From 0945401f1fc97fe5b80d8dbe7a178194fd7a5905 Mon Sep 17 00:00:00 2001
From: lzq11122 <lzq02303433@alibaba-inc.com>
Date: Fri, 19 Dec 2025 15:17:29 +0800
Subject: [PATCH] Add patch to fix CVE-2025-67725

---
 0003-add-patch-to-fix-CVE-2025-67725.patch | 97 ++++++++++++++++++++++
 python-tornado.spec                        |  9 +-
 2 files changed, 104 insertions(+), 2 deletions(-)
 create mode 100644 0003-add-patch-to-fix-CVE-2025-67725.patch

diff --git a/0003-add-patch-to-fix-CVE-2025-67725.patch b/0003-add-patch-to-fix-CVE-2025-67725.patch
new file mode 100644
index 0000000..f4d4c19
--- /dev/null
+++ b/0003-add-patch-to-fix-CVE-2025-67725.patch
@@ -0,0 +1,97 @@
+From 771472cfdaeebc0d89a9cc46e249f8891a6b29cd Mon Sep 17 00:00:00 2001
+From: Ben Darnell <ben@bendarnell.com>
+Date: Wed, 10 Dec 2025 10:55:02 -0500
+Subject: [PATCH] httputil: Fix quadratic behavior in _parseparam
+
+Prior to this change, _parseparam had O(n^2) behavior when parsing
+certain inputs, which could be a DoS vector. This change adapts
+logic from the equivalent function in the python standard library
+in https://github.com/python/cpython/pull/136072/files
+---
+ tornado/httputil.py           | 29 ++++++++++++++++++++++-------
+ tornado/test/httputil_test.py | 23 +++++++++++++++++++++++
+ 2 files changed, 45 insertions(+), 7 deletions(-)
+
+diff --git a/tornado/httputil.py b/tornado/httputil.py
+index 090a977..570ca42 100644
+--- a/tornado/httputil.py
++++ b/tornado/httputil.py
+@@ -926,19 +926,33 @@ def parse_response_start_line(line: str) -> ResponseStartLine:
+ # It has also been modified to support valueless parameters as seen in
+ # websocket extension negotiations, and to support non-ascii values in
+ # RFC 2231/5987 format.
+-
++#
++# _parseparam has been further modified with the logic from
++# https://github.com/python/cpython/pull/136072/files
++# to avoid quadratic behavior when parsing semicolons in quoted strings.
++#
++# TODO: See if we can switch to email.message.Message for this functionality.
++# This is the suggested replacement for the cgi.py module now that cgi has
++# been removed from recent versions of Python.  We need to verify that
++# the email module is consistent with our existing behavior (and all relevant
++# RFCs for multipart/form-data) before making this change.
+ 
+ def _parseparam(s: str) -> Generator[str, None, None]:
+-    while s[:1] == ";":
+-        s = s[1:]
+-        end = s.find(";")
+-        while end > 0 and (s.count('"', 0, end) - s.count('\\"', 0, end)) % 2:
+-            end = s.find(";", end + 1)
++    start = 0
++    while s.find(";", start) == start:
++        start += 1
++        end = s.find(";", start)
++        ind, diff = start, 0
++        while end > 0:
++            diff += s.count('"', ind, end) - s.count('\\"', ind, end)
++            if diff % 2 == 0:
++                break
++            end, ind = ind, s.find(";", end + 1)
+         if end < 0:
+             end = len(s)
+-        f = s[:end]
++        f = s[start:end]
+         yield f.strip()
+-        s = s[end:]
++        start = end
+ 
+ 
+ def _parse_header(line: str) -> Tuple[str, Dict[str, str]]:
+diff --git a/tornado/test/httputil_test.py b/tornado/test/httputil_test.py
+index 9494d0c..7646fab 100644
+--- a/tornado/test/httputil_test.py
++++ b/tornado/test/httputil_test.py
+@@ -263,6 +263,29 @@ Foo
+         self.assertEqual(file["body"], b"Foo")
+ 
+ 
++    def test_disposition_param_linear_performance(self):
++        # This is a regression test for performance of parsing parameters
++        # to the content-disposition header, specifically for semicolons within
++        # quoted strings.
++        def f(n):
++            start = time.time()
++            message = (
++                b"--1234\r\nContent-Disposition: form-data; "
++                + b'x="'
++                + b";" * n
++                + b'"; '
++                + b'name="files"; filename="a.txt"\r\n\r\nFoo\r\n--1234--\r\n'
++            )
++            args: dict[str, list[bytes]] = {}
++            files: dict[str, list[HTTPFile]] = {}
++            parse_multipart_form_data(b"1234", message, args, files)
++            return time.time() - start
++
++        d1 = f(1_000)
++        d2 = f(10_000)
++        if d2 / d1 > 20:
++            self.fail(f"Disposition param parsing is not linear: {d1=} vs {d2=}")
++
+ class HTTPHeadersTest(unittest.TestCase):
+     def test_multi_line(self):
+         # Lines beginning with whitespace are appended to the previous line
+-- 
+2.43.5
+
diff --git a/python-tornado.spec b/python-tornado.spec
index c31def8..19155d5 100644
--- a/python-tornado.spec
+++ b/python-tornado.spec
@@ -1,4 +1,4 @@
-%define anolis_release 2
+%define anolis_release 3
 %global srcname tornado
 %global common_description %{expand:
 Tornado is an open source version of the scalable, non-blocking web
@@ -23,6 +23,8 @@ Source0:        https://github.com/tornadoweb/%{srcname}/archive/refs/tags/v%{ve
 # fixes FTBFS with Python 3.8
 Patch0001:      Do-not-turn-DeprecationWarning-into-Exception.patch
 Patch0002:      0002-Fix-CVE-2025-47287.patch
+# https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd
+Patch0003:      0003-add-patch-to-fix-CVE-2025-67725.patch
 
 BuildRequires:  gcc
 BuildRequires:  python3-devel
@@ -37,7 +39,7 @@ Summary:        %{summary}
 %package -n python3-%{srcname}-doc
 Summary:        Examples for %{name}
 Obsoletes:      python-tornado-doc < 6.4.2
-Buildarch:      noarch
+ExcludeArch:    riscv64
 
 %description -n python3-%{srcname}-doc %{common_description}
 
@@ -69,6 +71,9 @@ export TRAVIS=true
 %doc demos
 
 %changelog
+* Fri Dec 19 2025 lzq11122 <lzq02303433@alibaba-inc.com> - 6.4.2-3
+- Add patch to fix CVE-2025-67725
+
 * Mon May 26 2025 wh02252983 <wh02252983@alibaba-inc.com> - 6.4.2-2
 - Fix-CVE-2025-47287
 
-- 
Gitee