Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Evergreen:11.2:Test
python-bugzilla
python-bugzilla-0.6.2-CVE-2013-2191-ssl-validat...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File python-bugzilla-0.6.2-CVE-2013-2191-ssl-validate.patch of Package python-bugzilla
Index: python-bugzilla-0.6.2/bugzilla/base.py =================================================================== --- python-bugzilla-0.6.2.orig/bugzilla/base.py 2013-06-28 12:36:49.861947869 +0200 +++ python-bugzilla-0.6.2/bugzilla/base.py 2013-06-28 13:18:08.508875654 +0200 @@ -10,6 +10,7 @@ # the full text of the license. import xmlrpclib, urllib2 +import httplib, socket, ssl try: import cookielib except ImportError: @@ -102,7 +103,8 @@ cookies persistently. ''' def __init__(self, url=None, user=None, password=None, - cookiefile=os.path.expanduser('~/.bugzillacookies')): + cookiefile=os.path.expanduser('~/.bugzillacookies'), + sslverify=True): # Settings the user might want to tweak self.user = user or '' self.password = password or '' @@ -115,6 +117,7 @@ else: self._cookiefile = True self.cookiefile = cookiefile + self._sslverify = bool(sslverify) self.user_agent = user_agent self.logged_in = False @@ -253,6 +256,11 @@ If 'user' and 'password' are both set, we'll run login(). Otherwise you'll have to login() yourself before some methods will work. ''' + + # init ssl verification + if self._sslverify: + httplib.HTTPSConnection = VerifiedHTTPSConnection + # Set up the transport if url.startswith('https'): self._transport = SafeCookieTransport() @@ -1050,6 +1058,44 @@ else: request = request_with_cookies # python 2.6 and earlier + +class SSLVerifyError(Exception): + pass + +class VerifiedHTTPSConnection(httplib.HTTPSConnection): + + def _get_valid_hosts(self, cert): + if 'subjectAltName' in cert: + return [x[1] for x in cert['subjectAltName'] + if x[0].lower() == 'dns'] + else: + return [x[0][1] for x in cert['subject'] + if x[0][0].lower() == 'commonname'] + + def validate_hosts(self): + cert = self.sock.getpeercert() + hosts = self._get_valid_hosts(cert) + import re + for host in hosts: + host_re = host.replace('.', '\.').replace('*', '[^.]*') + if re.search('^%s$' % (host_re,), self.host, re.I): + return + raise SSLVerifyError("hostnames in certificate don't match request") + + def connect(self): + # overrides the version in httplib so that we do + # certificate verification + sock = socket.create_connection((self.host, self.port), + self.timeout) + if self._tunnel_host: + self.sock = sock + self._tunnel() + # wrap the socket using verification with the root + # certs in trusted_root_certs + self.sock = ssl.wrap_socket(sock, cert_reqs=ssl.CERT_REQUIRED, ca_certs='/etc/ssl/certs') + self.validate_hosts() + + class BasicAuthTransport(xmlrpclib.SafeTransport): """A subclass of xmlrpclib.SafeTransport that allows setting HTTP Basic Auth without exposing it as part of URL in backtraces.""" Index: python-bugzilla-0.6.2/bin/bugzilla =================================================================== --- python-bugzilla-0.6.2.orig/bin/bugzilla 2013-06-28 12:36:49.839947240 +0200 +++ python-bugzilla-0.6.2/bin/bugzilla 2013-06-28 13:16:52.103689280 +0200 @@ -55,6 +55,8 @@ p.add_option('--bztype',default='auto', help="Bugzilla type. Autodetected if not set. " "Available types: %s" % " ".join(bugzilla.classlist)) + p.add_option('--nosslverify', dest='sslverify', action='store_false', default=True, + help="don't error on invalid bugzilla SSL certificate") p.add_option('--user', help="username") p.add_option('--password', @@ -363,7 +365,7 @@ bzclass = getattr(bugzilla,global_opt.bztype) else: parser.error("bztype must be one of: %s" % str(bugzilla.classlist)) - bz=bzclass(url=global_opt.bugzilla) + bz=bzclass(url=global_opt.bugzilla, sslverify=global_opt.sslverify) # Handle 'login' action if action == 'login':
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor