diff --git a/CVE-2024-27306.patch b/CVE-2024-27306.patch deleted file mode 100644 index 6449b2c25ef202b64ea73840d47a8792e0984173..0000000000000000000000000000000000000000 --- a/CVE-2024-27306.patch +++ /dev/null @@ -1,242 +0,0 @@ -From 28335525d1eac015a7e7584137678cbb6ff19397 Mon Sep 17 00:00:00 2001 -From: Sam Bull -Date: Thu, 11 Apr 2024 15:54:45 +0100 -Subject: [PATCH] Escape filenames and paths in HTML when generating index - pages (#8317) (#8319) - -Co-authored-by: J. Nick Koston -(cherry picked from commit ffbc43233209df302863712b511a11bdb6001b0f) ---- - CHANGES/8317.bugfix.rst | 1 + - aiohttp/web_urldispatcher.py | 12 ++-- - tests/test_web_urldispatcher.py | 124 ++++++++++++++++++++++++++++---- - 3 files changed, 118 insertions(+), 19 deletions(-) - create mode 100644 CHANGES/8317.bugfix.rst - -diff --git a/CHANGES/8317.bugfix.rst b/CHANGES/8317.bugfix.rst -new file mode 100644 -index 0000000000..b24ef2aeb8 ---- /dev/null -+++ b/CHANGES/8317.bugfix.rst -@@ -0,0 +1 @@ -+Escaped filenames in static view -- by :user:`bdraco`. -diff --git a/aiohttp/web_urldispatcher.py b/aiohttp/web_urldispatcher.py -index 9969653344..954291f644 100644 ---- a/aiohttp/web_urldispatcher.py -+++ b/aiohttp/web_urldispatcher.py -@@ -1,7 +1,9 @@ - import abc - import asyncio - import base64 -+import functools - import hashlib -+import html - import inspect - import keyword - import os -@@ -90,6 +92,8 @@ - _ExpectHandler = Callable[[Request], Awaitable[Optional[StreamResponse]]] - _Resolve = Tuple[Optional["UrlMappingMatchInfo"], Set[str]] - -+html_escape = functools.partial(html.escape, quote=True) -+ - - class _InfoDict(TypedDict, total=False): - path: str -@@ -708,7 +712,7 @@ def _directory_as_html(self, filepath: Path) -> str: - assert filepath.is_dir() - - relative_path_to_dir = filepath.relative_to(self._directory).as_posix() -- index_of = f"Index of /{relative_path_to_dir}" -+ index_of = f"Index of /{html_escape(relative_path_to_dir)}" - h1 = f"

{index_of}

" - - index_list = [] -@@ -716,7 +720,7 @@ def _directory_as_html(self, filepath: Path) -> str: - for _file in sorted(dir_index): - # show file url as relative to static path - rel_path = _file.relative_to(self._directory).as_posix() -- file_url = self._prefix + "/" + rel_path -+ quoted_file_url = _quote_path(f"{self._prefix}/{rel_path}") - - # if file is a directory, add '/' to the end of the name - if _file.is_dir(): -@@ -725,9 +729,7 @@ def _directory_as_html(self, filepath: Path) -> str: - file_name = _file.name - - index_list.append( -- '
  • {name}
    • '.format( -- url=file_url, name=file_name -- ) -+ f'
  • {html_escape(file_name)}
    • ' - ) - ul = "".format("\n".join(index_list)) - body = f"\n{h1}\n{ul}\n" -diff --git a/tests/test_web_urldispatcher.py b/tests/test_web_urldispatcher.py -index 76e533e473..0441890c10 100644 ---- a/tests/test_web_urldispatcher.py -+++ b/tests/test_web_urldispatcher.py -@@ -1,6 +1,7 @@ - import asyncio - import functools - import pathlib -+import sys - from typing import Optional - from unittest import mock - from unittest.mock import MagicMock -@@ -14,31 +15,38 @@ - - - @pytest.mark.parametrize( -- "show_index,status,prefix,data", -+ "show_index,status,prefix,request_path,data", - [ -- pytest.param(False, 403, "/", None, id="index_forbidden"), -+ pytest.param(False, 403, "/", "/", None, id="index_forbidden"), - pytest.param( - True, - 200, - "/", -- b"\n\nIndex of /.\n" -- b"\n\n

    Index of /.

    \n\n\n", -- id="index_root", -+ "/", -+ b"\n\nIndex of /.\n\n\n

    Index of" -+ b' /.

    \n\n\n", - ), - pytest.param( - True, - 200, - "/static", -- b"\n\nIndex of /.\n" -- b"\n\n

    Index of /.

    \n\n\n", -+ "/static", -+ b"\n\nIndex of /.\n\n\n

    Index of" -+ b' /.

    \n\n\n', - id="index_static", - ), -+ pytest.param( -+ True, -+ 200, -+ "/static", -+ "/static/my_dir", -+ b"\n\nIndex of /my_dir\n\n\n

    " -+ b'Index of /my_dir

    \n\n\n", -+ id="index_subdir", -+ ), - ], - ) - async def test_access_root_of_static_handler( -@@ -47,6 +55,7 @@ async def test_access_root_of_static_handler( - show_index: bool, - status: int, - prefix: str, -+ request_path: str, - data: Optional[bytes], - ) -> None: - # Tests the operation of static file server. -@@ -72,7 +81,94 @@ async def test_access_root_of_static_handler( - client = await aiohttp_client(app) - - # Request the root of the static directory. -- async with await client.get(prefix) as r: -+ async with await client.get(request_path) as r: -+ assert r.status == status -+ -+ if data: -+ assert r.headers["Content-Type"] == "text/html; charset=utf-8" -+ read_ = await r.read() -+ assert read_ == data -+ -+ -+@pytest.mark.internal # Dependent on filesystem -+@pytest.mark.skipif( -+ not sys.platform.startswith("linux"), -+ reason="Invalid filenames on some filesystems (like Windows)", -+) -+@pytest.mark.parametrize( -+ "show_index,status,prefix,request_path,data", -+ [ -+ pytest.param(False, 403, "/", "/", None, id="index_forbidden"), -+ pytest.param( -+ True, -+ 200, -+ "/", -+ "/", -+ b"\n\nIndex of /.\n\n\n

    Index of" -+ b' /.

    \n\n\n", -+ ), -+ pytest.param( -+ True, -+ 200, -+ "/static", -+ "/static", -+ b"\n\nIndex of /.\n\n\n

    Index of" -+ b' /.

    \n\n\n", -+ id="index_static", -+ ), -+ pytest.param( -+ True, -+ 200, -+ "/static", -+ "/static/.dir", -+ b"\n\nIndex of /<img src=0 onerror=alert(1)>.dir</t" -+ b"itle>\n</head>\n<body>\n<h1>Index of /<img src=0 onerror=alert(1)>.di" -+ b'r</h1>\n<ul>\n<li><a href="/static/%3Cimg%20src=0%20onerror=alert(1)%3E.di' -+ b'r/my_file_in_dir">my_file_in_dir</a></li>\n</ul>\n</body>\n</html>', -+ id="index_subdir", -+ ), -+ ], -+) -+async def test_access_root_of_static_handler_xss( -+ tmp_path: pathlib.Path, -+ aiohttp_client: AiohttpClient, -+ show_index: bool, -+ status: int, -+ prefix: str, -+ request_path: str, -+ data: Optional[bytes], -+) -> None: -+ # Tests the operation of static file server. -+ # Try to access the root of static file server, and make -+ # sure that correct HTTP statuses are returned depending if we directory -+ # index should be shown or not. -+ # Ensure that html in file names is escaped. -+ # Ensure that links are url quoted. -+ my_file = tmp_path / "<img src=0 onerror=alert(1)>.txt" -+ my_dir = tmp_path / "<img src=0 onerror=alert(1)>.dir" -+ my_dir.mkdir() -+ my_file_in_dir = my_dir / "my_file_in_dir" -+ -+ with my_file.open("w") as fw: -+ fw.write("hello") -+ -+ with my_file_in_dir.open("w") as fw: -+ fw.write("world") -+ -+ app = web.Application() -+ -+ # Register global static route: -+ app.router.add_static(prefix, str(tmp_path), show_index=show_index) -+ client = await aiohttp_client(app) -+ -+ # Request the root of the static directory. -+ async with await client.get(request_path) as r: - assert r.status == status - - if data: diff --git a/CVE-2024-30251-PR-8332-482e6cdf-backport-3.9-Add-set_content_dispos.patch b/CVE-2024-30251-PR-8332-482e6cdf-backport-3.9-Add-set_content_dispos.patch deleted file mode 100644 index 2dcce4d4a0988fd9a7c5a859efcc9dea352bb32e..0000000000000000000000000000000000000000 --- a/CVE-2024-30251-PR-8332-482e6cdf-backport-3.9-Add-set_content_dispos.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 7eecdff163ccf029fbb1ddc9de4169d4aaeb6597 Mon Sep 17 00:00:00 2001 -From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com> -Date: Mon, 15 Apr 2024 20:47:19 +0100 -Subject: [PATCH] [PR #8332/482e6cdf backport][3.9] Add set_content_disposition - test (#8333) - -**This is a backport of PR #8332 as merged into master -(482e6cdf6516607360666a48c5828d3dbe959fbd).** - -Co-authored-by: Oleg A <t0rr@mail.ru> ---- - CHANGES/8332.bugfix.rst | 1 + - aiohttp/multipart.py | 7 +++++-- - tests/test_multipart.py | 7 +++++++ - 3 files changed, 13 insertions(+), 2 deletions(-) - create mode 100644 CHANGES/8332.bugfix.rst - -diff --git a/CHANGES/8332.bugfix.rst b/CHANGES/8332.bugfix.rst -new file mode 100644 -index 0000000000..70cad26b42 ---- /dev/null -+++ b/CHANGES/8332.bugfix.rst -@@ -0,0 +1 @@ -+Fixed regression with adding Content-Disposition to form-data part after appending to writer -- by :user:`Dreamsorcerer`/:user:`Olegt0rr`. -diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py -index a43ec54571..fcdf16183c 100644 ---- a/aiohttp/multipart.py -+++ b/aiohttp/multipart.py -@@ -848,8 +848,6 @@ def append_payload(self, payload: Payload) -> Payload: - if self._is_form_data: - # https://datatracker.ietf.org/doc/html/rfc7578#section-4.7 - # https://datatracker.ietf.org/doc/html/rfc7578#section-4.8 -- assert CONTENT_DISPOSITION in payload.headers -- assert "name=" in payload.headers[CONTENT_DISPOSITION] - assert ( - not {CONTENT_ENCODING, CONTENT_LENGTH, CONTENT_TRANSFER_ENCODING} - & payload.headers.keys() -@@ -930,6 +928,11 @@ def size(self) -> Optional[int]: - async def write(self, writer: Any, close_boundary: bool = True) -> None: - """Write body.""" - for part, encoding, te_encoding in self._parts: -+ if self._is_form_data: -+ # https://datatracker.ietf.org/doc/html/rfc7578#section-4.2 -+ assert CONTENT_DISPOSITION in part.headers -+ assert "name=" in part.headers[CONTENT_DISPOSITION] -+ - await writer.write(b"--" + self._boundary + b"\r\n") - await writer.write(part._binary_headers) - -diff --git a/tests/test_multipart.py b/tests/test_multipart.py -index dbfaf74b9b..37ac54797f 100644 ---- a/tests/test_multipart.py -+++ b/tests/test_multipart.py -@@ -1282,6 +1282,13 @@ def test_append_multipart(self, writer) -> None: - part = writer._parts[0][0] - assert part.headers[CONTENT_TYPE] == "test/passed" - -+ async def test_set_content_disposition_after_append(self): -+ writer = aiohttp.MultipartWriter("form-data") -+ payload = writer.append("some-data") -+ payload.set_content_disposition("form-data", name="method") -+ assert CONTENT_DISPOSITION in payload.headers -+ assert "name=" in payload.headers[CONTENT_DISPOSITION] -+ - def test_with(self) -> None: - with aiohttp.MultipartWriter(boundary=":") as writer: - writer.append("foo") diff --git a/CVE-2024-30251-PR-8335-5a6949da-backport-3.9-Add-Content-Dispositio.patch b/CVE-2024-30251-PR-8335-5a6949da-backport-3.9-Add-Content-Dispositio.patch deleted file mode 100644 index f302e2a0b146aee9fc93a276874aeda793669fe6..0000000000000000000000000000000000000000 --- a/CVE-2024-30251-PR-8335-5a6949da-backport-3.9-Add-Content-Dispositio.patch +++ /dev/null @@ -1,73 +0,0 @@ -From f21c6f2ca512a026ce7f0f6c6311f62d6a638866 Mon Sep 17 00:00:00 2001 -From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com> -Date: Mon, 15 Apr 2024 21:54:12 +0100 -Subject: [PATCH] [PR #8335/5a6949da backport][3.9] Add Content-Disposition - automatically (#8336) - -**This is a backport of PR #8335 as merged into master -(5a6949da642d1db6cf414fd0d1f70e54c7b7be14).** - -Co-authored-by: Sam Bull <git@sambull.org> ---- - CHANGES/8335.bugfix.rst | 1 + - aiohttp/multipart.py | 4 ++++ - tests/test_multipart.py | 22 +++++++++++++++++----- - 3 files changed, 22 insertions(+), 5 deletions(-) - create mode 100644 CHANGES/8335.bugfix.rst - -diff --git a/CHANGES/8335.bugfix.rst b/CHANGES/8335.bugfix.rst -new file mode 100644 -index 0000000000..cd93b864a5 ---- /dev/null -+++ b/CHANGES/8335.bugfix.rst -@@ -0,0 +1 @@ -+Added default Content-Disposition in multipart/form-data responses -- by :user:`Dreamsorcerer`. -diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py -index fcdf16183c..71fc2654a1 100644 ---- a/aiohttp/multipart.py -+++ b/aiohttp/multipart.py -@@ -852,6 +852,10 @@ def append_payload(self, payload: Payload) -> Payload: - not {CONTENT_ENCODING, CONTENT_LENGTH, CONTENT_TRANSFER_ENCODING} - & payload.headers.keys() - ) -+ # Set default Content-Disposition in case user doesn't create one -+ if CONTENT_DISPOSITION not in payload.headers: -+ name = f"section-{len(self._parts)}" -+ payload.set_content_disposition("form-data", name=name) - else: - # compression - encoding = payload.headers.get(CONTENT_ENCODING, "").lower() -diff --git a/tests/test_multipart.py b/tests/test_multipart.py -index 37ac54797f..436b70957f 100644 ---- a/tests/test_multipart.py -+++ b/tests/test_multipart.py -@@ -1282,12 +1282,24 @@ def test_append_multipart(self, writer) -> None: - part = writer._parts[0][0] - assert part.headers[CONTENT_TYPE] == "test/passed" - -- async def test_set_content_disposition_after_append(self): -+ def test_set_content_disposition_after_append(self): - writer = aiohttp.MultipartWriter("form-data") -- payload = writer.append("some-data") -- payload.set_content_disposition("form-data", name="method") -- assert CONTENT_DISPOSITION in payload.headers -- assert "name=" in payload.headers[CONTENT_DISPOSITION] -+ part = writer.append("some-data") -+ part.set_content_disposition("form-data", name="method") -+ assert 'name="method"' in part.headers[CONTENT_DISPOSITION] -+ -+ def test_automatic_content_disposition(self): -+ writer = aiohttp.MultipartWriter("form-data") -+ writer.append_json(()) -+ part = payload.StringPayload("foo") -+ part.set_content_disposition("form-data", name="second") -+ writer.append_payload(part) -+ writer.append("foo") -+ -+ disps = tuple(p[0].headers[CONTENT_DISPOSITION] for p in writer._parts) -+ assert 'name="section-0"' in disps[0] -+ assert 'name="second"' in disps[1] -+ assert 'name="section-2"' in disps[2] - - def test_with(self) -> None: - with aiohttp.MultipartWriter(boundary=":") as writer: diff --git a/CVE-2024-30251.patch b/CVE-2024-30251.patch deleted file mode 100644 index 828022dbfe4e5cfd67881d83f5f2e16def8c27fd..0000000000000000000000000000000000000000 --- a/CVE-2024-30251.patch +++ /dev/null @@ -1,511 +0,0 @@ -From cebe526b9c34dc3a3da9140409db63014bc4cf19 Mon Sep 17 00:00:00 2001 -From: Sam Bull <git@sambull.org> -Date: Sun, 7 Apr 2024 13:19:31 +0100 -Subject: [PATCH] Fix handling of multipart/form-data (#8280) (#8302) - -https://datatracker.ietf.org/doc/html/rfc7578 -(cherry picked from commit 7d0be3fee540a3d4161ac7dc76422f1f5ea60104) ---- - CHANGES/8280.bugfix.rst | 1 + - CHANGES/8280.deprecation.rst | 2 + - aiohttp/formdata.py | 12 +++- - aiohttp/multipart.py | 121 +++++++++++++++++++++----------- - tests/test_client_functional.py | 44 +----------- - tests/test_multipart.py | 68 ++++++++++++++---- - tests/test_web_functional.py | 27 ++----- - 7 files changed, 155 insertions(+), 120 deletions(-) - create mode 100644 CHANGES/8280.bugfix.rst - create mode 100644 CHANGES/8280.deprecation.rst - -diff --git a/CHANGES/8280.bugfix.rst b/CHANGES/8280.bugfix.rst -new file mode 100644 -index 00000000000..3aebe36fe9e ---- /dev/null -+++ b/CHANGES/8280.bugfix.rst -@@ -0,0 +1 @@ -+Fixed ``multipart/form-data`` compliance with :rfc:`7578` -- by :user:`Dreamsorcerer`. -diff --git a/CHANGES/8280.deprecation.rst b/CHANGES/8280.deprecation.rst -new file mode 100644 -index 00000000000..302dbb2fe2a ---- /dev/null -+++ b/CHANGES/8280.deprecation.rst -@@ -0,0 +1,2 @@ -+Deprecated ``content_transfer_encoding`` parameter in :py:meth:`FormData.add_field() -+<aiohttp.FormData.add_field>` -- by :user:`Dreamsorcerer`. -diff --git a/aiohttp/formdata.py b/aiohttp/formdata.py -index e7cd24ca9f7..2b75b3de72c 100644 ---- a/aiohttp/formdata.py -+++ b/aiohttp/formdata.py -@@ -1,4 +1,5 @@ - import io -+import warnings - from typing import Any, Iterable, List, Optional - from urllib.parse import urlencode - -@@ -53,7 +54,12 @@ def add_field( - if isinstance(value, io.IOBase): - self._is_multipart = True - elif isinstance(value, (bytes, bytearray, memoryview)): -+ msg = ( -+ "In v4, passing bytes will no longer create a file field. " -+ "Please explicitly use the filename parameter or pass a BytesIO object." -+ ) - if filename is None and content_transfer_encoding is None: -+ warnings.warn(msg, DeprecationWarning) - filename = name - - type_options: MultiDict[str] = MultiDict({"name": name}) -@@ -81,7 +87,11 @@ def add_field( - "content_transfer_encoding must be an instance" - " of str. Got: %s" % content_transfer_encoding - ) -- headers[hdrs.CONTENT_TRANSFER_ENCODING] = content_transfer_encoding -+ msg = ( -+ "content_transfer_encoding is deprecated. " -+ "To maintain compatibility with v4 please pass a BytesPayload." -+ ) -+ warnings.warn(msg, DeprecationWarning) - self._is_multipart = True - - self._fields.append((type_options, headers, value)) -diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py -index 4471dd4bb7e..a43ec545713 100644 ---- a/aiohttp/multipart.py -+++ b/aiohttp/multipart.py -@@ -256,13 +256,22 @@ class BodyPartReader: - chunk_size = 8192 - - def __init__( -- self, boundary: bytes, headers: "CIMultiDictProxy[str]", content: StreamReader -+ self, -+ boundary: bytes, -+ headers: "CIMultiDictProxy[str]", -+ content: StreamReader, -+ *, -+ subtype: str = "mixed", -+ default_charset: Optional[str] = None, - ) -> None: - self.headers = headers - self._boundary = boundary - self._content = content -+ self._default_charset = default_charset - self._at_eof = False -- length = self.headers.get(CONTENT_LENGTH, None) -+ self._is_form_data = subtype == "form-data" -+ # https://datatracker.ietf.org/doc/html/rfc7578#section-4.8 -+ length = None if self._is_form_data else self.headers.get(CONTENT_LENGTH, None) - self._length = int(length) if length is not None else None - self._read_bytes = 0 - self._unread: Deque[bytes] = deque() -@@ -329,6 +338,8 @@ async def _read_chunk_from_length(self, size: int) -> bytes: - assert self._length is not None, "Content-Length required for chunked read" - chunk_size = min(size, self._length - self._read_bytes) - chunk = await self._content.read(chunk_size) -+ if self._content.at_eof(): -+ self._at_eof = True - return chunk - - async def _read_chunk_from_stream(self, size: int) -> bytes: -@@ -449,7 +460,8 @@ def decode(self, data: bytes) -> bytes: - """ - if CONTENT_TRANSFER_ENCODING in self.headers: - data = self._decode_content_transfer(data) -- if CONTENT_ENCODING in self.headers: -+ # https://datatracker.ietf.org/doc/html/rfc7578#section-4.8 -+ if not self._is_form_data and CONTENT_ENCODING in self.headers: - return self._decode_content(data) - return data - -@@ -483,7 +495,7 @@ def get_charset(self, default: str) -> str: - """Returns charset parameter from Content-Type header or default.""" - ctype = self.headers.get(CONTENT_TYPE, "") - mimetype = parse_mimetype(ctype) -- return mimetype.parameters.get("charset", default) -+ return mimetype.parameters.get("charset", self._default_charset or default) - - @reify - def name(self) -> Optional[str]: -@@ -538,9 +550,17 @@ class MultipartReader: - part_reader_cls = BodyPartReader - - def __init__(self, headers: Mapping[str, str], content: StreamReader) -> None: -+ self._mimetype = parse_mimetype(headers[CONTENT_TYPE]) -+ assert self._mimetype.type == "multipart", "multipart/* content type expected" -+ if "boundary" not in self._mimetype.parameters: -+ raise ValueError( -+ "boundary missed for Content-Type: %s" % headers[CONTENT_TYPE] -+ ) -+ - self.headers = headers - self._boundary = ("--" + self._get_boundary()).encode() - self._content = content -+ self._default_charset: Optional[str] = None - self._last_part: Optional[Union["MultipartReader", BodyPartReader]] = None - self._at_eof = False - self._at_bof = True -@@ -592,7 +612,24 @@ async def next( - await self._read_boundary() - if self._at_eof: # we just read the last boundary, nothing to do there - return None -- self._last_part = await self.fetch_next_part() -+ -+ part = await self.fetch_next_part() -+ # https://datatracker.ietf.org/doc/html/rfc7578#section-4.6 -+ if ( -+ self._last_part is None -+ and self._mimetype.subtype == "form-data" -+ and isinstance(part, BodyPartReader) -+ ): -+ _, params = parse_content_disposition(part.headers.get(CONTENT_DISPOSITION)) -+ if params.get("name") == "_charset_": -+ # Longest encoding in https://encoding.spec.whatwg.org/encodings.json -+ # is 19 characters, so 32 should be more than enough for any valid encoding. -+ charset = await part.read_chunk(32) -+ if len(charset) > 31: -+ raise RuntimeError("Invalid default charset") -+ self._default_charset = charset.strip().decode() -+ part = await self.fetch_next_part() -+ self._last_part = part - return self._last_part - - async def release(self) -> None: -@@ -628,19 +665,16 @@ def _get_part_reader( - return type(self)(headers, self._content) - return self.multipart_reader_cls(headers, self._content) - else: -- return self.part_reader_cls(self._boundary, headers, self._content) -- -- def _get_boundary(self) -> str: -- mimetype = parse_mimetype(self.headers[CONTENT_TYPE]) -- -- assert mimetype.type == "multipart", "multipart/* content type expected" -- -- if "boundary" not in mimetype.parameters: -- raise ValueError( -- "boundary missed for Content-Type: %s" % self.headers[CONTENT_TYPE] -+ return self.part_reader_cls( -+ self._boundary, -+ headers, -+ self._content, -+ subtype=self._mimetype.subtype, -+ default_charset=self._default_charset, - ) - -- boundary = mimetype.parameters["boundary"] -+ def _get_boundary(self) -> str: -+ boundary = self._mimetype.parameters["boundary"] - if len(boundary) > 70: - raise ValueError("boundary %r is too long (70 chars max)" % boundary) - -@@ -731,6 +765,7 @@ def __init__(self, subtype: str = "mixed", boundary: Optional[str] = None) -> No - super().__init__(None, content_type=ctype) - - self._parts: List[_Part] = [] -+ self._is_form_data = subtype == "form-data" - - def __enter__(self) -> "MultipartWriter": - return self -@@ -808,32 +843,36 @@ def append(self, obj: Any, headers: Optional[Mapping[str, str]] = None) -> Paylo - - def append_payload(self, payload: Payload) -> Payload: - """Adds a new body part to multipart writer.""" -- # compression -- encoding: Optional[str] = payload.headers.get( -- CONTENT_ENCODING, -- "", -- ).lower() -- if encoding and encoding not in ("deflate", "gzip", "identity"): -- raise RuntimeError(f"unknown content encoding: {encoding}") -- if encoding == "identity": -- encoding = None -- -- # te encoding -- te_encoding: Optional[str] = payload.headers.get( -- CONTENT_TRANSFER_ENCODING, -- "", -- ).lower() -- if te_encoding not in ("", "base64", "quoted-printable", "binary"): -- raise RuntimeError( -- "unknown content transfer encoding: {}" "".format(te_encoding) -+ encoding: Optional[str] = None -+ te_encoding: Optional[str] = None -+ if self._is_form_data: -+ # https://datatracker.ietf.org/doc/html/rfc7578#section-4.7 -+ # https://datatracker.ietf.org/doc/html/rfc7578#section-4.8 -+ assert CONTENT_DISPOSITION in payload.headers -+ assert "name=" in payload.headers[CONTENT_DISPOSITION] -+ assert ( -+ not {CONTENT_ENCODING, CONTENT_LENGTH, CONTENT_TRANSFER_ENCODING} -+ & payload.headers.keys() - ) -- if te_encoding == "binary": -- te_encoding = None -- -- # size -- size = payload.size -- if size is not None and not (encoding or te_encoding): -- payload.headers[CONTENT_LENGTH] = str(size) -+ else: -+ # compression -+ encoding = payload.headers.get(CONTENT_ENCODING, "").lower() -+ if encoding and encoding not in ("deflate", "gzip", "identity"): -+ raise RuntimeError(f"unknown content encoding: {encoding}") -+ if encoding == "identity": -+ encoding = None -+ -+ # te encoding -+ te_encoding = payload.headers.get(CONTENT_TRANSFER_ENCODING, "").lower() -+ if te_encoding not in ("", "base64", "quoted-printable", "binary"): -+ raise RuntimeError(f"unknown content transfer encoding: {te_encoding}") -+ if te_encoding == "binary": -+ te_encoding = None -+ -+ # size -+ size = payload.size -+ if size is not None and not (encoding or te_encoding): -+ payload.headers[CONTENT_LENGTH] = str(size) - - self._parts.append((payload, encoding, te_encoding)) # type: ignore[arg-type] - return payload -diff --git a/tests/test_client_functional.py b/tests/test_client_functional.py -index 8a9a4e184be..dbb2dff5ac4 100644 ---- a/tests/test_client_functional.py -+++ b/tests/test_client_functional.py -@@ -1317,48 +1317,6 @@ async def handler(request): - resp.close() - - --async def test_POST_DATA_with_context_transfer_encoding(aiohttp_client) -> None: -- async def handler(request): -- data = await request.post() -- assert data["name"] == "text" -- return web.Response(text=data["name"]) -- -- app = web.Application() -- app.router.add_post("/", handler) -- client = await aiohttp_client(app) -- -- form = aiohttp.FormData() -- form.add_field("name", "text", content_transfer_encoding="base64") -- -- resp = await client.post("/", data=form) -- assert 200 == resp.status -- content = await resp.text() -- assert content == "text" -- resp.close() -- -- --async def test_POST_DATA_with_content_type_context_transfer_encoding(aiohttp_client): -- async def handler(request): -- data = await request.post() -- assert data["name"] == "text" -- return web.Response(body=data["name"]) -- -- app = web.Application() -- app.router.add_post("/", handler) -- client = await aiohttp_client(app) -- -- form = aiohttp.FormData() -- form.add_field( -- "name", "text", content_type="text/plain", content_transfer_encoding="base64" -- ) -- -- resp = await client.post("/", data=form) -- assert 200 == resp.status -- content = await resp.text() -- assert content == "text" -- resp.close() -- -- - async def test_POST_MultiDict(aiohttp_client) -> None: - async def handler(request): - data = await request.post() -@@ -1410,7 +1368,7 @@ async def handler(request): - - with fname.open("rb") as f: - async with client.post( -- "/", data={"some": f, "test": b"data"}, chunked=True -+ "/", data={"some": f, "test": io.BytesIO(b"data")}, chunked=True - ) as resp: - assert 200 == resp.status - -diff --git a/tests/test_multipart.py b/tests/test_multipart.py -index f9d130e7949..dbfaf74b9b7 100644 ---- a/tests/test_multipart.py -+++ b/tests/test_multipart.py -@@ -944,6 +944,58 @@ async def test_reading_skips_prelude(self) -> None: - assert first.at_eof() - assert not second.at_eof() - -+ async def test_read_form_default_encoding(self) -> None: -+ with Stream( -+ b"--:\r\n" -+ b'Content-Disposition: form-data; name="_charset_"\r\n\r\n' -+ b"ascii" -+ b"\r\n" -+ b"--:\r\n" -+ b'Content-Disposition: form-data; name="field1"\r\n\r\n' -+ b"foo" -+ b"\r\n" -+ b"--:\r\n" -+ b"Content-Type: text/plain;charset=UTF-8\r\n" -+ b'Content-Disposition: form-data; name="field2"\r\n\r\n' -+ b"foo" -+ b"\r\n" -+ b"--:\r\n" -+ b'Content-Disposition: form-data; name="field3"\r\n\r\n' -+ b"foo" -+ b"\r\n" -+ ) as stream: -+ reader = aiohttp.MultipartReader( -+ {CONTENT_TYPE: 'multipart/form-data;boundary=":"'}, -+ stream, -+ ) -+ field1 = await reader.next() -+ assert field1.name == "field1" -+ assert field1.get_charset("default") == "ascii" -+ field2 = await reader.next() -+ assert field2.name == "field2" -+ assert field2.get_charset("default") == "UTF-8" -+ field3 = await reader.next() -+ assert field3.name == "field3" -+ assert field3.get_charset("default") == "ascii" -+ -+ async def test_read_form_invalid_default_encoding(self) -> None: -+ with Stream( -+ b"--:\r\n" -+ b'Content-Disposition: form-data; name="_charset_"\r\n\r\n' -+ b"this-value-is-too-long-to-be-a-charset" -+ b"\r\n" -+ b"--:\r\n" -+ b'Content-Disposition: form-data; name="field1"\r\n\r\n' -+ b"foo" -+ b"\r\n" -+ ) as stream: -+ reader = aiohttp.MultipartReader( -+ {CONTENT_TYPE: 'multipart/form-data;boundary=":"'}, -+ stream, -+ ) -+ with pytest.raises(RuntimeError, match="Invalid default charset"): -+ await reader.next() -+ - - async def test_writer(writer) -> None: - assert writer.size == 7 -@@ -1280,7 +1332,6 @@ async def test_preserve_content_disposition_header(self, buf, stream): - CONTENT_TYPE: "text/python", - }, - ) -- content_length = part.size - await writer.write(stream) - - assert part.headers[CONTENT_TYPE] == "text/python" -@@ -1291,9 +1342,7 @@ async def test_preserve_content_disposition_header(self, buf, stream): - assert headers == ( - b"--:\r\n" - b"Content-Type: text/python\r\n" -- b'Content-Disposition: attachments; filename="bug.py"\r\n' -- b"Content-Length: %s" -- b"" % (str(content_length).encode(),) -+ b'Content-Disposition: attachments; filename="bug.py"' - ) - - async def test_set_content_disposition_override(self, buf, stream): -@@ -1307,7 +1356,6 @@ async def test_set_content_disposition_override(self, buf, stream): - CONTENT_TYPE: "text/python", - }, - ) -- content_length = part.size - await writer.write(stream) - - assert part.headers[CONTENT_TYPE] == "text/python" -@@ -1318,9 +1366,7 @@ async def test_set_content_disposition_override(self, buf, stream): - assert headers == ( - b"--:\r\n" - b"Content-Type: text/python\r\n" -- b'Content-Disposition: attachments; filename="bug.py"\r\n' -- b"Content-Length: %s" -- b"" % (str(content_length).encode(),) -+ b'Content-Disposition: attachments; filename="bug.py"' - ) - - async def test_reset_content_disposition_header(self, buf, stream): -@@ -1332,8 +1378,6 @@ async def test_reset_content_disposition_header(self, buf, stream): - headers={CONTENT_TYPE: "text/plain"}, - ) - -- content_length = part.size -- - assert CONTENT_DISPOSITION in part.headers - - part.set_content_disposition("attachments", filename="bug.py") -@@ -1346,9 +1390,7 @@ async def test_reset_content_disposition_header(self, buf, stream): - b"--:\r\n" - b"Content-Type: text/plain\r\n" - b"Content-Disposition:" -- b' attachments; filename="bug.py"\r\n' -- b"Content-Length: %s" -- b"" % (str(content_length).encode(),) -+ b' attachments; filename="bug.py"' - ) - - -diff --git a/tests/test_web_functional.py b/tests/test_web_functional.py -index 04fc2e35fd1..ee61537068b 100644 ---- a/tests/test_web_functional.py -+++ b/tests/test_web_functional.py -@@ -48,7 +48,8 @@ def fname(here): - - def new_dummy_form(): - form = FormData() -- form.add_field("name", b"123", content_transfer_encoding="base64") -+ with pytest.warns(DeprecationWarning, match="BytesPayload"): -+ form.add_field("name", b"123", content_transfer_encoding="base64") - return form - - -@@ -447,25 +448,6 @@ async def handler(request): - await resp.release() - - --async def test_POST_DATA_with_content_transfer_encoding(aiohttp_client) -> None: -- async def handler(request): -- data = await request.post() -- assert b"123" == data["name"] -- return web.Response() -- -- app = web.Application() -- app.router.add_post("/", handler) -- client = await aiohttp_client(app) -- -- form = FormData() -- form.add_field("name", b"123", content_transfer_encoding="base64") -- -- resp = await client.post("/", data=form) -- assert 200 == resp.status -- -- await resp.release() -- -- - async def test_post_form_with_duplicate_keys(aiohttp_client) -> None: - async def handler(request): - data = await request.post() -@@ -523,7 +505,8 @@ async def handler(request): - return web.Response() - - form = FormData() -- form.add_field("name", b"123", content_transfer_encoding="base64") -+ with pytest.warns(DeprecationWarning, match="BytesPayload"): -+ form.add_field("name", b"123", content_transfer_encoding="base64") - - app = web.Application() - app.router.add_post("/", handler) -@@ -727,7 +710,7 @@ async def handler(request): - app.router.add_post("/", handler) - client = await aiohttp_client(app) - -- resp = await client.post("/", data={"file": data}) -+ resp = await client.post("/", data={"file": io.BytesIO(data)}) - assert 200 == resp.status - - await resp.release() diff --git a/aiohttp-3.9.3.tar.gz b/aiohttp-3.9.5.tar.gz similarity index 49% rename from aiohttp-3.9.3.tar.gz rename to aiohttp-3.9.5.tar.gz index 863954bb448419a5eaaa849431290b5e9249f95a..d67e85871999c99f4583afd6c039ae1b7679b7fd 100644 Binary files a/aiohttp-3.9.3.tar.gz and b/aiohttp-3.9.5.tar.gz differ diff --git a/python-aiohttp.spec b/python-aiohttp.spec index afa513e4826f449e5128a4376893775169b9c4d9..d705bc249179c9add4e6e5f144e0c001755fc9f7 100644 --- a/python-aiohttp.spec +++ b/python-aiohttp.spec @@ -1,19 +1,14 @@ %global _empty_manifest_terminate_build 0 Name: python-aiohttp -Version: 3.9.3 -Release: 3 +Version: 3.9.5 +Release: 1 Summary: Async http client/server framework (asyncio) License: Apache 2 URL: https://github.com/aio-libs/aiohttp -Source0: %{pypi_source aiohttp} -# https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397 -Patch0: CVE-2024-27306.patch -# https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19 -Patch1: CVE-2024-30251.patch -# https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597 -Patch2: CVE-2024-30251-PR-8332-482e6cdf-backport-3.9-Add-set_content_dispos.patch -# https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866 -Patch3: CVE-2024-30251-PR-8335-5a6949da-backport-3.9-Add-Content-Dispositio.patch +Source0: https://files.pythonhosted.org/packages/04/a4/e3679773ea7eb5b37a2c998e25b017cc5349edf6ba2739d1f32855cfb11b/aiohttp-3.9.5.tar.gz + +BuildRequires: python3-pip python3-wheel +BuildRequires: python3-hatchling python3-hatch-vcs Requires: python3-attrs Requires: python3-charset-normalizer @@ -52,10 +47,10 @@ Development documents and examples for aiohttp. %autosetup -n aiohttp-%{version} -p1 %build -%py3_build +%pyproject_build %install -%py3_install +%pyproject_install install -d -m755 %{buildroot}/%{_pkgdocdir} if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi @@ -84,11 +79,17 @@ mv %{buildroot}/doclist.lst . %files -n python3-aiohttp -f filelist.lst %dir %{python3_sitearch}/* +%{_libdir}/python3.11/site-packages/aiohttp/__pycache__/* %files help -f doclist.lst %{_docdir}/* %changelog +* Wed Jun 26 2024 liuzhilin <liuzhilin@kylinos.cn> - 3.9.5-1 +- update to 3.9.5 +- Fixed regression (from :pr:8280) with adding Content-Disposition to the form-data part after appending to writer -- by :user:Dreamsorcerer/:user:Olegt0rr. +- Added default Content-Disposition in multipart/form-data responses to avoid broken form-data responses -- by :user:Dreamsorcerer. + * Mon May 06 2024 yaoxin <yao_xin001@hoperun.com> - 3.9.3-3 - Fix CVE-2024-30251