commit: 2fd4c9dcd2f329f676a0621fe164d56de31ea1c8 |
Author: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com> |
AuthorDate: Mon Apr 22 07:44:00 2019 +0000 |
Commit: David Seifert <soap <AT> gentoo <DOT> org> |
CommitDate: Tue Apr 23 09:54:23 2019 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2fd4c9dc |
|
dev-python/pysaml2: remove unused patch(es) |
|
Closes: https://github.com/gentoo/gentoo/pull/11774 |
Signed-off-by: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail.com> |
Signed-off-by: David Seifert <soap <AT> gentoo.org> |
|
.../files/pysaml-4.0.2_CVE-2017-1000433.patch | 33 --- |
dev-python/pysaml2/files/xxe-4.0.2.patch | 305 --------------------- |
2 files changed, 338 deletions(-) |
|
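diff --git a/dev-python/pysaml2/files/pysaml-4.0.2_CVE-2017-1000433.patch b/dev-python/pysaml2/files/pysaml-4.0.2_CVE-2017-1000433.patch
deleted file mode 100644
index 7abc765c298..00000000000
--- a/dev-python/pysaml2/files/pysaml-4.0.2_CVE-2017-1000433.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 6312a41e037954850867f29d329e5007df1424a5 Mon Sep 17 00:00:00 2001
-From: Ioannis Kakavas <ikakavas@×××××××××.gr>
-Date: Tue, 12 Sep 2017 12:22:47 +0300
-Subject: [PATCH] Quick fix for the authentication bypass due to optimizations
- #451
-
----
- src/saml2/authn.py | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/src/saml2/authn.py b/src/saml2/authn.py
-index 1f2d02cf..1e1a220b 100644
---- a/src/saml2/authn.py
-+++ b/src/saml2/authn.py
-@@ -146,7 +146,8 @@ def __call__(self, cookie=None, policy_url=None, logo_url=None,
- return resp
-
- def _verify(self, pwd, user):
-- assert is_equal(pwd, self.passwd[user])
-+ if not is_equal(pwd, self.passwd[user]):
-+ raise ValueError("Wrong password")
-
- def verify(self, request, **kwargs):
- """
-@@ -176,7 +177,7 @@ def verify(self, request, **kwargs):
- return_to = create_return_url(self.return_to, _dict["query"][0],
- **{self.query_param: "true"})
- resp = Redirect(return_to, headers=[cookie])
-- except (AssertionError, KeyError):
-+ except (ValueError, KeyError):
- resp = Unauthorized("Unknown user or wrong password")
-
- return resp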
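diff --git a/dev-python/pysaml2/files/xxe-4.0.2.patch b/dev-python/pysaml2/files/xxe-4.0.2.patch
deleted file mode 100644
index 8e1a2ef53cc..00000000000
--- a/dev-python/pysaml2/files/xxe-4.0.2.patch
+++ /dev/null
@@ -1,305 +0,0 @@
-diff -Naur pysaml2/setup.py pysaml2.new/setup.py
---- pysaml2/setup.py 2015-12-06 00:46:33.000000000 -0600
-+++ pysaml2.new/setup.py 2017-01-10 20:31:43.387413477 -0600
-@@ -17,6 +17,7 @@
- 'pytz',
- 'pyOpenSSL',
- 'python-dateutil',
-+ 'defusedxml',
- 'six'
- ]
-
-diff -Naur pysaml2/src/saml2/__init__.py pysaml2.new/src/saml2/__init__.py
---- pysaml2/src/saml2/__init__.py 2016-01-07 05:53:57.000000000 -0600
-+++ pysaml2.new/src/saml2/__init__.py 2017-01-10 20:34:04.171641116 -0600
-@@ -35,6 +35,7 @@
- import cElementTree as ElementTree
- except ImportError:
- from elementtree import ElementTree
-+import defusedxml.ElementTree
-
- root_logger = logging.getLogger(__name__)
- root_logger.level = logging.NOTSET
-@@ -86,7 +87,7 @@
- """
- if not isinstance(xml_string, six.binary_type):
- xml_string = xml_string.encode('utf-8')
-- tree = ElementTree.fromstring(xml_string)
-+ tree = defusedxml.ElementTree.fromstring(xml_string)
- return create_class_from_element_tree(target_class, tree)
-
-
-@@ -268,7 +269,7 @@
-
-
- def extension_element_from_string(xml_string):
-- element_tree = ElementTree.fromstring(xml_string)
-+ element_tree = defusedxml.ElementTree.fromstring(xml_string)
- return _extension_element_from_element_tree(element_tree)
-
-
-diff -Naur pysaml2/src/saml2/pack.py pysaml2.new/src/saml2/pack.py
---- pysaml2/src/saml2/pack.py 2015-12-11 07:31:39.000000000 -0600
-+++ pysaml2.new/src/saml2/pack.py 2017-01-10 20:35:35.382435020 -0600
-@@ -37,6 +37,7 @@
- import cElementTree as ElementTree
- except ImportError:
- from elementtree import ElementTree
-+import defusedxml.ElementTree
-
- NAMESPACE = "http://schemas.xmlsoap.org/soap/envelope/"
- FORM_SPEC = """<form method="post" action="%s">
-@@ -235,7 +236,7 @@
- :param text: The SOAP object as XML
- :return: header parts and body as saml.samlbase instances
- """
-- envelope = ElementTree.fromstring(text)
-+ envelope = defusedxml.ElementTree.fromstring(text)
- assert envelope.tag == '{%s}Envelope' % NAMESPACE
-
- # print(len(envelope))
-diff -Naur pysaml2/src/saml2/soap.py pysaml2.new/src/saml2/soap.py
---- pysaml2/src/saml2/soap.py 2015-05-18 02:54:05.000000000 -0500
-+++ pysaml2.new/src/saml2/soap.py 2017-01-10 20:36:16.163808770 -0600
-@@ -19,6 +19,7 @@
- except ImportError:
- #noinspection PyUnresolvedReferences
- from elementtree import ElementTree
-+import defusedxml.ElementTree
-
-
- logger = logging.getLogger(__name__)
-@@ -133,7 +134,7 @@
- :param expected_tags: What the tag of the SAML thingy is expected to be.
- :return: SAML thingy as a string
- """
-- envelope = ElementTree.fromstring(text)
-+ envelope = defusedxml.ElementTree.fromstring(text)
-
- # Make sure it's a SOAP message
- assert envelope.tag == '{%s}Envelope' % soapenv.NAMESPACE
-@@ -183,7 +184,7 @@
- :return: The body and headers as class instances
- """
- try:
-- envelope = ElementTree.fromstring(text)
-+ envelope = defusedxml.ElementTree.fromstring(text)
- except Exception as exc:
- raise XmlParseError("%s" % exc)
-
-@@ -209,7 +210,7 @@
- :return: dictionary with two keys "body"/"header"
- """
- try:
-- envelope = ElementTree.fromstring(text)
-+ envelope = defusedxml.ElementTree.fromstring(text)
- except Exception as exc:
- raise XmlParseError("%s" % exc)
-
-diff -Naur pysaml2/tests/test_03_saml2.py pysaml2.new/tests/test_03_saml2.py
---- pysaml2/tests/test_03_saml2.py 2015-06-06 02:15:20.000000000 -0500
-+++ pysaml2.new/tests/test_03_saml2.py 2017-01-10 20:38:32.541728380 -0600
-@@ -17,6 +17,7 @@
- import cElementTree as ElementTree
- except ImportError:
- from elementtree import ElementTree
-+from defusedxml.common import EntitiesForbidden
-
- ITEMS = {
- NameID: ["""<?xml version="1.0" encoding="utf-8"?>
-@@ -27,7 +28,7 @@
- </NameID>
- """, """<?xml version="1.0" encoding="utf-8"?>
- <NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
-- SPNameQualifier="https://foo.example.com/sp"
-+ SPNameQualifier="https://foo.example.com/sp"
- Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_1632879f09d08ea5ede2dc667cbed7e429ebc4335c</NameID>
- """, """<?xml version="1.0" encoding="utf-8"?>
- <NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
-@@ -47,9 +48,9 @@
- SubjectConfirmationData:
- """<?xml version="1.0" encoding="utf-8"?>
- <SubjectConfirmationData xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
--InResponseTo="_1683146e27983964fbe7bf8f08961108d166a652e5"
--NotOnOrAfter="2010-02-18T13:52:13.959Z"
--NotBefore="2010-01-16T12:00:00Z"
-+InResponseTo="_1683146e27983964fbe7bf8f08961108d166a652e5"
-+NotOnOrAfter="2010-02-18T13:52:13.959Z"
-+NotBefore="2010-01-16T12:00:00Z"
- Recipient="http://192.168.0.10/saml/sp" />""",
- SubjectConfirmation:
- """<?xml version="1.0" encoding="utf-8"?>
-@@ -166,6 +167,19 @@
- assert kl == None
-
-
-+def test_create_class_from_xml_string_xxe():
-+ xml = """<?xml version="1.0"?>
-+ <!DOCTYPE lolz [
-+ <!ENTITY lol "lol">
-+ <!ELEMENT lolz (#PCDATA)>
-+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
-+ ]>
-+ <lolz>&lol1;</lolz>
-+ """
-+ with raises(EntitiesForbidden) as err:
-+ create_class_from_xml_string(NameID, xml)
-+
-+
- def test_ee_1():
- ee = saml2.extension_element_from_string(
- """<?xml version='1.0' encoding='UTF-8'?><foo>bar</foo>""")
-@@ -193,7 +207,7 @@
- def test_ee_3():
- ee = saml2.extension_element_from_string(
- """<?xml version='1.0' encoding='UTF-8'?>
-- <foo xmlns="urn:mace:example.com:saml:ns"
-+ <foo xmlns="urn:mace:example.com:saml:ns"
- id="xyz">bar</foo>""")
- assert ee != None
- print(ee.__dict__)
-@@ -454,6 +468,19 @@
- assert nid.text.strip() == "http://federationX.org"
-
-
-+def test_ee_xxe():
-+ xml = """<?xml version="1.0"?>
-+ <!DOCTYPE lolz [
-+ <!ENTITY lol "lol">
-+ <!ELEMENT lolz (#PCDATA)>
-+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
-+ ]>
-+ <lolz>&lol1;</lolz>
-+ """
-+ with raises(EntitiesForbidden):
-+ saml2.extension_element_from_string(xml)
-+
-+
- def test_extension_element_loadd():
- ava = {'attributes': {},
- 'tag': 'ExternalEntityAttributeAuthority',
-diff -Naur pysaml2/tests/test_43_soap.py pysaml2.new/tests/test_43_soap.py
---- pysaml2/tests/test_43_soap.py 2013-04-28 09:38:07.000000000 -0500
-+++ pysaml2.new/tests/test_43_soap.py 2017-01-10 20:39:53.730364008 -0600
-@@ -12,16 +12,20 @@
- import cElementTree as ElementTree
- except ImportError:
- from elementtree import ElementTree
-+from defusedxml.common import EntitiesForbidden
-+
-+from pytest import raises
-
- import saml2.samlp as samlp
- from saml2.samlp import NAMESPACE as SAMLP_NAMESPACE
-+from saml2 import soap
-
- NAMESPACE = "http://schemas.xmlsoap.org/soap/envelope/"
-
- example = """<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
- <Body>
-- <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
-- xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-+ <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
-+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
- ID="_6c3a4f8b9c2d" Version="2.0" IssueInstant="2004-03-27T08:42:00Z">
- <saml:Issuer>https://www.example.com/SAML</saml:Issuer>
- <Status>
-@@ -55,7 +59,7 @@
- envelope.tag = '{%s}Envelope' % NAMESPACE
- body = ElementTree.Element('')
- body.tag = '{%s}Body' % NAMESPACE
-- envelope.append(body)
-+ envelope.append(body)
- request = samlp.AuthnRequest()
- request.become_child_element_of(body)
-
-@@ -66,3 +70,42 @@
- assert len(body) == 1
- saml_part = body[0]
- assert saml_part.tag == '{%s}AuthnRequest' % SAMLP_NAMESPACE
-+
-+
-+def test_parse_soap_enveloped_saml_thingy_xxe():
-+ xml = """<?xml version="1.0"?>
-+ <!DOCTYPE lolz [
-+ <!ENTITY lol "lol">
-+ <!ELEMENT lolz (#PCDATA)>
-+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
-+ ]>
-+ <lolz>&lol1;</lolz>
-+ """
-+ with raises(EntitiesForbidden):
-+ soap.parse_soap_enveloped_saml_thingy(xml, None)
-+
-+
-+def test_class_instances_from_soap_enveloped_saml_thingies_xxe():
-+ xml = """<?xml version="1.0"?>
-+ <!DOCTYPE lolz [
-+ <!ENTITY lol "lol">
-+ <!ELEMENT lolz (#PCDATA)>
-+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
-+ ]>
-+ <lolz>&lol1;</lolz>
-+ """
-+ with raises(soap.XmlParseError):
-+ soap.class_instances_from_soap_enveloped_saml_thingies(xml, None)
-+
-+
-+def test_open_soap_envelope_xxe():
-+ xml = """<?xml version="1.0"?>
-+ <!DOCTYPE lolz [
-+ <!ENTITY lol "lol">
-+ <!ELEMENT lolz (#PCDATA)>
-+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
-+ ]>
-+ <lolz>&lol1;</lolz>
-+ """
-+ with raises(soap.XmlParseError):
-+ soap.open_soap_envelope(xml)
-diff -Naur pysaml2/tests/test_51_client.py pysaml2.new/tests/test_51_client.py
---- pysaml2/tests/test_51_client.py 2015-12-11 05:10:01.000000000 -0600
-+++ pysaml2.new/tests/test_51_client.py 2017-01-10 20:42:12.819280442 -0600
-@@ -5,6 +5,7 @@
- import uuid
- import six
- from six.moves.urllib.parse import parse_qs, urlencode, urlparse
-+from pytest import raises
- from saml2.cert import OpenSSLWrapper
- from saml2.xmldsig import SIG_RSA_SHA256
- from saml2 import BINDING_HTTP_POST
-@@ -21,6 +22,7 @@
- from saml2.authn_context import INTERNETPROTOCOLPASSWORD
- from saml2.client import Saml2Client
- from saml2.config import SPConfig
-+from saml2.pack import parse_soap_enveloped_saml
- from saml2.response import LogoutResponse
- from saml2.saml import NAMEID_FORMAT_PERSISTENT, EncryptedAssertion, Advice
- from saml2.saml import NAMEID_FORMAT_TRANSIENT
-@@ -34,6 +36,8 @@
- from saml2.s_utils import factory
- from saml2.time_util import in_a_while, a_while_ago
-
-+from defusedxml.common import EntitiesForbidden
-+
- from fakeIDP import FakeIDP
- from fakeIDP import unpack_form
- from pathutils import full_path
-@@ -1445,6 +1449,18 @@
- 'http://www.example.com/login'
- assert ac.authn_context_class_ref.text == INTERNETPROTOCOLPASSWORD
-
-+def test_parse_soap_enveloped_saml_xxe():
-+ xml = """<?xml version="1.0"?>
-+ <!DOCTYPE lolz [
-+ <!ENTITY lol "lol">
-+ <!ELEMENT lolz (#PCDATA)>
-+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
-+ ]>
-+ <lolz>&lol1;</lolz>
-+ """
-+ with raises(EntitiesForbidden):
-+ parse_soap_enveloped_saml(xml, None)
-+
-
- # if __name__ == "__main__":
- # tc = TestClient()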