Apply python/cpython@75a875e

gevent · Feb 12, 2024 · bd35572 · bd35572
1 parent af1c3a9
commit bd35572
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 8 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -84,6 +84,11 @@ jobs:
         # with it. That means for the bulk of our testing we need to
         # stick to 3.9.
         # PyPy 7.3.13 started crashing for unknown reasons.
+        # CAREFUL: Some of the tests are only run on specific versions of Python,
+        # as dictated by the conditions found below. So when you change a version,
+        # for example to force a specific patch release, don't forget to change conditions!
+        # XXX: We could probably make this easier on ourself by adding a specific
+        # key to the matrix in the version we care about and checking for that matrix key.
         python-version: ["3.12.1", "pypy-3.10-v7.3.12", 3.8, 3.9, '3.10', '3.11.8']
         os: [macos-latest, ubuntu-latest]
         exclude:
@@ -275,7 +280,7 @@ jobs:
           python -m gevent.tests --second-chance $G_USE_COV `(cd src/gevent/tests >/dev/null && ls test__*subprocess*.py)`
       - name: "Tests: c-ares resolver"
         # This sometimes fails on mac.
-        if: (matrix.python-version == '3.11') && startsWith(runner.os, 'Linux')
+        if: (matrix.python-version == '3.11.8') && startsWith(runner.os, 'Linux')
         env:
           GEVENT_RESOLVER: ares
         run: |
@@ -292,27 +297,27 @@ jobs:
         # Run the leaktests;
         # This is incredibly important and we MUST have an environment that successfully passes
         # these tests.
-        if: (startsWith(matrix.python-version, '3.11')) && startsWith(runner.os, 'Linux')
+        if: (startsWith(matrix.python-version, '3.11.8')) && startsWith(runner.os, 'Linux')
         env:
           GEVENTTEST_LEAKCHECK: 1
         run: |
           python -m gevent.tests --second-chance --ignore tests_that_dont_do_leakchecks.txt
       - name: "Tests: PURE_PYTHON"
         # No compiled cython modules on CPython, using the default backend. Get coverage here.
         # We should only need to run this for a single version.
-        if: (matrix.python-version == '3.11') && startsWith(runner.os, 'Linux')
+        if: (matrix.python-version == '3.11.8') && startsWith(runner.os, 'Linux')
         env:
           PURE_PYTHON: 1
         run: |
           python -mgevent.tests --second-chance --coverage
       - name: "Tests: libuv"
-        if: (startsWith(matrix.python-version, '3.11'))
+        if: (startsWith(matrix.python-version, '3.11.8'))
         env:
           GEVENT_LOOP: libuv
         run: |
           python -m gevent.tests --second-chance $G_USE_COV
       - name: "Tests: libev-cffi"
-        if: (matrix.python-version == '3.11') && startsWith(runner.os, 'Linux')
+        if: (matrix.python-version == '3.11.8') && startsWith(runner.os, 'Linux')
         env:
           GEVENT_LOOP: libev-cffi
         run: |

diff --git a/docs/changes/2020.bugfix b/docs/changes/2020.bugfix
@@ -7,3 +7,4 @@ Other updates for compatibility with the standard library include:
 - ``SSLSocket.recv_into`` and ``SSLSocket.read`` no longer require the
   buffer to implement ``len`` and now work with buffers whose size is
   not 1.
+- gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw.
diff --git a/src/gevent/ssl.py b/src/gevent/ssl.py
@@ -16,10 +16,9 @@
 
 
 from gevent.socket import socket, timeout_default
-from gevent.socket import error as socket_error
 from gevent.socket import timeout as _socket_timeout
 from gevent._util import copy_globals
-
+socket_error = OSError
 
 from weakref import ref as _wref
 
@@ -293,12 +292,43 @@ def __init__(self, sock=None, keyfile=None, certfile=None,
         # see if we're connected
         try:
             self._sock.getpeername()
-        except socket_error as e:
+        except OSError as e:
             if e.errno != errno.ENOTCONN:
                 # This file descriptor is hosed, shared or not.
                 # Clean up.
                 self.close()
                 raise
+            # Next block is originally from
+            # https://github.com/python/cpython/commit/75a875e0df0530b75b1470d797942f90f4a718d3,
+            # intended to fix https://github.com/python/cpython/issues/108310
+            blocking = self.getblocking()
+            self.setblocking(False)
+            try:
+                # We are not connected so this is not supposed to block, but
+                # testing revealed otherwise on macOS and Windows so we do
+                # the non-blocking dance regardless. Our raise when any data
+                # is found means consuming the data is harmless.
+                notconn_pre_handshake_data = self.recv(1)
+            except OSError as e: # pylint:disable=redefined-outer-name
+                # EINVAL occurs for recv(1) on non-connected on unix sockets.
+                if e.errno not in (errno.ENOTCONN, errno.EINVAL):
+                    raise
+                notconn_pre_handshake_data = b''
+            self.setblocking(blocking)
+            if notconn_pre_handshake_data:
+                # This prevents pending data sent to the socket before it was
+                # closed from escaping to the caller who could otherwise
+                # presume it came through a successful TLS connection.
+                reason = "Closed before TLS handshake with data in recv buffer."
+                notconn_pre_handshake_data_error = SSLError(e.errno, reason)
+                # Add the SSLError attributes that _ssl.c always adds.
+                notconn_pre_handshake_data_error.reason = reason
+                notconn_pre_handshake_data_error.library = None
+                try:
+                    self.close()
+                except OSError:
+                    pass
+                raise notconn_pre_handshake_data_error
         else:
             connected = True
         self._connected = connected