fix CVE-2024-52304

(cherry picked from commit ca897e9e95c2bcefa0021623f9d919da577cb876)
2024-11-19 21:27:57 +08:00 · 2024-11-19 21:27:57 +08:00 · b52b1c91e2
commit b52b1c91e2
parent 0225ebb3ae
2 changed files with 115 additions and 1 deletions
--- a/CVE-2024-52304.patch
+++ b/CVE-2024-52304.patch
@ -0,0 +1,109 @@
 From 259edc369075de63e6f3a4eaade058c62af0df71 Mon Sep 17 00:00:00 2001
 From: "J. Nick Koston" <nick@koston.org>
 Date: Wed, 13 Nov 2024 08:50:36 -0600
 Subject: [PATCH] [PR #9851/541d86d backport][3.10] Fix incorrect parsing of
 chunk extensions with the pure Python parser (#9853)
 ---
 CHANGES/9851.bugfix.rst   |  1 +
 aiohttp/http_parser.py    |  7 ++++++
 tests/test_http_parser.py | 51 ++++++++++++++++++++++++++++++++++++++-
 3 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 CHANGES/9851.bugfix.rst
 diff --git a/CHANGES/9851.bugfix.rst b/CHANGES/9851.bugfix.rst
 new file mode 100644
 index 0000000..02541a9
 --- /dev/null
 +++ b/CHANGES/9851.bugfix.rst
@@ -0,0 +1 @@
 +Fixed incorrect parsing of chunk extensions with the pure Python parser -- by :user:`bdraco`.
 diff --git a/aiohttp/http_parser.py b/aiohttp/http_parser.py
 index d7b8dac..deee4f5 100644
 --- a/aiohttp/http_parser.py
 +++ b/aiohttp/http_parser.py
@@ -833,6 +833,13 @@ class HttpPayloadParser:
                         i = chunk.find(CHUNK_EXT, 0, pos)
                         if i >= 0:
                             size_b = chunk[:i]  # strip chunk-extensions
 +                            # Verify no LF in the chunk-extension
 +                            if b"\n" in (ext := chunk[i:pos]):
 +                                exc = BadHttpMessage(
 +                                    f"Unexpected LF in chunk-extension: {ext!r}"
 +                                    )
 +                                set_exception(self.payload, exc)
 +                                raise exc
                         else:
                             size_b = chunk[:pos]
 diff --git a/tests/test_http_parser.py b/tests/test_http_parser.py
 index 0417fa4..d348bae 100644
 --- a/tests/test_http_parser.py
 +++ b/tests/test_http_parser.py
@@ -13,6 +13,7 @@ from yarl import URL
 import aiohttp
 from aiohttp import http_exceptions, streams
 +from aiohttp.base_protocol import BaseProtocol
 from aiohttp.http_parser import (
     NO_EXTENSIONS,
     DeflateBuffer,
@@ -1337,7 +1338,55 @@ def test_parse_chunked_payload_empty_body_than_another_chunked(
     assert b"second" == b"".join(d for d in payload._buffer)
 -def test_partial_url(parser: Any) -> None:
 +@pytest.mark.skipif(NO_EXTENSIONS, reason="Only tests C parser.")
 +async def test_parse_chunked_payload_with_lf_in_extensions_c_parser(
 +    loop: asyncio.AbstractEventLoop, protocol: BaseProtocol
 +) -> None:
 +    """Test the C-parser with a chunked payload that has a LF in the chunk extensions."""
 +    # The C parser will raise a BadHttpMessage from feed_data
 +    parser = HttpRequestParserC(
 +        protocol,
 +        loop,
 +        2**16,
 +        max_line_size=8190,
 +        max_field_size=8190,
 +    )
 +    payload = (
 +        b"GET / HTTP/1.1\r\nHost: localhost:5001\r\n"
 +        b"Transfer-Encoding: chunked\r\n\r\n2;\nxx\r\n4c\r\n0\r\n\r\n"
 +        b"GET /admin HTTP/1.1\r\nHost: localhost:5001\r\n"
 +        b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
 +    )
 +    with pytest.raises(http_exceptions.BadHttpMessage, match="\\\\nxx"):
 +        parser.feed_data(payload)
 +
 +
 +async def test_parse_chunked_payload_with_lf_in_extensions_py_parser(
 +    loop: asyncio.AbstractEventLoop, protocol: BaseProtocol
 +) -> None:
 +    """Test the py-parser with a chunked payload that has a LF in the chunk extensions."""
 +    # The py parser will not raise the BadHttpMessage directly, but instead
 +    # it will set the exception on the StreamReader.
 +    parser = HttpRequestParserPy(
 +        protocol,
 +        loop,
 +        2**16,
 +        max_line_size=8190,
 +        max_field_size=8190,
 +    )
 +    payload = (
 +        b"GET / HTTP/1.1\r\nHost: localhost:5001\r\n"
 +        b"Transfer-Encoding: chunked\r\n\r\n2;\nxx\r\n4c\r\n0\r\n\r\n"
 +        b"GET /admin HTTP/1.1\r\nHost: localhost:5001\r\n"
 +        b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
 +    )
 +    messages, _, _ = parser.feed_data(payload)
 +    reader = messages[0][1]
 +    assert isinstance(reader.exception(), http_exceptions.BadHttpMessage)
 +    assert "\\nxx" in str(reader.exception())
 +
 +
 +def test_partial_url(parser: HttpRequestParser) -> None:
     messages, upgrade, tail = parser.feed_data(b"GET /te")
     assert len(messages) == 0
     messages, upgrade, tail = parser.feed_data(b"st HTTP/1.1\r\n\r\n")
 -- 
 2.41.0
--- a/python-aiohttp.spec
+++ b/python-aiohttp.spec
@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name:           python-aiohttp
 Version:        3.9.3
-Release:        5
+Release:        6
 Summary:        Async http client/server framework (asyncio)
 License:        Apache 2
 URL:            https://github.com/aio-libs/aiohttp
@ -17,6 +17,8 @@ Patch3:         CVE-2024-30251-PR-8335-5a6949da-backport-3.9-Add-Content-Disposi
 # https://github.com/aio-libs/aiohttp/commit/9ba9a4e531599b9cb2f8cc80effbde40c7eab0bd
 Patch4:         Fix-Python-parser-to-mark-responses-without-length-a.patch 
 Patch5:         CVE-2024-42367.patch
 #https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71.patch
 Patch6:         CVE-2024-52304.patch
 Requires:       python3-attrs
 Requires:       python3-charset-normalizer
@ -92,6 +94,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 %changelog
 * Tue Nov 19 2024 changtao <changtao@kylinos.cn> - 3.9.3-6
 - Fix CVE-2024-52304
 * Fri Oct 11 2024 yaoxin <yao_xin001@hoperun.com> - 3.9.3-5
 - Fix CVE-2024-42367