diff --git a/CVE-2023-49081.patch b/CVE-2023-49081.patch new file mode 100644 index 0000000000000000000000000000000000000000..5294e21a98539d37c7d81d31ae4be0e2bb4bd5b0 --- /dev/null +++ b/CVE-2023-49081.patch @@ -0,0 +1,91 @@ +From 53476dfd4ef4fb1bb74a267714bbc39eda71b403 Mon Sep 17 00:00:00 2001 +From: Sam Bull +Date: Mon, 13 Nov 2023 22:36:04 +0000 +Subject: [PATCH] Disallow arbitrary sequence types in version (#7835) (#7836) + +Origin: https://github.com/aio-libs/aiohttp/commit/53476dfd4ef4fb1bb74a267714bbc39eda71b403 + +(cherry picked from commit 1e86b777e61cf4eefc7d92fa57fa19dcc676013b) +--- + CHANGES/7835.bugfix | 1 + + aiohttp/client_reqrep.py | 4 ++-- + tests/test_client_request.py | 20 +++++++++++++++++--- + 3 files changed, 20 insertions(+), 5 deletions(-) + create mode 100644 CHANGES/7835.bugfix + +diff --git a/CHANGES/7835.bugfix b/CHANGES/7835.bugfix +new file mode 100644 +index 0000000000..4ce3af4f6f +--- /dev/null ++++ b/CHANGES/7835.bugfix +@@ -0,0 +1 @@ ++Fixed arbitrary sequence types being allowed to inject headers via version parameter -- by :user:`Dreamsorcerer` +diff --git a/aiohttp/client_reqrep.py b/aiohttp/client_reqrep.py +index 851ab220b8..4cea7466d8 100644 +--- a/aiohttp/client_reqrep.py ++++ b/aiohttp/client_reqrep.py +@@ -706,8 +706,8 @@ async def send(self, conn: "Connection") -> "ClientResponse": + self.headers[hdrs.CONNECTION] = connection + + # status + headers +- status_line = "{0} {1} HTTP/{2[0]}.{2[1]}".format( +- self.method, path, self.version ++ status_line = "{0} {1} HTTP/{v.major}.{v.minor}".format( ++ self.method, path, v=self.version + ) + await writer.write_headers(status_line, self.headers) + +diff --git a/tests/test_client_request.py b/tests/test_client_request.py +index 0f58d752de..c8ce98d403 100644 +--- a/tests/test_client_request.py ++++ b/tests/test_client_request.py +@@ -21,6 +21,7 @@ + Fingerprint, + _merge_ssl_params, + ) ++from aiohttp.http import HttpVersion + from aiohttp.test_utils import make_mocked_coro + + +@@ -623,18 +624,18 @@ async def test_connection_header(loop, conn) -> None: + req.headers.clear() + + req.keep_alive.return_value = True +- req.version = (1, 1) ++ req.version = HttpVersion(1, 1) + req.headers.clear() + await req.send(conn) + assert req.headers.get("CONNECTION") is None + +- req.version = (1, 0) ++ req.version = HttpVersion(1, 0) + req.headers.clear() + await req.send(conn) + assert req.headers.get("CONNECTION") == "keep-alive" + + req.keep_alive.return_value = False +- req.version = (1, 1) ++ req.version = HttpVersion(1, 1) + req.headers.clear() + await req.send(conn) + assert req.headers.get("CONNECTION") == "close" +@@ -1161,6 +1162,19 @@ async def gen(): + resp.close() + + ++async def test_bad_version(loop, conn) -> None: ++ req = ClientRequest( ++ "GET", ++ URL("http://python.org"), ++ loop=loop, ++ headers={"Connection": "Close"}, ++ version=("1", "1\r\nInjected-Header: not allowed"), ++ ) ++ ++ with pytest.raises(AttributeError): ++ await req.send(conn) ++ ++ + async def test_custom_response_class(loop, conn) -> None: + class CustomResponse(ClientResponse): + def read(self, decode=False): diff --git a/python-aiohttp.spec b/python-aiohttp.spec index e4a8d0dbf8e43e5e94b449145b4ef248b954cd6f..6d260984884062756a0d6f2a94ab0aa5f68ce65c 100644 --- a/python-aiohttp.spec +++ b/python-aiohttp.spec @@ -1,13 +1,14 @@ %global _empty_manifest_terminate_build 0 Name: python-aiohttp Version: 3.7.4 -Release: 3 +Release: 4 Summary: Async http client/server framework (asyncio) License: Apache 2 URL: https://github.com/aio-libs/aiohttp Source0: https://files.pythonhosted.org/packages/99/f5/90ede947a3ce2d6de1614799f5fea4e93c19b6520a59dc5d2f64123b032f/aiohttp-3.7.4.post0.tar.gz Patch0: change-require-chardet-package-version.patch Patch1: CVE-2023-47641.patch +Patch2: CVE-2023-49081.patch BuildRequires: python3-attrs BuildRequires: python3-chardet @@ -78,6 +79,9 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Fri Dec 01 2023 wangkai <13474090681@163.com> - 3.7.4-4 +- Fix CVE-2023-49081 + * Thu Nov 16 2023 yaoxin - 3.7.4-3 - Fix CVE-2023-47641