From b52b1c91e2c34f1eb477b87d5df61767b451fe0e Mon Sep 17 00:00:00 2001
From: changtao
Date: Tue, 19 Nov 2024 21:27:57 +0800
Subject: [PATCH] fix CVE-2024-52304
(cherry picked from commit ca897e9e95c2bcefa0021623f9d919da577cb876)
---
CVE-2024-52304.patch | 109 +++++++++++++++++++++++++++++++++++++++++++
python-aiohttp.spec | 7 ++-
2 files changed, 115 insertions(+), 1 deletion(-)
create mode 100644 CVE-2024-52304.patch
diff --git a/CVE-2024-52304.patch b/CVE-2024-52304.patch
new file mode 100644
index 0000000..b0a3b2e
--- /dev/null
+++ b/CVE-2024-52304.patch
@@ -0,0 +1,109 @@
+From 259edc369075de63e6f3a4eaade058c62af0df71 Mon Sep 17 00:00:00 2001
+From: "J. Nick Koston"
+Date: Wed, 13 Nov 2024 08:50:36 -0600
+Subject: [PATCH] [PR #9851/541d86d backport][3.10] Fix incorrect parsing of
+ chunk extensions with the pure Python parser (#9853)
+---
+ CHANGES/9851.bugfix.rst | 1 +
+ aiohttp/http_parser.py | 7 ++++++
+ tests/test_http_parser.py | 51 ++++++++++++++++++++++++++++++++++++++-
+ 3 files changed, 58 insertions(+), 1 deletion(-)
+ create mode 100644 CHANGES/9851.bugfix.rst
+
+diff --git a/CHANGES/9851.bugfix.rst b/CHANGES/9851.bugfix.rst
+new file mode 100644
+index 0000000..02541a9
+--- /dev/null
++++ b/CHANGES/9851.bugfix.rst
+@@ -0,0 +1 @@
++Fixed incorrect parsing of chunk extensions with the pure Python parser -- by :user:`bdraco`.
+diff --git a/aiohttp/http_parser.py b/aiohttp/http_parser.py
+index d7b8dac..deee4f5 100644
+--- a/aiohttp/http_parser.py
++++ b/aiohttp/http_parser.py
+@@ -833,6 +833,13 @@ class HttpPayloadParser:
+ i = chunk.find(CHUNK_EXT, 0, pos)
+ if i >= 0:
+ size_b = chunk[:i] # strip chunk-extensions
++ # Verify no LF in the chunk-extension
++ if b"\n" in (ext := chunk[i:pos]):
++ exc = BadHttpMessage(
++ f"Unexpected LF in chunk-extension: {ext!r}"
++ )
++ set_exception(self.payload, exc)
++ raise exc
+ else:
+ size_b = chunk[:pos]
+
+diff --git a/tests/test_http_parser.py b/tests/test_http_parser.py
+index 0417fa4..d348bae 100644
+--- a/tests/test_http_parser.py
++++ b/tests/test_http_parser.py
+@@ -13,6 +13,7 @@ from yarl import URL
+
+ import aiohttp
+ from aiohttp import http_exceptions, streams
++from aiohttp.base_protocol import BaseProtocol
+ from aiohttp.http_parser import (
+ NO_EXTENSIONS,
+ DeflateBuffer,
+@@ -1337,7 +1338,55 @@ def test_parse_chunked_payload_empty_body_than_another_chunked(
+ assert b"second" == b"".join(d for d in payload._buffer)
+
+
+-def test_partial_url(parser: Any) -> None:
++@pytest.mark.skipif(NO_EXTENSIONS, reason="Only tests C parser.")
++async def test_parse_chunked_payload_with_lf_in_extensions_c_parser(
++ loop: asyncio.AbstractEventLoop, protocol: BaseProtocol
++) -> None:
++ """Test the C-parser with a chunked payload that has a LF in the chunk extensions."""
++ # The C parser will raise a BadHttpMessage from feed_data
++ parser = HttpRequestParserC(
++ protocol,
++ loop,
++ 2**16,
++ max_line_size=8190,
++ max_field_size=8190,
++ )
++ payload = (
++ b"GET / HTTP/1.1\r\nHost: localhost:5001\r\n"
++ b"Transfer-Encoding: chunked\r\n\r\n2;\nxx\r\n4c\r\n0\r\n\r\n"
++ b"GET /admin HTTP/1.1\r\nHost: localhost:5001\r\n"
++ b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
++ )
++ with pytest.raises(http_exceptions.BadHttpMessage, match="\\\\nxx"):
++ parser.feed_data(payload)
++
++
++async def test_parse_chunked_payload_with_lf_in_extensions_py_parser(
++ loop: asyncio.AbstractEventLoop, protocol: BaseProtocol
++) -> None:
++ """Test the py-parser with a chunked payload that has a LF in the chunk extensions."""
++ # The py parser will not raise the BadHttpMessage directly, but instead
++ # it will set the exception on the StreamReader.
++ parser = HttpRequestParserPy(
++ protocol,
++ loop,
++ 2**16,
++ max_line_size=8190,
++ max_field_size=8190,
++ )
++ payload = (
++ b"GET / HTTP/1.1\r\nHost: localhost:5001\r\n"
++ b"Transfer-Encoding: chunked\r\n\r\n2;\nxx\r\n4c\r\n0\r\n\r\n"
++ b"GET /admin HTTP/1.1\r\nHost: localhost:5001\r\n"
++ b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
++ )
++ messages, _, _ = parser.feed_data(payload)
++ reader = messages[0][1]
++ assert isinstance(reader.exception(), http_exceptions.BadHttpMessage)
++ assert "\\nxx" in str(reader.exception())
++
++
++def test_partial_url(parser: HttpRequestParser) -> None:
+ messages, upgrade, tail = parser.feed_data(b"GET /te")
+ assert len(messages) == 0
+ messages, upgrade, tail = parser.feed_data(b"st HTTP/1.1\r\n\r\n")
+--
+2.41.0
+
diff --git a/python-aiohttp.spec b/python-aiohttp.spec
index 145006b..22e8d67 100644
--- a/python-aiohttp.spec
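Review bot: Nothing in the added patch shows that the 3.9.3 sources it is applied to already provide what the new lines rely on: the `aiohttp/http_parser.py` hunk calls `set_exception` and `BadHttpMessage` and slices with a `pos` computed outside the hunk, while the spec still packages 3.9.3 and the patch is the upstream 3.10-branch backport. The same applies to the test hunk, which needs `HttpRequestParserC`, `HttpRequestParserPy`, the `protocol` fixture and a `-def test_partial_url(parser: Any) -> None:` line to exist in the 3.9.3 `tests/test_http_parser.py`; confirm the patch applies without fuzz and that the two new tests actually run in the package build. The in-code comment `# Verify no LF in the chunk-extension` says what is checked but not why; something like `# A bare LF here lets an intermediary and this parser disagree on where the chunk-size line ends, so reject the message` would record the reason, which the test payload with a second embedded request suggests. The enclosing method of `HttpPayloadParser` starts and ends outside the hunk, so the handling of `size_b` after the `else` branch cannot be checked from here.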
+++ b/python-aiohttp.spec @@ -1,7 +1,7 @@ %global _empty_manifest_terminate_build 0 Name: python-aiohttp Version: 3.9.3 -Release: 5 +Release: 6 Summary: Async http client/server framework (asyncio) License: Apache 2 URL: https://github.com/aio-libs/aiohttp @@ -17,6 +17,8 @@ Patch3: CVE-2024-30251-PR-8335-5a6949da-backport-3.9-Add-Content-Disposi # https://github.com/aio-libs/aiohttp/commit/9ba9a4e531599b9cb2f8cc80effbde40c7eab0bd Patch4: Fix-Python-parser-to-mark-responses-without-length-a.patch Patch5: CVE-2024-42367.patch +#https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71.patch +Patch6: CVE-2024-52304.patch Requires: python3-attrs Requires: python3-charset-normalizer @@ -92,6 +94,9 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Tue Nov 19 2024 changtao - 3.9.3-6 +- Fix CVE-2024-52304 + * Fri Oct 11 2024 yaoxin - 3.9.3-5 - Fix CVE-2024-42367 -- Gitee