!38 Fix Python parser to mark responses without length as closing

From: @xiao-zai-kylinos Reviewed-by: @caodongxia Signed-off-by: @caodongxia
2024-05-14 09:59:38 +00:00 · 2024-05-14 09:59:38 +00:00 · ca7b8ee617
commit ca7b8ee617
parent af02d6afc0 905568411f
2 changed files with 63 additions and 1 deletions
--- a/Fix-Python-parser-to-mark-responses-without-length-a.patch
+++ b/Fix-Python-parser-to-mark-responses-without-length-a.patch
@ -0,0 +1,57 @@
 From 3223e1209285d96cfe5ac92c68653c5690e6e721 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?=E8=82=96=E5=9C=A8?= <xiaozai@kylinos.cn>
 Date: Mon, 6 May 2024 20:30:09 +0800
 Subject: [PATCH] Fix Python parser to mark responses without length as closing
 ---
 CHANGES/8320.bugfix.rst   |  1 +
 aiohttp/http_parser.py    | 11 ++++++++++-
 tests/test_http_parser.py |  2 +-
 3 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 CHANGES/8320.bugfix.rst
 diff --git a/CHANGES/8320.bugfix.rst b/CHANGES/8320.bugfix.rst
 new file mode 100644
 index 0000000..3823e24
 --- /dev/null
 +++ b/CHANGES/8320.bugfix.rst
@@ -0,0 +1 @@
 +Fixed the pure python parser to mark a connection as closing when a response has no length -- by :user:`Dreamsorcerer`
 diff --git a/aiohttp/http_parser.py b/aiohttp/http_parser.py
 index 1877f55..d7b8dac 100644
 --- a/aiohttp/http_parser.py
 +++ b/aiohttp/http_parser.py
@@ -703,7 +703,16 @@ class HttpResponseParser(HttpParser[RawResponseMessage]):
         ) = self.parse_headers(lines)
         if close is None:
 -            close = version_o <= HttpVersion10
 +            if version_o <= HttpVersion10:
 +                close = True
 +            # https://www.rfc-editor.org/rfc/rfc9112.html#name-message-body-length
 +            elif 100 <= status_i < 200 or status_i in {204, 304}:
 +                close = False
 +            elif hdrs.CONTENT_LENGTH in headers or hdrs.TRANSFER_ENCODING in headers:
 +                close = False
 +            else:
 +                # https://www.rfc-editor.org/rfc/rfc9112.html#section-6.3-2.8
 +                close = True
         return RawResponseMessage(
             version_o,
 diff --git a/tests/test_http_parser.py b/tests/test_http_parser.py
 index b931730..0417fa4 100644
 --- a/tests/test_http_parser.py
 +++ b/tests/test_http_parser.py
@@ -743,7 +743,7 @@ def test_http_request_parser(parser) -> None:
     assert msg.version == (1, 1)
     assert msg.headers == CIMultiDict()
     assert msg.raw_headers == ()
 -    assert not msg.should_close
 +    assert msg.should_close
     assert msg.compression is None
     assert not msg.upgrade
     assert not msg.chunked
 -- 
 2.33.0
--- a/python-aiohttp.spec
+++ b/python-aiohttp.spec
@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name:           python-aiohttp
 Version:        3.9.3
-Release:        3
+Release:        4
 Summary:        Async http client/server framework (asyncio)
 License:        Apache 2
 URL:            https://github.com/aio-libs/aiohttp
@ -14,6 +14,8 @@ Patch1:         CVE-2024-30251.patch
 Patch2:         CVE-2024-30251-PR-8332-482e6cdf-backport-3.9-Add-set_content_dispos.patch
 # https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866
 Patch3:         CVE-2024-30251-PR-8335-5a6949da-backport-3.9-Add-Content-Dispositio.patch
 # https://github.com/aio-libs/aiohttp/commit/9ba9a4e531599b9cb2f8cc80effbde40c7eab0bd
 Patch4:         Fix-Python-parser-to-mark-responses-without-length-a.patch 
 Requires:       python3-attrs
 Requires:       python3-charset-normalizer
@ -89,6 +91,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 %changelog
 * Mon May 06 2024 xiaozai <xiaozai@kylinos.cn> - 3.9.3-4
 - Fix Python parser to mark responses without length as closing
 * Mon May 06 2024 yaoxin <yao_xin001@hoperun.com> - 3.9.3-3
 - Fix CVE-2024-30251