From 25d18d0e7d7de6add0d812476635e820de1e326c Mon Sep 17 00:00:00 2001
From: wangshuo
Date: Tue, 29 Oct 2024 21:02:21 +0800
Subject: [PATCH] backport some security-related upstream patches
---
 ...-not-expose-on-disk-location-from-Si.patch | 64 +++++++++++++
 ...-directory-traversal-security-flaw-i.patch | 89 +++++++++++++++++++
 python3.spec | 16 +++-
 3 files changed, 168 insertions(+), 1 deletion(-)
 create mode 100644 backport-3.7-gh-104049-do-not-expose-on-disk-location-from-Si.patch
 create mode 100644 backport-3.7-gh-99889-Fix-directory-traversal-security-flaw-i.patch
diff --git a/backport-3.7-gh-104049-do-not-expose-on-disk-location-from-Si.patch b/backport-3.7-gh-104049-do-not-expose-on-disk-location-from-Si.patch
new file mode 100644
index 0000000..f6385be
--- /dev/null
+++ b/backport-3.7-gh-104049-do-not-expose-on-disk-location-from-Si.patch
@@ -0,0 +1,64 @@
+From 4e2dd0c3626649224b87b757a292959d94152a00 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Fri, 26 May 2023 23:41:46 -0700
+Subject: [PATCH] [3.7] gh-104049: do not expose on-disk location from
+ SimpleHTTPRequestHandler (GH-104122)
+
+Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure)
+
+(cherry picked from commit c7c3a60c88de61a79ded9fdaf6bc6a29da4efb9a)
+
+Co-authored-by: Ethan Furman
+Co-authored-by: Gregory P. Smith
+Co-authored-by: Jelle Zijlstra
+---
+ Lib/http/server.py | 2 +-
+ Lib/test/test_httpservers.py | 8 ++++++++
+ .../2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst | 2 ++
+ 3 files changed, 11 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst
+
+diff --git a/Lib/http/server.py b/Lib/http/server.py
+index ba2acbc98bf..beabe3de7ab 100644
+--- a/Lib/http/server.py
++++ b/Lib/http/server.py
+@@ -777,7 +777,7 @@ class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
+ displaypath = urllib.parse.unquote(self.path,
+ errors='surrogatepass')
+ except UnicodeDecodeError:
+- displaypath = urllib.parse.unquote(path)
++ displaypath = urllib.parse.unquote(self.path)
+ displaypath = html.escape(displaypath, quote=False)
+ enc = sys.getfilesystemencoding()
+ title = 'Directory listing for %s' % displaypath
+diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
+index b3e15c475a4..8c9be689003 100644
+--- a/Lib/test/test_httpservers.py
++++ b/Lib/test/test_httpservers.py
+@@ -413,6 +413,14 @@ class SimpleHTTPServerTestCase(BaseTestCase):
+ self.check_status_and_reason(response, HTTPStatus.OK,
+ data=support.TESTFN_UNDECODABLE)
+
++ def test_undecodable_parameter(self):
++ # sanity check using a valid parameter
++ response = self.request(self.base_url + '/?x=123').read()
++
self.assertRegex(response, f'listing for {self.base_url}/\?x=123'.encode('latin1'))
++ # now the bogus encoding
++ response = self.request(self.base_url + '/?x=%bb').read()
++ self.assertRegex(response, f'listing for {self.base_url}/\?x=\xef\xbf\xbd'.encode('latin1'))
++
+ def test_get_dir_redirect_location_domain_injection_bug(self):
+ """Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location.
+
+diff --git a/Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst b/Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst
+new file mode 100644
+index 00000000000..969deb26bfe
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2023-05-01-15-03-25.gh-issue-104049.b01Y3g.rst
+@@ -0,0 +1,2 @@
++Do not expose the local on-disk location in directory indexes
++produced by :class:`http.client.SimpleHTTPRequestHandler`.
+--
+2.25.1
+
diff --git a/backport-3.7-gh-99889-Fix-directory-traversal-security-flaw-i.patch b/backport-3.7-gh-99889-Fix-directory-traversal-security-flaw-i.patch
new file mode 100644
index 0000000..81d07dc
--- /dev/null
+++ b/backport-3.7-gh-99889-Fix-directory-traversal-security-flaw-i.patch
@@ -0,0 +1,89 @@
+From 1ce801b81ce63867ce382f6e9f56873a844c2bc6 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Sat, 27 May 2023 00:04:28 -0700
+Subject: [PATCH] [3.7] gh-99889: Fix directory traversal security flaw in
+ uu.decode() (GH-104333)
+
+(cherry picked from commit 0aeda297931820436a50b78f4f7f0597274b5df4)
+Co-authored-by: Sam Carroll <70000253+samcarroll42@users.noreply.github.com>
+---
+ Lib/test/test_uu.py | 28 +++++++++++++++++++
+ Lib/uu.py | 9 +++++-
+ ...3-05-02-17-56-32.gh-issue-99889.l664SU.rst | 2 ++
+ 3 files changed, 38 insertions(+), 1 deletion(-)
+ mode change 100755 => 100644 Lib/uu.py
+ create mode 100644 Misc/NEWS.d/next/Security/2023-05-02-17-56-32.gh-issue-99889.l664SU.rst
+
+diff --git a/Lib/test/test_uu.py b/Lib/test/test_uu.py
+index c8709f7a0d6..e5d93d6cd1c 100644
+--- a/Lib/test/test_uu.py
++++ b/Lib/test/test_uu.py
+@@ -145,6 +145,34 @@ class UUTest(unittest.TestCase):
+ uu.encode(inp, out, filename)
+ self.assertIn(safefilename, out.getvalue())
+
++ def test_no_directory_traversal(self):
++ relative_bad = b"""\
++begin 644 ../../../../../../../../tmp/test1
++$86)C"@``
++`
++end
++"""
++ with self.assertRaisesRegex(uu.Error, 'directory'):
++ uu.decode(io.BytesIO(relative_bad))
++ if os.altsep:
++ relative_bad_bs = relative_bad.replace(b'/', b'\\')
++ with self.assertRaisesRegex(uu.Error, 'directory'):
++ uu.decode(io.BytesIO(relative_bad_bs))
++
++ absolute_bad = b"""\
++begin 644 /tmp/test2
++$86)C"@``
++`
++end
++"""
++ with self.assertRaisesRegex(uu.Error, 'directory'):
++ uu.decode(io.BytesIO(absolute_bad))
++ if os.altsep:
++ absolute_bad_bs = absolute_bad.replace(b'/', b'\\')
++ with self.assertRaisesRegex(uu.Error, 'directory'):
++ uu.decode(io.BytesIO(absolute_bad_bs))
++
++
+ class UUStdIOTest(unittest.TestCase):
+
+ def setUp(self):
+diff --git a/Lib/uu.py b/Lib/uu.py
+old mode 100755
+new mode 100644
+index 9f1f37f1a64..9fe252a639e
+--- a/Lib/uu.py
++++
b/Lib/uu.py
+@@ -130,7 +130,14 @@ def decode(in_file, out_file=None, mode=None, quiet=False):
+ # If the filename isn't ASCII, what's up with that?!?
+ out_file = hdrfields[2].rstrip(b' \t\r\n\f').decode("ascii")
+ if os.path.exists(out_file):
+- raise Error('Cannot overwrite existing file: %s' % out_file)
++ raise Error(f'Cannot overwrite existing file: {out_file}')
++ if (out_file.startswith(os.sep) or
++ f'..{os.sep}' in out_file or (
++ os.altsep and
++ (out_file.startswith(os.altsep) or
++ f'..{os.altsep}' in out_file))
++ ):
++ raise Error(f'Refusing to write to {out_file} due to directory traversal')
+ if mode is None:
+ mode = int(hdrfields[1], 8)
+ #
+diff --git a/Misc/NEWS.d/next/Security/2023-05-02-17-56-32.gh-issue-99889.l664SU.rst b/Misc/NEWS.d/next/Security/2023-05-02-17-56-32.gh-issue-99889.l664SU.rst
+new file mode 100644
+index 00000000000..b7002e81b6b
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2023-05-02-17-56-32.gh-issue-99889.l664SU.rst
+@@ -0,0 +1,2 @@
++Fixed a security in flaw in :func:`uu.decode` that could allow for
++directory traversal based on the input if no ``out_file`` was specified.
+--
+2.25.1
+
diff --git a/python3.spec b/python3.spec
index 84339f9..6f57449 100644
--- a/python3.spec
+++ b/python3.spec
@@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
 URL: https://www.python.org/
 Version: 3.7.9
-Release: 40
+Release: 41
 License: Python-2.0
 %global branchversion 3.7
@@ -189,6 +189,9 @@ Patch9008: backport-3.7-gh-107845-Fix-symlink-handling-for-tarfile.data_.patch
 # fix test error
 Patch9009: backport-3.7-gh-115133-Fix-test_xml_etree-error-with-expat-ve.patch
+Patch9010: backport-3.7-gh-104049-do-not-expose-on-disk-location-from-Si.patch
+Patch9011: backport-3.7-gh-99889-Fix-directory-traversal-security-flaw-i.patch
+
 Provides: python%{branchversion} = %{version}-%{release}
 Provides: python(abi) = %{branchversion}
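Review bot: In the backported `Lib/uu.py` hunk the new traversal check is placed after `if os.path.exists(out_file):`, so a header filename like the test's `/tmp/test2` is answered with `Cannot overwrite existing file` when that path exists and with `Refusing to write to …` when it does not, which lets a caller decoding untrusted input learn whether an arbitrary path exists. Moving the new `if (out_file.startswith(os.sep) or …)` block above the existence check, or raising one message for both cases, removes that signal; since this file is a verbatim cherry-pick, that is a follow-up to raise upstream rather than a reason to hold the backport. The predicate also only rejects a leading separator and `..` followed by a separator, so a nested relative path in the header is still written as given; if this package wants to be stricter than upstream, requiring `os.path.basename(out_file) == out_file` would confine writes to the current directory. The body of decode() begins before and continues after the hunk.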
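Review bot: Patch9010 and Patch9011 are added without the one-line comment the spec gives Patch9009 (`# fix test error`), so the reason these two backports are carried is not recorded next to them; a line such as `# fix security issues: gh-104049 (http.server directory index), gh-99889 (uu.decode traversal)` above Patch9010 would keep the existing convention. The %changelog entry in the last hunk then files the same two backports under `- Type:bugfix`, although the commit subject and both upstream NEWS entries (under Misc/NEWS.d/next/Security) classify them as security fixes; a Type line reflecting that makes the update easier to find when auditing this package's security history.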
@@ -358,6 +361,9 @@ rm Lib/ensurepip/_bundled/*.whl
 %patch9008 -p1
 %patch9009 -p1
+%patch9010 -p1
+%patch9011 -p1
+
 sed -i "s/generic_os/%{_vendor}/g" Lib/platform.py
 rm configure pyconfig.h.in
@@ -962,6 +968,14 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 %{_mandir}/*/*
 %changelog
+* Tue Oct 29 2024 wangshuo - 3.7.9-41
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:backport upstream patches
+- gh-104049: do not expose on-disk location from SimpleHTTPRequestHandler
+- gh-99889: Fix directory traversal security flaw in uu.decode()
+
 * Fri Oct 25 2024 wangshuo - 3.7.9-40
 - Type:CVE
 - CVE:CVE-2007-4559
-- Gitee