Univention Bugzilla – Attachment 8362 Details for
Bug 43393
python-pysaml2: XML External Entity issue (4.1)
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
CVE-2016-10127_fix-xxe-in-xml-parsing.patch
CVE-2016-10127_fix-xxe-in-xml-parsing.patch (text/plain), 8.54 KB, created by
Arvid Requate
on 2017-01-21 19:20:51 CET
(
hide
)
Description:
CVE-2016-10127_fix-xxe-in-xml-parsing.patch
Filename:
MIME Type:
Creator:
Arvid Requate
Created:
2017-01-21 19:20:51 CET
Size:
8.54 KB
patch
obsolete
>Description: CVE-2016-10127 Fix XXE in XML parsing (related to #366) > This fixes XXE issues on anything where pysaml2 parses XML directly as part of > issue #366. It doesn't address the xmlsec issues discussed on that ticket as > they are out of reach of a direct fix and need the underlying library to fix > this issue. > . > The patch has been backported form the 3.0 branch to 2.0 by zigo@debian.org. >From: Florian Rüchel <fruechel@atlassian.com> >Date: Mon, 31 Oct 2016 11:56:48 +1100 >Origin: https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b >Last-Update: 2017-01-09 > >--- python-pysaml2-2.0.0.orig/setup.py >+++ python-pysaml2-2.0.0/setup.py >@@ -46,7 +46,8 @@ install_requires = [ > 'pycrypto', # 'Crypto' > 'pytz', > 'pyOpenSSL', >- 'python-dateutil' >+ 'python-dateutil', >+ 'defusedxml' > ] > > tests_require = [ >--- python-pysaml2-2.0.0.orig/src/saml2/__init__.py >+++ python-pysaml2-2.0.0/src/saml2/__init__.py >@@ -33,6 +33,7 @@ except ImportError: > import cElementTree as ElementTree > except ImportError: > from elementtree import ElementTree >+import defusedxml.ElementTree > > root_logger = logging.getLogger(__name__) > root_logger.level = logging.NOTSET >@@ -82,7 +83,7 @@ def create_class_from_xml_string(target_ > the contents of the XML - or None if the root XML tag and namespace did > not match those of the target class. > """ >- tree = ElementTree.fromstring(xml_string) >+ tree = defusedxml.ElementTree.fromstring(xml_string) > return create_class_from_element_tree(target_class, tree) > > >@@ -264,7 +265,7 @@ class ExtensionElement(object): > > > def extension_element_from_string(xml_string): >- element_tree = ElementTree.fromstring(xml_string) >+ element_tree = defusedxml.ElementTree.fromstring(xml_string) > return _extension_element_from_element_tree(element_tree) > > >--- python-pysaml2-2.0.0.orig/src/saml2/pack.py >+++ python-pysaml2-2.0.0/src/saml2/pack.py >@@ -48,6 +48,7 @@ except ImportError: > import cElementTree as ElementTree > except ImportError: > from elementtree import ElementTree >+import defusedxml.ElementTree > > NAMESPACE = "http://schemas.xmlsoap.org/soap/envelope/" > FORM_SPEC = """<form method="post" action="%s"> >@@ -218,7 +219,7 @@ def parse_soap_enveloped_saml(text, body > :param text: The SOAP object as XML > :return: header parts and body as saml.samlbase instances > """ >- envelope = ElementTree.fromstring(text) >+ envelope = defusedxml.ElementTree.fromstring(text) > assert envelope.tag == '{%s}Envelope' % NAMESPACE > > #print len(envelope) >--- python-pysaml2-2.0.0.orig/src/saml2/soap.py >+++ python-pysaml2-2.0.0/src/saml2/soap.py >@@ -32,6 +32,7 @@ except ImportError: > except ImportError: > #noinspection PyUnresolvedReferences > from elementtree import ElementTree >+import defusedxml.ElementTree > > > logger = logging.getLogger(__name__) >@@ -146,7 +147,7 @@ def parse_soap_enveloped_saml_thingy(tex > :param expected_tags: What the tag of the SAML thingy is expected to be. > :return: SAML thingy as a string > """ >- envelope = ElementTree.fromstring(text) >+ envelope = defusedxml.ElementTree.fromstring(text) > > # Make sure it's a SOAP message > assert envelope.tag == '{%s}Envelope' % soapenv.NAMESPACE >@@ -196,7 +197,7 @@ def class_instances_from_soap_enveloped_ > :return: The body and headers as class instances > """ > try: >- envelope = ElementTree.fromstring(text) >+ envelope = defusedxml.ElementTree.fromstring(text) > except Exception, exc: > raise XmlParseError("%s" % exc) > >@@ -222,7 +223,7 @@ def open_soap_envelope(text): > :return: dictionary with two keys "body"/"header" > """ > try: >- envelope = ElementTree.fromstring(text) >+ envelope = defusedxml.ElementTree.fromstring(text) > except Exception, exc: > raise XmlParseError("%s" % exc) > >--- python-pysaml2-2.0.0.orig/tests/test_03_saml2.py >+++ python-pysaml2-2.0.0/tests/test_03_saml2.py >@@ -17,6 +17,7 @@ except ImportError: > import cElementTree as ElementTree > except ImportError: > from elementtree import ElementTree >+from defusedxml.common import EntitiesForbidden > > ITEMS = { > NameID: ["""<?xml version="1.0" encoding="utf-8"?> >@@ -166,6 +167,19 @@ def test_create_class_from_xml_string_wr > assert kl == None > > >+def test_create_class_from_xml_string_xxe(): >+ xml = """<?xml version="1.0"?> >+ <!DOCTYPE lolz [ >+ <!ENTITY lol "lol"> >+ <!ELEMENT lolz (#PCDATA)> >+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> >+ ]> >+ <lolz>&lol1;</lolz> >+ """ >+ with raises(EntitiesForbidden) as err: >+ create_class_from_xml_string(NameID, xml) >+ >+ > def test_ee_1(): > ee = saml2.extension_element_from_string( > """<?xml version='1.0' encoding='UTF-8'?><foo>bar</foo>""") >@@ -454,6 +468,19 @@ def test_ee_7(): > assert nid.text.strip() == "http://federationX.org" > > >+def test_ee_xxe(): >+ xml = """<?xml version="1.0"?> >+ <!DOCTYPE lolz [ >+ <!ENTITY lol "lol"> >+ <!ELEMENT lolz (#PCDATA)> >+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> >+ ]> >+ <lolz>&lol1;</lolz> >+ """ >+ with raises(EntitiesForbidden): >+ saml2.extension_element_from_string(xml) >+ >+ > def test_extension_element_loadd(): > ava = {'attributes': {}, > 'tag': 'ExternalEntityAttributeAuthority', >--- python-pysaml2-2.0.0.orig/tests/test_43_soap.py >+++ python-pysaml2-2.0.0/tests/test_43_soap.py >@@ -12,9 +12,13 @@ except ImportError: > import cElementTree as ElementTree > except ImportError: > from elementtree import ElementTree >+from defusedxml.common import EntitiesForbidden >+ >+from pytest import raises > > import saml2.samlp as samlp > from saml2.samlp import NAMESPACE as SAMLP_NAMESPACE >+from saml2 import soap > > NAMESPACE = "http://schemas.xmlsoap.org/soap/envelope/" > >@@ -66,3 +70,42 @@ def test_make_soap_envelope(): > assert len(body) == 1 > saml_part = body[0] > assert saml_part.tag == '{%s}AuthnRequest' % SAMLP_NAMESPACE >+ >+ >+def test_parse_soap_enveloped_saml_thingy_xxe(): >+ xml = """<?xml version="1.0"?> >+ <!DOCTYPE lolz [ >+ <!ENTITY lol "lol"> >+ <!ELEMENT lolz (#PCDATA)> >+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> >+ ]> >+ <lolz>&lol1;</lolz> >+ """ >+ with raises(EntitiesForbidden): >+ soap.parse_soap_enveloped_saml_thingy(xml, None) >+ >+ >+def test_class_instances_from_soap_enveloped_saml_thingies_xxe(): >+ xml = """<?xml version="1.0"?> >+ <!DOCTYPE lolz [ >+ <!ENTITY lol "lol"> >+ <!ELEMENT lolz (#PCDATA)> >+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> >+ ]> >+ <lolz>&lol1;</lolz> >+ """ >+ with raises(soap.XmlParseError): >+ soap.class_instances_from_soap_enveloped_saml_thingies(xml, None) >+ >+ >+def test_open_soap_envelope_xxe(): >+ xml = """<?xml version="1.0"?> >+ <!DOCTYPE lolz [ >+ <!ENTITY lol "lol"> >+ <!ELEMENT lolz (#PCDATA)> >+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> >+ ]> >+ <lolz>&lol1;</lolz> >+ """ >+ with raises(soap.XmlParseError): >+ soap.open_soap_envelope(xml) >--- python-pysaml2-2.0.0.orig/tests/test_51_client.py >+++ python-pysaml2-2.0.0/tests/test_51_client.py >@@ -4,6 +4,7 @@ > import base64 > import urllib > import urlparse >+ > from saml2.authn_context import INTERNETPROTOCOLPASSWORD > from saml2.response import LogoutResponse > >@@ -11,6 +12,7 @@ from saml2.client import Saml2Client > from saml2 import samlp, BINDING_HTTP_POST, BINDING_HTTP_REDIRECT > from saml2 import saml, config, class_name > from saml2.config import SPConfig >+from saml2.pack import parse_soap_enveloped_saml > from saml2.saml import NAMEID_FORMAT_PERSISTENT > from saml2.saml import NAMEID_FORMAT_TRANSIENT > from saml2.saml import NameID >@@ -18,6 +20,7 @@ from saml2.server import Server > from saml2.time_util import in_a_while > > from py.test import raises >+from defusedxml.common import EntitiesForbidden > from fakeIDP import FakeIDP, unpack_form > > >@@ -439,6 +442,17 @@ class TestClientWithDummy(): > 'http://www.example.com/login' > assert ac.authn_context_class_ref.text == INTERNETPROTOCOLPASSWORD > >+def test_parse_soap_enveloped_saml_xxe(): >+ xml = """<?xml version="1.0"?> >+ <!DOCTYPE lolz [ >+ <!ENTITY lol "lol"> >+ <!ELEMENT lolz (#PCDATA)> >+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> >+ ]> >+ <lolz>&lol1;</lolz> >+ """ >+ with raises(EntitiesForbidden): >+ parse_soap_enveloped_saml(xml, None) > > # if __name__ == "__main__": > # tc = TestClient()
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=8362">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 43393
: 8362