From 6909de1779aeb776394c329729b6c26658f706cd Mon Sep 17 00:00:00 2001
From: shixuantong <1726671442@qq.com>
Date: Fri, 1 Jul 2022 16:49:05 +0800
Subject: [PATCH] Modify the solution of CVE-2015-20107

---
 backport-CVE-2015-20107.patch  | 149 +++++++++++++++++++++++++++++++++
 openEuler-CVE-2015-20107.patch |  43 ----------
 python3.spec                   |  14 ++--
 3 files changed, 158 insertions(+), 48 deletions(-)
 create mode 100644 backport-CVE-2015-20107.patch
 delete mode 100644 openEuler-CVE-2015-20107.patch

diff --git a/backport-CVE-2015-20107.patch b/backport-CVE-2015-20107.patch
new file mode 100644
index 0000000..56235c6
--- /dev/null
+++ b/backport-CVE-2015-20107.patch
@@ -0,0 +1,149 @@
+From b9509ba7a9c668b984dab876c7926fe1dc5aa0ba Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Fri, 3 Jun 2022 11:43:35 +0200
+Subject: [PATCH] gh-68966: Make mailcap refuse to match unsafe
+ filenames/types/params (GH-91993)
+
+---
+ Doc/library/mailcap.rst                       | 12 +++++++++
+ Lib/mailcap.py                                | 26 +++++++++++++++++--
+ Lib/test/test_mailcap.py                      |  8 ++++--
+ ...2-04-27-18-25-30.gh-issue-68966.gjS8zs.rst |  4 +++
+ 4 files changed, 46 insertions(+), 4 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+
+diff --git a/Doc/library/mailcap.rst b/Doc/library/mailcap.rst
+index 5490c8468d..bfaedb4609 100644
+--- a/Doc/library/mailcap.rst
++++ b/Doc/library/mailcap.rst
+@@ -60,6 +60,18 @@ standard.  However, mailcap files are supported on most Unix systems.
+    use) to determine whether or not the mailcap line applies.  :func:`findmatch`
+    will automatically check such conditions and skip the entry if the check fails.
+ 
++   .. versionchanged:: 3.11
++
++      To prevent security issues with shell metacharacters (symbols that have
++      special effects in a shell command line), ``findmatch`` will refuse
++      to inject ASCII characters other than alphanumerics and ``@+=:,./-_``
++      into the returned command line.
++
++      If a disallowed character appears in *filename*, ``findmatch`` will always
++      return ``(None, None)`` as if no entry was found.
++      If such a character appears elsewhere (a value in *plist* or in *MIMEtype*),
++      ``findmatch`` will ignore all mailcap entries which use that value.
++      A :mod:`warning <warnings>` will be raised in either case.
+ 
+ .. function:: getcaps()
+ 
+diff --git a/Lib/mailcap.py b/Lib/mailcap.py
+index 856b6a5547..7278ea7051 100644
+--- a/Lib/mailcap.py
++++ b/Lib/mailcap.py
+@@ -2,6 +2,7 @@
+ 
+ import os
+ import warnings
++import re
+ 
+ __all__ = ["getcaps","findmatch"]
+ 
+@@ -19,6 +20,11 @@ def lineno_sort_key(entry):
+     else:
+         return 1, 0
+ 
++_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search
++
++class UnsafeMailcapInput(Warning):
++    """Warning raised when refusing unsafe input"""
++
+ 
+ # Part 1: top-level interface.
+ 
+@@ -171,15 +177,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
+     entry to use.
+ 
+     """
++    if _find_unsafe(filename):
++        msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
++        warnings.warn(msg, UnsafeMailcapInput)
++        return None, None
+     entries = lookup(caps, MIMEtype, key)
+     # XXX This code should somehow check for the needsterminal flag.
+     for e in entries:
+         if 'test' in e:
+             test = subst(e['test'], filename, plist)
++            if test is None:
++                continue
+             if test and os.system(test) != 0:
+                 continue
+         command = subst(e[key], MIMEtype, filename, plist)
+-        return command, e
++        if command is not None:
++            return command, e
+     return None, None
+ 
+ def lookup(caps, MIMEtype, key=None):
+@@ -212,6 +225,10 @@ def subst(field, MIMEtype, filename, plist=[]):
+             elif c == 's':
+                 res = res + filename
+             elif c == 't':
++                if _find_unsafe(MIMEtype):
++                    msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
++                    warnings.warn(msg, UnsafeMailcapInput)
++                    return None
+                 res = res + MIMEtype
+             elif c == '{':
+                 start = i
+@@ -219,7 +236,12 @@ def subst(field, MIMEtype, filename, plist=[]):
+                     i = i+1
+                 name = field[start:i]
+                 i = i+1
+-                res = res + findparam(name, plist)
++                param = findparam(name, plist)
++                if _find_unsafe(param):
++                    msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
++                    warnings.warn(msg, UnsafeMailcapInput)
++                    return None
++                res = res + param
+             # XXX To do:
+             # %n == number of parts if type is multipart/*
+             # %F == list of alternating type and filename for parts
+diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py
+index d3995b1472..8185f4a780 100644
+--- a/Lib/test/test_mailcap.py
++++ b/Lib/test/test_mailcap.py
+@@ -128,7 +128,8 @@ def test_subst(self):
+             (["", "audio/*", "foo.txt"], ""),
+             (["echo foo", "audio/*", "foo.txt"], "echo foo"),
+             (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
+-            (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
++            (["echo %t", "audio/*", "foo.txt"], None),
++            (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
+             (["echo \\%t", "audio/*", "foo.txt"], "echo %t"),
+             (["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
+             (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
+@@ -212,7 +213,10 @@ def test_findmatch(self):
+              ('"An audio fragment"', audio_basic_entry)),
+             ([c, "audio/*"],
+              {"filename": fname},
+-             ("/usr/local/bin/showaudio audio/*", audio_entry)),
++             (None, None)),
++            ([c, "audio/wav"],
++             {"filename": fname},
++             ("/usr/local/bin/showaudio audio/wav", audio_entry)),
+             ([c, "message/external-body"],
+              {"plist": plist},
+              ("showexternal /dev/null default john python.org     /tmp foo bar", message_entry))
+diff --git a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+new file mode 100644
+index 0000000000..da81a1f699
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+@@ -0,0 +1,4 @@
++The deprecated mailcap module now refuses to inject unsafe text (filenames,
++MIME types, parameters) into shell commands. Instead of using such text, it
++will warn and act as if a match was not found (or for test commands, as if
++the test failed).
+-- 
+2.23.0
+
diff --git a/openEuler-CVE-2015-20107.patch b/openEuler-CVE-2015-20107.patch
deleted file mode 100644
index 136891c..0000000
--- a/openEuler-CVE-2015-20107.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From c7c5f7f272659981f4c6bbfa212257945c86d17c Mon Sep 17 00:00:00 2001
-From: shixuantong <shixuantong@h-partners.com>
-Date: Sat, 14 May 2022 16:50:02 +0800
-Subject: [PATCH] fix CVE-2015-20107
-
----
- Lib/mailcap.py | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/Lib/mailcap.py b/Lib/mailcap.py
-index bd0fc09..1ad3dd5 100644
---- a/Lib/mailcap.py
-+++ b/Lib/mailcap.py
-@@ -2,6 +2,7 @@
- 
- import os
- import warnings
-+from shlex import quote
- 
- __all__ = ["getcaps","findmatch"]
- 
-@@ -203,8 +204,6 @@ def subst(field, MIMEtype, filename, plist=[]):
-             c = field[i]; i = i+1
-             if c == '%':
-                 res = res + c
--            elif c == 's':
--                res = res + filename
-             elif c == 't':
-                 res = res + MIMEtype
-             elif c == '{':
-@@ -219,6 +218,9 @@ def subst(field, MIMEtype, filename, plist=[]):
-             # %F == list of alternating type and filename for parts
-             else:
-                 res = res + '%' + c
-+    res = res.replace("'%s'", quote(filename))
-+    res = res.replace('"%s"',quote(filename))
-+    res = res.replace('%s',quote(filename))
-     return res
- 
- def findparam(name, plist):
--- 
-1.8.3.1
-
diff --git a/python3.spec b/python3.spec
index 1157b6d..b18b210 100644
--- a/python3.spec
+++ b/python3.spec
@@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
 URL: https://www.python.org/
 
 Version: 3.7.9
-Release: 22
+Release: 23
 License: Python
 
 %global branchversion 3.7
@@ -160,8 +160,7 @@ Patch6049: backport-bpo-41815-SQLite-segfault-if-backup-called-on-closed.patch
 Patch6050: backport-bpo-45001-Make-email-date-parsing-more-robust-agains.patch
 Patch6051: backport-3.7-bpo-43124-Fix-smtplib-multiple-CRLF-injection-GH.patch
 Patch6052: backport-bpo-46811-Make-test-suite-support-Expat-2.4.5.patch
-
-Patch9000: openEuler-CVE-2015-20107.patch
+Patch6053: backport-CVE-2015-20107.patch
 
 Recommends: %{name}-help = %{version}-%{release}
 Provides: python%{branchversion} = %{version}-%{release}
@@ -308,8 +307,7 @@ rm Lib/ensurepip/_bundled/*.whl
 %patch6050 -p1
 %patch6051 -p1
 %patch6052 -p1
-
-%patch9000 -p1
+%patch6053 -p1
 
 sed -i "s/generic_os/%{_vendor}/g" Lib/platform.py
 rm configure pyconfig.h.in
@@ -911,6 +909,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 %{_mandir}/*/*
 
 %changelog
+* Fri Jul 01 2022 shixuantong <shixuantong@h-partners.com> - 3.7.9-23
+- Type:CVE
+- CVE:CVE-2015-20107
+- SUG:NA
+- DESC:Modify the solution of CVE-2015-20107
+
 * Sat May 14 2022 shixuantong <shixuantong@h-partners.com> - 3.7.9-22
 - Type:CVE
 - CVE:CVE-2015-20107
-- 
Gitee