-
Notifications
You must be signed in to change notification settings - Fork 546
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Patch CVE-2024-49767 in python-werkzeug (#10948)
Co-authored-by: Suresh Thelkar <[email protected]>
- Loading branch information
1 parent
4f0ad92
commit 7e21093
Showing
2 changed files
with
90 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| From f73af277c1be8adfe429eacef2132785557e448f Mon Sep 17 00:00:00 2001 | ||
| From: Suresh Thelkar <[email protected]> | ||
| Date: Tue, 5 Nov 2024 12:24:50 +0530 | ||
| Subject: [PATCH] Patch for CVE-2024-49767 | ||
|
|
||
| Upstream patch details are given below. | ||
| https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b#diff-ff3c479edefad986d2fe6fe7ead575a46b086e3bbcf0ccc86d85efc4a4c63c79 | ||
| --- | ||
| src/werkzeug/formparser.py | 11 +++++++++++ | ||
| src/werkzeug/sansio/multipart.py | 2 ++ | ||
| tests/test_formparser.py | 12 ++++++++++++ | ||
| 3 files changed, 25 insertions(+) | ||
|
|
||
| diff --git a/src/werkzeug/formparser.py b/src/werkzeug/formparser.py | ||
| index ba84721..d961bdb 100644 | ||
| --- a/src/werkzeug/formparser.py | ||
| +++ b/src/werkzeug/formparser.py | ||
| @@ -356,6 +356,7 @@ class MultiPartParser: | ||
| self, stream: t.IO[bytes], boundary: bytes, content_length: int | None | ||
| ) -> tuple[MultiDict[str, str], MultiDict[str, FileStorage]]: | ||
| current_part: Field | File | ||
| + field_size: int | None = None | ||
| container: t.IO[bytes] | list[bytes] | ||
| _write: t.Callable[[bytes], t.Any] | ||
|
|
||
| @@ -374,13 +375,23 @@ class MultiPartParser: | ||
| while not isinstance(event, (Epilogue, NeedData)): | ||
| if isinstance(event, Field): | ||
| current_part = event | ||
| + field_size = 0 | ||
| container = [] | ||
| _write = container.append | ||
| elif isinstance(event, File): | ||
| current_part = event | ||
| + field_size = None | ||
| container = self.start_file_streaming(event, content_length) | ||
| _write = container.write | ||
| elif isinstance(event, Data): | ||
| + if self.max_form_memory_size is not None and field_size is not None: | ||
| + # Ensure that accumulated data events do not exceed limit. | ||
| + # Also checked within single event in MultipartDecoder. | ||
| + field_size += len(event.data) | ||
| + | ||
| + if field_size > self.max_form_memory_size: | ||
| + raise RequestEntityTooLarge() | ||
| + | ||
| _write(event.data) | ||
| if not event.more_data: | ||
| if isinstance(current_part, Field): | ||
| diff --git a/src/werkzeug/sansio/multipart.py b/src/werkzeug/sansio/multipart.py | ||
| index fc87353..731be03 100644 | ||
| --- a/src/werkzeug/sansio/multipart.py | ||
| +++ b/src/werkzeug/sansio/multipart.py | ||
| @@ -140,6 +140,8 @@ class MultipartDecoder: | ||
| self.max_form_memory_size is not None | ||
| and len(self.buffer) + len(data) > self.max_form_memory_size | ||
| ): | ||
| + # Ensure that data within single event does not exceed limit. | ||
| + # Also checked across accumulated events in MultiPartParser. | ||
| raise RequestEntityTooLarge() | ||
| else: | ||
| self.buffer.extend(data) | ||
| diff --git a/tests/test_formparser.py b/tests/test_formparser.py | ||
| index 1ecb012..0fe152a 100644 | ||
| --- a/tests/test_formparser.py | ||
| +++ b/tests/test_formparser.py | ||
| @@ -448,3 +448,15 @@ class TestMultiPartParser: | ||
| ) as request: | ||
| assert request.files["rfc2231"].filename == "a b c d e f.txt" | ||
| assert request.files["rfc2231"].read() == b"file contents" | ||
| + | ||
| + | ||
| +def test_multipart_max_form_memory_size() -> None: | ||
| + """max_form_memory_size is tracked across multiple data events.""" | ||
| + data = b"--bound\r\nContent-Disposition: form-field; name=a\r\n\r\n" | ||
| + data += b"a" * 15 + b"\r\n--bound--" | ||
| + # The buffer size is less than the max size, so multiple data events will be | ||
| + # returned. The field size is greater than the max. | ||
| + parser = formparser.MultiPartParser(max_form_memory_size=10, buffer_size=5) | ||
| + | ||
| + with pytest.raises(RequestEntityTooLarge): | ||
| + parser.parse(io.BytesIO(data), b"bound", None) | ||
| -- | ||
| 2.34.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,7 @@ | |
| Summary: The Swiss Army knife of Python web development | ||
| Name: python-werkzeug | ||
| Version: 3.0.3 | ||
| Release: 1%{?dist} | ||
| Release: 2%{?dist} | ||
| License: BSD | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Azure Linux | ||
|
|
@@ -14,6 +14,7 @@ Source0: https://github.com/pallets/werkzeug/archive/%{version}.tar.gz#/w | |
| # Fixes PYTHONPATH handling in tests | ||
| # Upstream: https://github.com/pallets/werkzeug/pull/2172 | ||
| Patch0: preserve-any-existing-PYTHONPATH-in-tests.patch | ||
| Patch1: CVE-2024-49767.patch | ||
| BuildArch: noarch | ||
|
|
||
| %description | ||
|
|
@@ -78,6 +79,9 @@ pip3 install markupsafe | |
| %files -n python3-werkzeug-doc | ||
|
|
||
| %changelog | ||
| * Tue Nov 05 2024 Suresh Thelkar <[email protected]> - 3.0.3-2 | ||
| - Patch CVE-2024-49767 | ||
|
|
||
| * Thu May 30 2024 Neha Agarwal <[email protected]> - 3.0.3-1 | ||
| - Update to version 3.0.3 to fix CVE-2024-34069. | ||
|
|
||
|
|
||