementTree.Element('')
273 - body.tag = '{%s}Body' % NAMESPACE
274 -- envelope.append(body)
275 -+ envelope.append(body)
276 - request = samlp.AuthnRequest()
277 - request.become_child_element_of(body)
278 -
279 -@@ -66,3 +70,42 @@
280 - assert len(body) == 1
281 - saml_part = body[0]
282 - assert saml_part.tag == '{%s}AuthnRequest' % SAMLP_NAMESPACE
283 -+
284 -+
285 -+def test_parse_soap_enveloped_saml_thingy_xxe():
286 -+ xml = """<?xml version="1.0"?>
287 -+ <!DOCTYPE lolz [
288 -+ <!ENTITY lol "lol">
289 -+ <!ELEMENT lolz (#PCDATA)>
290 -+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
291 -+ ]>
292 -+ <lolz>&lol1;</lolz>
293 -+ """
294 -+ with raises(EntitiesForbidden):
295 -+ soap.parse_soap_enveloped_saml_thingy(xml, None)
296 -+
297 -+
298 -+def test_class_instances_from_soap_enveloped_saml_thingies_xxe():
299 -+ xml = """<?xml version="1.0"?>
300 -+ <!DOCTYPE lolz [
301 -+ <!ENTITY lol "lol">
302 -+ <!ELEMENT lolz (#PCDATA)>
303 -+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
304 -+ ]>
305 -+ <lolz>&lol1;</lolz>
306 -+ """
307 -+ with raises(soap.XmlParseError):
308 -+ soap.class_instances_from_soap_enveloped_saml_thingies(xml, None)
309 -+
310 -+
311 -+def test_open_soap_envelope_xxe():
312 -+ xml = """<?xml version="1.0"?>
313 -+ <!DOCTYPE lolz [
314 -+ <!ENTITY lol "lol">
315 -+ <!ELEMENT lolz (#PCDATA)>
316 -+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
317 -+ ]>
318 -+ <lolz>&lol1;</lolz>
319 -+ """
320 -+ with raises(soap.XmlParseError):
321 -+ soap.open_soap_envelope(xml)
322 -diff -Naur pysaml2/tests/test_51_client.py pysaml2.new/tests/test_51_client.py
323 ---- pysaml2/tests/test_51_client.py 2015-12-11 05:10:01.000000000 -0600
324 -+++ pysaml2.new/tests/test_51_client.py 2017-01-10 20:42:12.819280442 -0600
325 -@@ -5,6 +5,7 @@
326 - import uuid
327 - import six
328 - from six.moves.urllib.parse import parse_qs, urlencode, urlparse
329 -+from pytest import raises
330 - from saml2.cert import OpenSSLWrapper
331 - from saml2.xmldsig import SIG_RSA_SHA256
332 - from saml2 import BINDING_HTTP_POST
333 -@@ -21,6 +22,7 @@
334 - from saml2.authn_context import INTERNETPROTOCOLPASSWORD
335 - from saml2.client import Saml2Client
336 - from saml2.config import SPConfig
337 -+from saml2.pack import parse_soap_enveloped_saml
338 - from saml2.response import LogoutResponse
339 - from saml2.saml import NAMEID_FORMAT_PERSISTENT, EncryptedAssertion, Advice
340 - from saml2.saml import NAMEID_FORMAT_TRANSIENT
341 -@@ -34,6 +36,8 @@
342 - from saml2.s_utils import factory
343 - from saml2.time_util import in_a_while, a_while_ago
344 -
345 -+from defusedxml.common import EntitiesForbidden
346 -+
347 - from fakeIDP import FakeIDP
348 - from fakeIDP import unpack_form
349 - from pathutils import full_path
350 -@@ -1445,6 +1449,18 @@
351 - 'http://www.example.com/login'
352 - assert ac.authn_context_class_ref.text == INTERNETPROTOCOLPASSWORD
353 -
354 -+def test_parse_soap_enveloped_saml_xxe():
355 -+ xml = """<?xml version="1.0"?>
356 -+ <!DOCTYPE lolz [
357 -+ <!ENTITY lol "lol">
358 -+ <!ELEMENT lolz (#PCDATA)>
359 -+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
360 -+ ]>
361 -+ <lolz>&lol1;</lolz>
362 -+ """
363 -+ with raises(EntitiesForbidden):
364 -+ parse_soap_enveloped_saml(xml, None)
365 -+
366 -
367 - # if __name__ == "__main__":
368 - # tc = TestClient()