diff --git a/0002-Fix-CVE-2025-47287.patch b/0002-Fix-CVE-2025-47287.patch deleted file mode 100644 index 7c0676a796519f8958d13aec3cac9557d6937245..0000000000000000000000000000000000000000 --- a/0002-Fix-CVE-2025-47287.patch +++ /dev/null @@ -1,214 +0,0 @@ -diff --git a/tornado/httputil.py b/tornado/httputil.py -index ebdc805..090a977 100644 ---- a/tornado/httputil.py -+++ b/tornado/httputil.py -@@ -34,7 +34,6 @@ import unicodedata - from urllib.parse import urlencode, urlparse, urlunparse, parse_qsl - - from tornado.escape import native_str, parse_qs_bytes, utf8 --from tornado.log import gen_log - from tornado.util import ObjectDict, unicode_type - - -@@ -762,25 +761,22 @@ def parse_body_arguments( - """ - if content_type.startswith("application/x-www-form-urlencoded"): - if headers and "Content-Encoding" in headers: -- gen_log.warning( -- "Unsupported Content-Encoding: %s", headers["Content-Encoding"] -+ raise HTTPInputError( -+ "Unsupported Content-Encoding: %s" % headers["Content-Encoding"] - ) -- return - try: - # real charset decoding will happen in RequestHandler.decode_argument() - uri_arguments = parse_qs_bytes(body, keep_blank_values=True) - except Exception as e: -- gen_log.warning("Invalid x-www-form-urlencoded body: %s", e) -- uri_arguments = {} -+ raise HTTPInputError("Invalid x-www-form-urlencoded body: %s" % e) from e - for name, values in uri_arguments.items(): - if values: - arguments.setdefault(name, []).extend(values) - elif content_type.startswith("multipart/form-data"): - if headers and "Content-Encoding" in headers: -- gen_log.warning( -- "Unsupported Content-Encoding: %s", headers["Content-Encoding"] -+ raise HTTPInputError( -+ "Unsupported Content-Encoding: %s" % headers["Content-Encoding"] - ) -- return - try: - fields = content_type.split(";") - for field in fields: -@@ -789,9 +785,9 @@ def parse_body_arguments( - parse_multipart_form_data(utf8(v), body, arguments, files) - break - else: -- raise ValueError("multipart boundary not found") -+ raise HTTPInputError("multipart boundary not found") - except Exception as e: -- gen_log.warning("Invalid multipart/form-data: %s", e) -+ raise HTTPInputError("Invalid multipart/form-data: %s" % e) from e - - - def parse_multipart_form_data( -@@ -820,26 +816,22 @@ def parse_multipart_form_data( - boundary = boundary[1:-1] - final_boundary_index = data.rfind(b"--" + boundary + b"--") - if final_boundary_index == -1: -- gen_log.warning("Invalid multipart/form-data: no final boundary") -- return -+ raise HTTPInputError("Invalid multipart/form-data: no final boundary found") - parts = data[:final_boundary_index].split(b"--" + boundary + b"\r\n") - for part in parts: - if not part: - continue - eoh = part.find(b"\r\n\r\n") - if eoh == -1: -- gen_log.warning("multipart/form-data missing headers") -- continue -+ raise HTTPInputError("multipart/form-data missing headers") - headers = HTTPHeaders.parse(part[:eoh].decode("utf-8")) - disp_header = headers.get("Content-Disposition", "") - disposition, disp_params = _parse_header(disp_header) - if disposition != "form-data" or not part.endswith(b"\r\n"): -- gen_log.warning("Invalid multipart/form-data") -- continue -+ raise HTTPInputError("Invalid multipart/form-data") - value = part[eoh + 4 : -2] - if not disp_params.get("name"): -- gen_log.warning("multipart/form-data value missing name") -- continue -+ raise HTTPInputError("multipart/form-data missing name") - name = disp_params["name"] - if disp_params.get("filename"): - ctype = headers.get("Content-Type", "application/unknown") -diff --git a/tornado/test/httpserver_test.py b/tornado/test/httpserver_test.py -index 0b29a39..5d5fb13 100644 ---- a/tornado/test/httpserver_test.py -+++ b/tornado/test/httpserver_test.py -@@ -1131,9 +1131,9 @@ class GzipUnsupportedTest(GzipBaseTest, AsyncHTTPTestCase): - # Gzip support is opt-in; without it the server fails to parse - # the body (but parsing form bodies is currently just a log message, - # not a fatal error). -- with ExpectLog(gen_log, "Unsupported Content-Encoding"): -+ with ExpectLog(gen_log, ".*Unsupported Content-Encoding"): - response = self.post_gzip("foo=bar") -- self.assertEqual(json_decode(response.body), {}) -+ self.assertEqual(response.code, 400) - - - class StreamingChunkSizeTest(AsyncHTTPTestCase): -diff --git a/tornado/test/httputil_test.py b/tornado/test/httputil_test.py -index 975900a..9494d0c 100644 ---- a/tornado/test/httputil_test.py -+++ b/tornado/test/httputil_test.py -@@ -12,7 +12,6 @@ from tornado.httputil import ( - ) - from tornado.escape import utf8, native_str - from tornado.log import gen_log --from tornado.testing import ExpectLog - from tornado.test.util import ignore_deprecation - - import copy -@@ -195,7 +194,9 @@ Foo - b"\n", b"\r\n" - ) - args, files = form_data_args() -- with ExpectLog(gen_log, "multipart/form-data missing headers"): -+ with self.assertRaises( -+ HTTPInputError, msg="multipart/form-data missing headers" -+ ): - parse_multipart_form_data(b"1234", data, args, files) - self.assertEqual(files, {}) - -@@ -209,7 +210,7 @@ Foo - b"\n", b"\r\n" - ) - args, files = form_data_args() -- with ExpectLog(gen_log, "Invalid multipart/form-data"): -+ with self.assertRaises(HTTPInputError, msg="Invalid multipart/form-data"): - parse_multipart_form_data(b"1234", data, args, files) - self.assertEqual(files, {}) - -@@ -222,7 +223,7 @@ Foo--1234--""".replace( - b"\n", b"\r\n" - ) - args, files = form_data_args() -- with ExpectLog(gen_log, "Invalid multipart/form-data"): -+ with self.assertRaises(HTTPInputError, msg="Invalid multipart/form-data"): - parse_multipart_form_data(b"1234", data, args, files) - self.assertEqual(files, {}) - -@@ -236,7 +237,9 @@ Foo - b"\n", b"\r\n" - ) - args, files = form_data_args() -- with ExpectLog(gen_log, "multipart/form-data value missing name"): -+ with self.assertRaises( -+ HTTPInputError, msg="multipart/form-data value missing name" -+ ): - parse_multipart_form_data(b"1234", data, args, files) - self.assertEqual(files, {}) - -diff --git a/tornado/web.py b/tornado/web.py -index 0393964..8ec5601 100644 ---- a/tornado/web.py -+++ b/tornado/web.py -@@ -1751,6 +1751,14 @@ class RequestHandler(object): - try: - if self.request.method not in self.SUPPORTED_METHODS: - raise HTTPError(405) -+ -+ # If we're not in stream_request_body mode, this is the place where we parse the body. -+ if not _has_stream_request_body(self.__class__): -+ try: -+ self.request._parse_body() -+ except httputil.HTTPInputError as e: -+ raise HTTPError(400, "Invalid body: %s" % e) from e -+ - self.path_args = [self.decode_argument(arg) for arg in args] - self.path_kwargs = dict( - (k, self.decode_argument(v, name=k)) for (k, v) in kwargs.items() -@@ -1941,7 +1949,7 @@ def _has_stream_request_body(cls: Type[RequestHandler]) -> bool: - - - def removeslash( -- method: Callable[..., Optional[Awaitable[None]]] -+ method: Callable[..., Optional[Awaitable[None]]], - ) -> Callable[..., Optional[Awaitable[None]]]: - """Use this decorator to remove trailing slashes from the request path. - -@@ -1970,7 +1978,7 @@ def removeslash( - - - def addslash( -- method: Callable[..., Optional[Awaitable[None]]] -+ method: Callable[..., Optional[Awaitable[None]]], - ) -> Callable[..., Optional[Awaitable[None]]]: - """Use this decorator to add a missing trailing slash to the request path. - -@@ -2394,8 +2402,9 @@ class _HandlerDelegate(httputil.HTTPMessageDelegate): - if self.stream_request_body: - future_set_result_unless_cancelled(self.request._body_future, None) - else: -+ # Note that the body gets parsed in RequestHandler._execute so it can be in -+ # the right exception handler scope. - self.request.body = b"".join(self.chunks) -- self.request._parse_body() - self.execute() - - def on_connection_close(self) -> None: -@@ -3267,7 +3276,7 @@ class GZipContentEncoding(OutputTransform): - - - def authenticated( -- method: Callable[..., Optional[Awaitable[None]]] -+ method: Callable[..., Optional[Awaitable[None]]], - ) -> Callable[..., Optional[Awaitable[None]]]: - """Decorate methods with this to require that the user be logged in. - --- -2.41.0 - diff --git a/0002-add-patch-to-fix-CVE-2025-67724.patch b/0002-add-patch-to-fix-CVE-2025-67724.patch new file mode 100644 index 0000000000000000000000000000000000000000..b55edba517544c28933ea1ada27dde266137b7bb --- /dev/null +++ b/0002-add-patch-to-fix-CVE-2025-67724.patch @@ -0,0 +1,117 @@ +From 9c163aebeaad9e6e7d28bac1f33580eb00b0e421 Mon Sep 17 00:00:00 2001 +From: Ben Darnell +Date: Wed, 10 Dec 2025 15:15:25 -0500 +Subject: [PATCH] web: Harden against invalid HTTP reason phrases + +We allow applications to set custom reason phrases for the HTTP status +line (to support custom status codes), but if this were exposed to +untrusted data it could be exploited in various ways. This commit +guards against invalid reason phrases in both HTTP headers and in +error pages. +--- + tornado/test/web_test.py | 15 ++++++++++++++- + tornado/web.py | 25 +++++++++++++++++++------ + 2 files changed, 33 insertions(+), 7 deletions(-) + +diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py +index a514e2a..5af8409 100644 +--- a/tornado/test/web_test.py ++++ b/tornado/test/web_test.py +@@ -1746,7 +1746,7 @@ class StatusReasonTest(SimpleHandlerTestCase): + class Handler(RequestHandler): + def get(self): + reason = self.request.arguments.get("reason", []) +- self.set_status( ++ raise HTTPError( + int(self.get_argument("code")), + reason=to_unicode(reason[0]) if reason else None, + ) +@@ -1770,6 +1770,20 @@ class StatusReasonTest(SimpleHandlerTestCase): + self.assertEqual(response.reason, "Unknown") + + ++ def test_header_injection(self): ++ response = self.fetch("/?code=200&reason=OK%0D%0AX-Injection:injected") ++ self.assertEqual(response.code, 200) ++ self.assertEqual(response.reason, "Unknown") ++ self.assertNotIn("X-Injection", response.headers) ++ ++ def test_reason_xss(self): ++ response = self.fetch("/?code=400&reason=") ++ self.assertEqual(response.code, 400) ++ self.assertEqual(response.reason, "Unknown") ++ self.assertNotIn(b"script", response.body) ++ self.assertIn(b"Unknown", response.body) ++ ++ + class DateHeaderTest(SimpleHandlerTestCase): + class Handler(RequestHandler): + def get(self): +diff --git a/tornado/web.py b/tornado/web.py +index 2f702d6..2351afd 100644 +--- a/tornado/web.py ++++ b/tornado/web.py +@@ -359,8 +359,10 @@ class RequestHandler: + + :arg int status_code: Response status code. + :arg str reason: Human-readable reason phrase describing the status +- code. If ``None``, it will be filled in from +- `http.client.responses` or "Unknown". ++ code (for example, the "Not Found" in ``HTTP/1.1 404 Not Found``). ++ Normally determined automatically from `http.client.responses`; this ++ argument should only be used if you need to use a non-standard ++ status code. + + .. versionchanged:: 5.0 + +@@ -369,6 +371,14 @@ class RequestHandler: + """ + self._status_code = status_code + if reason is not None: ++ if "<" in reason or not httputil._ABNF.reason_phrase.fullmatch(reason): ++ # Logically this would be better as an exception, but this method ++ # is called on error-handling paths that would need some refactoring ++ # to tolerate internal errors cleanly. ++ # ++ # The check for "<" is a defense-in-depth against XSS attacks (we also ++ # escape the reason when rendering error pages). ++ reason = "Unknown" + self._reason = escape.native_str(reason) + else: + self._reason = httputil.responses.get(status_code, "Unknown") +@@ -1345,7 +1355,8 @@ class RequestHandler: + reason = exception.reason + self.set_status(status_code, reason=reason) + try: +- self.write_error(status_code, **kwargs) ++ if status_code != 304: ++ self.write_error(status_code, **kwargs) + except Exception: + app_log.error("Uncaught exception in write_error", exc_info=True) + if not self._finished: +@@ -1373,7 +1384,7 @@ class RequestHandler: + self.finish( + "%(code)d: %(message)s" + "%(code)d: %(message)s" +- % {"code": status_code, "message": self._reason} ++ % {"code": status_code, "message": escape.xhtml_escape(self._reason)} + ) + + @property +@@ -2520,9 +2531,11 @@ class HTTPError(Exception): + mode). May contain ``%s``-style placeholders, which will be filled + in with remaining positional parameters. + :arg str reason: Keyword-only argument. The HTTP "reason" phrase +- to pass in the status line along with ``status_code``. Normally ++ to pass in the status line along with ``status_code`` (for example, ++ the "Not Found" in ``HTTP/1.1 404 Not Found``). Normally + determined automatically from ``status_code``, but can be used +- to use a non-standard numeric code. ++ to use a non-standard numeric code. This is not a general-purpose ++ error message. + """ + + def __init__( +-- +2.43.5 + diff --git a/python-tornado.spec b/python-tornado.spec index 1cf7485459819f53e7a3886052f0c7a080011815..b1af4a4c39fb16778a9d1b48b9efaed6e65d483b 100644 --- a/python-tornado.spec +++ b/python-tornado.spec @@ -1,4 +1,4 @@ -%define anolis_release 3 +%define anolis_release 1 %global srcname tornado %global common_description %{expand: Tornado is an open source version of the scalable, non-blocking web @@ -11,7 +11,7 @@ handle thousands of simultaneous standing connections, which means it is ideal for real-time web services.} Name: python-%{srcname} -Version: 6.4.2 +Version: 6.5.2 Release: %{anolis_release}%{?dist} Summary: Scalable, non-blocking web server and tools @@ -22,7 +22,8 @@ Source0: https://github.com/tornadoweb/%{srcname}/archive/refs/tags/v%{ve # Do not turn DeprecationWarning in tornado module into Exception # fixes FTBFS with Python 3.8 Patch0001: Do-not-turn-DeprecationWarning-into-Exception.patch -Patch0002: 0002-Fix-CVE-2025-47287.patch +# https://github.com/tornadoweb/tornado/commit/9c163aebeaad9e6e7d28bac1f33580eb00b0e421 +Patch0002: 0002-add-patch-to-fix-CVE-2025-67724.patch # https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd Patch0003: 0003-add-patch-to-fix-CVE-2025-67725-and-CVE-2025-67726.patch @@ -38,7 +39,7 @@ Summary: %{summary} %package -n python3-%{srcname}-doc Summary: Examples for %{name} -Obsoletes: python-tornado-doc < 6.4.2 +Obsoletes: python-tornado-doc < 6.5.2 ExcludeArch: riscv64 %description -n python3-%{srcname}-doc %{common_description} @@ -71,6 +72,10 @@ export TRAVIS=true %doc demos %changelog +* Tue Dec 23 2025 lzq11122 - 6.5.2-1 +- Update to 6.5.2 and fix CVE-2025-67724 +- Remove patch for upgraded versions are not affected + * Fri Dec 19 2025 lzq11122 - 6.4.2-3 - Add patch to fix CVE-2025-67725 and CVE-2025-67726 diff --git a/v6.4.2.tar.gz b/v6.4.2.tar.gz deleted file mode 100644 index 96377c864bfdd7b4146e4aeaaca866f2dff6b58b..0000000000000000000000000000000000000000 Binary files a/v6.4.2.tar.gz and /dev/null differ diff --git a/v6.5.2.tar.gz b/v6.5.2.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..f9eb01f574a1e109b52a41177be9dde167fece05 Binary files /dev/null and b/v6.5.2.tar.gz differ