diff options
Diffstat (limited to 'meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch')
-rw-r--r-- | meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch | 117 |
1 files changed, 117 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch new file mode 100644 index 0000000000..3a0f4324a1 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch @@ -0,0 +1,117 @@ +From db1457abec7fe27148673f5f8bfdf5c52eb7f29f Mon Sep 17 00:00:00 2001 +From: David Lord <davidism@gmail.com> +Date: Wed, 10 May 2023 11:33:18 +0000 +Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q + +don't strip leading `=` when parsing cookie + +"src/werkzeug/sansio/http.py" file is not available in the current recipe +version 2.1.1 and this has been introduced from 2.2.0 version. Before 2.2.0 +version, this http.py file was only available in the "src/werkzeug/http.py" +and we could see the same functions available there which are getting modified +in the CVE fix commit. Hence, modifying the same at "src/werkzeug/http.py" file. + +CVE: CVE-2023-23934 + +Upstream-Status: Backport [https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + CHANGES.rst | 3 +++ + src/werkzeug/_internal.py | 13 +++++++++---- + src/werkzeug/http.py | 4 ---- + tests/test_http.py | 4 +++- + 4 files changed, 15 insertions(+), 9 deletions(-) + +diff --git a/CHANGES.rst b/CHANGES.rst +index 6e809ba..13ef75b 100644 +--- a/CHANGES.rst ++++ b/CHANGES.rst +@@ -4,6 +4,9 @@ + ``RequestEntityTooLarge`` exception is raised on parsing. This mitigates a DoS + attack where a larger number of form/file parts would result in disproportionate + resource use. ++- A cookie header that starts with ``=`` is treated as an empty key and discarded, ++ rather than stripping the leading ``==``. ++ + + Version 2.1.1 + ------------- +diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py +index a8b3523..d6290ba 100644 +--- a/src/werkzeug/_internal.py ++++ b/src/werkzeug/_internal.py +@@ -34,7 +34,7 @@ _quote_re = re.compile(rb"[\\].") + _legal_cookie_chars_re = rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]" + _cookie_re = re.compile( + rb""" +- (?P<key>[^=;]+) ++ (?P<key>[^=;]*) + (?:\s*=\s* + (?P<val> + "(?:[^\\"]|\\.)*" | +@@ -382,16 +382,21 @@ def _cookie_parse_impl(b: bytes) -> t.Iterator[t.Tuple[bytes, bytes]]: + """Lowlevel cookie parsing facility that operates on bytes.""" + i = 0 + n = len(b) ++ b += b";" + + while i < n: +- match = _cookie_re.search(b + b";", i) ++ match = _cookie_re.match(b, i) ++ + if not match: + break + +- key = match.group("key").strip() +- value = match.group("val") or b"" + i = match.end(0) ++ key = match.group("key").strip() ++ ++ if not key: ++ continue + ++ value = match.group("val") or b"" + yield key, _cookie_unquote(value) + + +diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py +index 9369900..ae133e3 100644 +--- a/src/werkzeug/http.py ++++ b/src/werkzeug/http.py +@@ -1205,10 +1205,6 @@ def parse_cookie( + def _parse_pairs() -> t.Iterator[t.Tuple[str, str]]: + for key, val in _cookie_parse_impl(header): # type: ignore + key_str = _to_str(key, charset, errors, allow_none_charset=True) +- +- if not key_str: +- continue +- + val_str = _to_str(val, charset, errors, allow_none_charset=True) + yield key_str, val_str + +diff --git a/tests/test_http.py b/tests/test_http.py +index 5936bfa..59cc179 100644 +--- a/tests/test_http.py ++++ b/tests/test_http.py +@@ -427,7 +427,8 @@ class TestHTTPUtility: + def test_parse_cookie(self): + cookies = http.parse_cookie( + "dismiss-top=6; CP=null*; PHPSESSID=0a539d42abc001cdc762809248d4beed;" +- 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d' ++ 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d;' ++ "==__Host-eq=bad;__Host-eq=good;" + ) + assert cookies.to_dict() == { + "CP": "null*", +@@ -438,6 +439,7 @@ class TestHTTPUtility: + "fo234{": "bar", + "blub": "Blah", + '"__Secure-c"': "d", ++ "__Host-eq": "good", + } + + def test_dump_cookie(self): +-- +2.40.0 + |