-
Notifications
You must be signed in to change notification settings - Fork 546
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Patch CVE-2024-49767 in python-werkzeug (#10949)
Co-authored-by: Suresh Thelkar <[email protected]>
- Loading branch information
1 parent
6750465
commit 1f60550
Showing
2 changed files
with
90 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| From 65c8b89ca07543209451a646348bbadb3ca2a4d0 Mon Sep 17 00:00:00 2001 | ||
| From: David Lord <[email protected]> | ||
| Date: Fri, 25 Oct 2024 06:46:50 -0700 | ||
| Subject: [PATCH] apply max_form_memory_size another level up in the parser | ||
|
|
||
| Upstream patch details are given below. | ||
| https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b#diff-ff3c479edefad986d2fe6fe7ead575a46b086e3bbcf0ccc86d85efc4a4c63c79 | ||
| --- | ||
| src/werkzeug/formparser.py | 11 +++++++++++ | ||
| src/werkzeug/sansio/multipart.py | 2 ++ | ||
| tests/test_formparser.py | 12 ++++++++++++ | ||
| 3 files changed, 25 insertions(+) | ||
|
|
||
| diff --git a/src/werkzeug/formparser.py b/src/werkzeug/formparser.py | ||
| index 25ef0d6..a5838e4 100644 | ||
| --- a/src/werkzeug/formparser.py | ||
| +++ b/src/werkzeug/formparser.py | ||
| @@ -480,6 +480,7 @@ class MultiPartParser: | ||
| self, stream: t.IO[bytes], boundary: bytes, content_length: int | None | ||
| ) -> tuple[MultiDict, MultiDict]: | ||
| current_part: Field | File | ||
| + field_size: int | None = None | ||
| container: t.IO[bytes] | list[bytes] | ||
| _write: t.Callable[[bytes], t.Any] | ||
|
|
||
| @@ -498,13 +499,23 @@ class MultiPartParser: | ||
| while not isinstance(event, (Epilogue, NeedData)): | ||
| if isinstance(event, Field): | ||
| current_part = event | ||
| + field_size = 0 | ||
| container = [] | ||
| _write = container.append | ||
| elif isinstance(event, File): | ||
| current_part = event | ||
| + field_size = None | ||
| container = self.start_file_streaming(event, content_length) | ||
| _write = container.write | ||
| elif isinstance(event, Data): | ||
| + if self.max_form_memory_size is not None and field_size is not None: | ||
| + # Ensure that accumulated data events do not exceed limit. | ||
| + # Also checked within single event in MultipartDecoder. | ||
| + field_size += len(event.data) | ||
| + | ||
| + if field_size > self.max_form_memory_size: | ||
| + raise RequestEntityTooLarge() | ||
| + | ||
| _write(event.data) | ||
| if not event.more_data: | ||
| if isinstance(current_part, Field): | ||
| diff --git a/src/werkzeug/sansio/multipart.py b/src/werkzeug/sansio/multipart.py | ||
| index fc87353..731be03 100644 | ||
| --- a/src/werkzeug/sansio/multipart.py | ||
| +++ b/src/werkzeug/sansio/multipart.py | ||
| @@ -140,6 +140,8 @@ class MultipartDecoder: | ||
| self.max_form_memory_size is not None | ||
| and len(self.buffer) + len(data) > self.max_form_memory_size | ||
| ): | ||
| + # Ensure that data within single event does not exceed limit. | ||
| + # Also checked across accumulated events in MultiPartParser. | ||
| raise RequestEntityTooLarge() | ||
| else: | ||
| self.buffer.extend(data) | ||
| diff --git a/tests/test_formparser.py b/tests/test_formparser.py | ||
| index 1dcb167..d8e18e0 100644 | ||
| --- a/tests/test_formparser.py | ||
| +++ b/tests/test_formparser.py | ||
| @@ -448,3 +448,15 @@ class TestMultiPartParser: | ||
| ) as request: | ||
| assert request.files["rfc2231"].filename == "a b c d e f.txt" | ||
| assert request.files["rfc2231"].read() == b"file contents" | ||
| + | ||
| + | ||
| +def test_multipart_max_form_memory_size() -> None: | ||
| + """max_form_memory_size is tracked across multiple data events.""" | ||
| + data = b"--bound\r\nContent-Disposition: form-field; name=a\r\n\r\n" | ||
| + data += b"a" * 15 + b"\r\n--bound--" | ||
| + # The buffer size is less than the max size, so multiple data events will be | ||
| + # returned. The field size is greater than the max. | ||
| + parser = formparser.MultiPartParser(max_form_memory_size=10, buffer_size=5) | ||
| + | ||
| + with pytest.raises(RequestEntityTooLarge): | ||
| + parser.parse(io.BytesIO(data), b"bound", None) | ||
| -- | ||
| 2.34.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,7 @@ | ||
| Summary: The Swiss Army knife of Python web development | ||
| Name: python-werkzeug | ||
| Version: 2.3.7 | ||
| Release: 2%{?dist} | ||
| Release: 3%{?dist} | ||
| License: BSD | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Mariner | ||
|
|
@@ -19,6 +19,7 @@ Patch0: 0001-enable-tests-in-rpm-env.patch | |
| Patch1: 0002-disable-stat-test.patch | ||
| Patch2: CVE-2023-46136.patch | ||
| Patch3: CVE-2024-34069.patch | ||
| Patch4: CVE-2024-49767.patch | ||
| BuildArch: noarch | ||
|
|
||
| %description | ||
|
|
@@ -71,6 +72,9 @@ pip3 install -r requirements/tests.txt | |
| %license LICENSE.rst | ||
|
|
||
| %changelog | ||
| * Tue Nov 05 2024 Suresh Thelkar <[email protected]> - 2.3.7-3 | ||
| - Patch CVE-2024-49767 | ||
|
|
||
| * Tue May 14 2024 Jonathan Behrens <[email protected]> - 2.3.7-2 | ||
| - Patch CVE-2024-34069 | ||
|
|
||
|
|
||