diff --git a/CVE-2024-49768.patch b/CVE-2024-49768.patch new file mode 100644 index 0000000000000000000000000000000000000000..272b8a735141d8f1002a455d4d6846fa98ffb971 --- /dev/null +++ b/CVE-2024-49768.patch @@ -0,0 +1,225 @@ +From 6943dcf556610ece2ff3cddb39e59a05ef110661 Mon Sep 17 00:00:00 2001 +From: Delta Regeer +Date: Sat, 26 Oct 2024 22:10:36 -0600 +Subject: [PATCH 1/4] Make DummySock() look more like an actual socket + +Fix CVE-2024-49768. +--- + docs/arguments.rst | 14 ++++++ + src/waitress/channel.py | 11 ++++- + tests/test_channel.py | 98 +++++++++++++++++++++++++++++++++++++---- + 3 files changed, 114 insertions(+), 9 deletions(-) + +diff --git a/docs/arguments.rst b/docs/arguments.rst +index f9b9310..20fdfd0 100644 +--- a/docs/arguments.rst ++++ b/docs/arguments.rst +@@ -301,3 +301,17 @@ url_prefix + be stripped of the prefix. + + Default: ``''`` ++ ++channel_request_lookahead ++ Sets the amount of requests we can continue to read from the socket, while ++ we are processing current requests. The default value won't allow any ++ lookahead, increase it above ``0`` to enable. ++ ++ When enabled this inserts a callable ``waitress.client_disconnected`` into ++ the environment that allows the task to check if the client disconnected ++ while waiting for the response at strategic points in the execution and to ++ cancel the operation. ++ ++ Default: ``0`` ++ ++ .. versionadded:: 2.0.0 +\ No newline at end of file +diff --git a/src/waitress/channel.py b/src/waitress/channel.py +index 296a16a..20d0bb1 100644 +--- a/src/waitress/channel.py ++++ b/src/waitress/channel.py +@@ -139,7 +139,7 @@ class HTTPChannel(wasyncore.dispatcher): + # 1. We're not already about to close the connection. + # 2. We're not waiting to flush remaining data before closing the + # connection +- # 3. There are not too many tasks already queued ++ # 3. There are not too many tasks already queued (if lookahead is enabled) + # 4. There's no data in the output buffer that needs to be sent + # before we potentially create a new task. + +@@ -194,6 +194,15 @@ class HTTPChannel(wasyncore.dispatcher): + return False + + with self.requests_lock: ++ # Don't bother processing anymore data if this connection is about ++ # to close. This may happen if readable() returned True, on the ++ # main thread before the service thread set the close_when_flushed ++ # flag, and we read data but our service thread is attempting to ++ # shut down the connection due to an error. We want to make sure we ++ # do this while holding the request_lock so that we can't race ++ if self.will_close or self.close_when_flushed: ++ return False ++ + while data: + if self.request is None: + self.request = self.parser_class(self.adj) +diff --git a/tests/test_channel.py b/tests/test_channel.py +index d86dbbe..bfe083a 100644 +--- a/tests/test_channel.py ++++ b/tests/test_channel.py +@@ -18,7 +18,7 @@ class TestHTTPChannel(unittest.TestCase): + map = {} + inst = self._makeOne(sock, "127.0.0.1", adj, map=map) + inst.outbuf_lock = DummyLock() +- return inst, sock, map ++ return inst, sock.local(), map + + def test_ctor(self): + inst, _, map = self._makeOneWithMap() +@@ -303,7 +303,7 @@ class TestHTTPChannel(unittest.TestCase): + inst.total_outbufs_len = len(inst.outbufs[0]) + inst.adj.send_bytes = 1 + inst.adj.outbuf_high_watermark = 2 +- sock.send = lambda x: False ++ sock.remote.send = lambda x: False + inst.will_close = False + inst.last_activity = 0 + result = inst.handle_write() +@@ -327,7 +327,7 @@ class TestHTTPChannel(unittest.TestCase): + + def test__flush_some_full_outbuf_socket_returns_zero(self): + inst, sock, map = self._makeOneWithMap() +- sock.send = lambda x: False ++ sock.remote.send = lambda x: False + inst.outbufs[0].append(b"abc") + inst.total_outbufs_len = sum(len(x) for x in inst.outbufs) + result = inst._flush_some() +@@ -732,11 +732,12 @@ class TestHTTPChannelLookahead(TestHTTPChannel): + ) + return [body] + +- def _make_app_with_lookahead(self): ++ def _make_app_with_lookahead(self, recv_bytes=8192): + """ + Setup a channel with lookahead and store it and the socket in self + """ + adj = DummyAdjustments() ++ adj.recv_bytes = recv_bytes + adj.channel_request_lookahead = 5 + channel, sock, map = self._makeOneWithMap(adj=adj) + channel.server.application = self.app_check_disconnect +@@ -828,13 +829,65 @@ class TestHTTPChannelLookahead(TestHTTPChannel): + self.assertEqual(data.split("\r\n")[-1], "finished") + self.assertEqual(self.request_body, b"x") + ++ def test_lookahead_bad_request_drop_extra_data(self): ++ """ ++ Send two requests, the first one being bad, split on the recv_bytes ++ limit, then emulate a race that could happen whereby we read data from ++ the socket while the service thread is cleaning up due to an error ++ processing the request. ++ """ ++ ++ invalid_request = [ ++ "GET / HTTP/1.1", ++ "Host: localhost:8080", ++ "Content-length: -1", ++ "", ++ ] ++ ++ invalid_request_len = len("".join([x + "\r\n" for x in invalid_request])) ++ ++ second_request = [ ++ "POST / HTTP/1.1", ++ "Host: localhost:8080", ++ "Content-Length: 1", ++ "", ++ "x", ++ ] ++ ++ full_request = invalid_request + second_request ++ ++ self._make_app_with_lookahead(recv_bytes=invalid_request_len) ++ self._send(*full_request) ++ self.channel.handle_read() ++ self.assertEqual(len(self.channel.requests), 1) ++ self.channel.server.tasks[0].service() ++ self.assertTrue(self.channel.close_when_flushed) ++ # Read all of the next request ++ self.channel.handle_read() ++ self.channel.handle_read() ++ # Validate that there is no more data to be read ++ self.assertEqual(self.sock.remote.local_sent, b"") ++ # Validate that we dropped the data from the second read, and did not ++ # create a new request ++ self.assertEqual(len(self.channel.requests), 0) ++ data = self.sock.recv(256).decode("ascii") ++ self.assertFalse(self.channel.readable()) ++ self.assertTrue(self.channel.writable()) ++ ++ # Handle the write, which will close the socket ++ self.channel.handle_write() ++ self.assertTrue(self.sock.closed) ++ ++ data = self.sock.recv(256) ++ self.assertEqual(len(data), 0) + + class DummySock: + blocking = False + closed = False + + def __init__(self): +- self.sent = b"" ++ self.local_sent = b"" ++ self.remote_sent = b"" + + def setblocking(self, *arg): + self.blocking = True +@@ -852,14 +905,43 @@ class DummySock: + self.closed = True + + def send(self, data): +- self.sent += data ++ self.remote_sent += data + return len(data) + + def recv(self, buffer_size): +- result = self.sent[:buffer_size] +- self.sent = self.sent[buffer_size:] ++ result = self.local_sent[:buffer_size] ++ self.local_sent = self.local_sent[buffer_size:] + return result + ++ def local(self): ++ outer = self ++ ++ class LocalDummySock: ++ def send(self, data): ++ outer.local_sent += data ++ return len(data) ++ ++ def recv(self, buffer_size): ++ result = outer.remote_sent[:buffer_size] ++ outer.remote_sent = outer.remote_sent[buffer_size:] ++ return result ++ ++ def close(self): ++ outer.closed = True ++ ++ @property ++ def sent(self): ++ return outer.remote_sent ++ ++ @property ++ def closed(self): ++ return outer.closed ++ ++ @property ++ def remote(self): ++ return outer ++ ++ return LocalDummySock() + + class DummyLock: + notified = False +-- +2.27.0 diff --git a/CVE-2024-49769.patch b/CVE-2024-49769.patch new file mode 100644 index 0000000000000000000000000000000000000000..1c591b365b6bb290e48e50807d39d34a58d3a40b --- /dev/null +++ b/CVE-2024-49769.patch @@ -0,0 +1,401 @@ +From 03cc640fe7106902899f82115c26e37002bca7f1 Mon Sep 17 00:00:00 2001 +From: Delta Regeer +Date: Sun, 3 Mar 2024 16:15:51 -0700 +Subject: [PATCH 1/6] HTTPChannel is always created from accept, explicitly set + self.connected to True + +--- + src/waitress/channel.py | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/waitress/channel.py b/src/waitress/channel.py +index eb59dd3..ea019d3 100644 +--- a/src/waitress/channel.py ++++ b/src/waitress/channel.py +@@ -67,8 +67,7 @@ class HTTPChannel(wasyncore.dispatcher): + self.outbuf_lock = threading.Condition() + + wasyncore.dispatcher.__init__(self, sock, map=map) +- +- # Don't let wasyncore.dispatcher throttle self.addr on us. ++ self.connected = True + self.addr = addr + self.requests = [] + +-- +Gitee + + +From 840aebce1c4c1bfd9036f402c1f5d5a4d2f4a1c2 Mon Sep 17 00:00:00 2001 +From: Delta Regeer +Date: Sun, 3 Mar 2024 16:16:48 -0700 +Subject: [PATCH 2/6] Assume socket is not connected when passed to + wasyncore.dispatcher + +No longer call getpeername() on the remote socket either, as it is not +necessary for any of the places where waitress requires that self.addr +in a subclass of the dispatcher needs it. + +This removes a race condition when setting up a HTTPChannel where we +accepted the socket, and know the remote address, yet call getpeername() +again which would have the unintended side effect of potentially setting +self.connected to False because the remote has already shut down part of +the socket. + +This issue was uncovered in #418, where the server would go into a hard +loop because self.connected was used in various parts of the code base. +--- + src/waitress/wasyncore.py | 16 ---------------- + 1 file changed, 16 deletions(-) + +diff --git a/src/waitress/wasyncore.py b/src/waitress/wasyncore.py +index 8615557..9794308 100644 +--- a/src/waitress/wasyncore.py ++++ b/src/waitress/wasyncore.py +@@ -297,22 +297,6 @@ class dispatcher: + # get a socket from a blocking source. + sock.setblocking(0) + self.set_socket(sock, map) +- self.connected = True +- # The constructor no longer requires that the socket +- # passed be connected. +- try: +- self.addr = sock.getpeername() +- except OSError as err: +- if err.args[0] in (ENOTCONN, EINVAL): +- # To handle the case where we got an unconnected +- # socket. +- self.connected = False +- else: +- # The socket is broken in some unknown way, alert +- # the user and remove it from the map (to prevent +- # polling of broken sockets). +- self.del_channel(map) +- raise + else: + self.socket = None + +-- +Gitee + + +From 86c680df4e4bdd40c78dec771cddcee059e802c4 Mon Sep 17 00:00:00 2001 +From: Delta Regeer +Date: Sun, 3 Mar 2024 16:23:33 -0700 +Subject: [PATCH 3/6] Remove test for getpeername() + +--- + tests/test_wasyncore.py | 11 ----------- + 1 file changed, 11 deletions(-) + +diff --git a/tests/test_wasyncore.py b/tests/test_wasyncore.py +index 55c4019..a8a480a 100644 +--- a/tests/test_wasyncore.py ++++ b/tests/test_wasyncore.py +@@ -1454,17 +1454,6 @@ class Test_dispatcher(unittest.TestCase): + + return dispatcher(sock=sock, map=map) + +- def test_unexpected_getpeername_exc(self): +- sock = dummysocket() +- +- def getpeername(): +- raise OSError(errno.EBADF) +- +- map = {} +- sock.getpeername = getpeername +- self.assertRaises(socket.error, self._makeOne, sock=sock, map=map) +- self.assertEqual(map, {}) +- + def test___repr__accepting(self): + sock = dummysocket() + map = {} +-- +Gitee + + +From 8cba302b1ac08c2874ae179b2af2445e89311bac Mon Sep 17 00:00:00 2001 +From: Delta Regeer +Date: Sun, 3 Mar 2024 16:26:22 -0700 +Subject: [PATCH 4/6] Don't exit handle_write early -- even if socket is not + connected + +Calling handle_close() multiple times does not hurt anything, and is +safe. +--- + src/waitress/channel.py | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/src/waitress/channel.py b/src/waitress/channel.py +index ea019d3..3860ed5 100644 +--- a/src/waitress/channel.py ++++ b/src/waitress/channel.py +@@ -91,13 +91,7 @@ class HTTPChannel(wasyncore.dispatcher): + # Precondition: there's data in the out buffer to be sent, or + # there's a pending will_close request + +- if not self.connected: +- # we dont want to close the channel twice +- +- return +- + # try to flush any pending output +- + if not self.requests: + # 1. There are no running tasks, so we don't need to try to lock + # the outbuf before sending +-- +Gitee + + +From 63678e652d912e67621580123c603e37c319d8c4 Mon Sep 17 00:00:00 2001 +From: Delta Regeer +Date: Sun, 3 Mar 2024 16:35:39 -0700 +Subject: [PATCH 5/6] Remove code not used by waitress from vendored asyncore + +--- + src/waitress/wasyncore.py | 45 ------------------ + tests/test_wasyncore.py | 96 ++++++++------------------------------- + 2 files changed, 18 insertions(+), 123 deletions(-) + +diff --git a/src/waitress/wasyncore.py b/src/waitress/wasyncore.py +index 9794308..49829f9 100644 +--- a/src/waitress/wasyncore.py ++++ b/src/waitress/wasyncore.py +@@ -378,23 +378,6 @@ class dispatcher: + self.addr = addr + return self.socket.bind(addr) + +- def connect(self, address): +- self.connected = False +- self.connecting = True +- err = self.socket.connect_ex(address) +- if ( +- err in (EINPROGRESS, EALREADY, EWOULDBLOCK) +- or err == EINVAL +- and os.name == "nt" +- ): # pragma: no cover +- self.addr = address +- return +- if err in (0, EISCONN): +- self.addr = address +- self.handle_connect_event() +- else: +- raise OSError(err, errorcode[err]) +- + def accept(self): + # XXX can return either an address pair or None + try: +@@ -556,34 +539,6 @@ class dispatcher: + self.close() + + +-# --------------------------------------------------------------------------- +-# adds simple buffered output capability, useful for simple clients. +-# [for more sophisticated usage use asynchat.async_chat] +-# --------------------------------------------------------------------------- +- +- +-class dispatcher_with_send(dispatcher): +- def __init__(self, sock=None, map=None): +- dispatcher.__init__(self, sock, map) +- self.out_buffer = b"" +- +- def initiate_send(self): +- num_sent = 0 +- num_sent = dispatcher.send(self, self.out_buffer[:65536]) +- self.out_buffer = self.out_buffer[num_sent:] +- +- handle_write = initiate_send +- +- def writable(self): +- return (not self.connected) or len(self.out_buffer) +- +- def send(self, data): +- if self.debug: # pragma: no cover +- self.log_info("sending %s" % repr(data)) +- self.out_buffer = self.out_buffer + data +- self.initiate_send() +- +- + def close_all(map=None, ignore_all=False): + if map is None: # pragma: no cover + map = socket_map +diff --git a/tests/test_wasyncore.py b/tests/test_wasyncore.py +index a8a480a..20f68f6 100644 +--- a/tests/test_wasyncore.py ++++ b/tests/test_wasyncore.py +@@ -1,6 +1,7 @@ + import _thread as thread + import contextlib + import errno ++from errno import EALREADY, EINPROGRESS, EINVAL, EISCONN, EWOULDBLOCK, errorcode + import functools + import gc + from io import BytesIO +@@ -641,62 +642,6 @@ class DispatcherTests(unittest.TestCase): + self.assertTrue(err != "") + + +-class dispatcherwithsend_noread(asyncore.dispatcher_with_send): # pragma: no cover +- def readable(self): +- return False +- +- def handle_connect(self): +- pass +- +- +-class DispatcherWithSendTests(unittest.TestCase): +- def setUp(self): +- pass +- +- def tearDown(self): +- asyncore.close_all() +- +- @reap_threads +- def test_send(self): +- evt = threading.Event() +- sock = socket.socket() +- sock.settimeout(3) +- port = bind_port(sock) +- +- cap = BytesIO() +- args = (evt, cap, sock) +- t = threading.Thread(target=capture_server, args=args) +- t.start() +- try: +- # wait a little longer for the server to initialize (it sometimes +- # refuses connections on slow machines without this wait) +- time.sleep(0.2) +- +- data = b"Suppose there isn't a 16-ton weight?" +- d = dispatcherwithsend_noread() +- d.create_socket() +- d.connect((HOST, port)) +- +- # give time for socket to connect +- time.sleep(0.1) +- +- d.send(data) +- d.send(data) +- d.send(b"\n") +- +- n = 1000 +- +- while d.out_buffer and n > 0: # pragma: no cover +- asyncore.poll() +- n -= 1 +- +- evt.wait() +- +- self.assertEqual(cap.getvalue(), data * 2) +- finally: +- join_thread(t, timeout=TIMEOUT) +- +- + @unittest.skipUnless( + hasattr(asyncore, "file_wrapper"), "asyncore.file_wrapper required" + ) +@@ -839,6 +784,23 @@ class BaseClient(BaseTestHandler): + self.create_socket(family) + self.connect(address) + ++ def connect(self, address): ++ self.connected = False ++ self.connecting = True ++ err = self.socket.connect_ex(address) ++ if ( ++ err in (EINPROGRESS, EALREADY, EWOULDBLOCK) ++ or err == EINVAL ++ and os.name == "nt" ++ ): # pragma: no cover ++ self.addr = address ++ return ++ if err in (0, EISCONN): ++ self.addr = address ++ self.handle_connect_event() ++ else: ++ raise OSError(err, errorcode[err]) ++ + def handle_connect(self): + pass + +@@ -1489,13 +1451,6 @@ class Test_dispatcher(unittest.TestCase): + inst.set_reuse_addr() + self.assertTrue(sock.errored) + +- def test_connect_raise_socket_error(self): +- sock = dummysocket() +- map = {} +- sock.connect_ex = lambda *arg: 1 +- inst = self._makeOne(sock=sock, map=map) +- self.assertRaises(socket.error, inst.connect, 0) +- + def test_accept_raise_TypeError(self): + sock = dummysocket() + map = {} +@@ -1664,21 +1619,6 @@ class Test_dispatcher(unittest.TestCase): + self.assertTrue(sock.closed) + + +-class Test_dispatcher_with_send(unittest.TestCase): +- def _makeOne(self, sock=None, map=None): +- from waitress.wasyncore import dispatcher_with_send +- +- return dispatcher_with_send(sock=sock, map=map) +- +- def test_writable(self): +- sock = dummysocket() +- map = {} +- inst = self._makeOne(sock=sock, map=map) +- inst.out_buffer = b"123" +- inst.connected = True +- self.assertTrue(inst.writable()) +- +- + class Test_close_all(unittest.TestCase): + def _callFUT(self, map=None, ignore_all=False): + from waitress.wasyncore import close_all +-- +Gitee + + +From 9d99c89ae4aa8449313eea210a5ec9f3994a87b2 Mon Sep 17 00:00:00 2001 +From: Delta Regeer +Date: Sun, 3 Mar 2024 16:37:12 -0700 +Subject: [PATCH 6/6] When closing the socket, set it to None + +This avoids calling close() twice on the same socket if self.close() or +self.handle_close() is called multiple times +--- + src/waitress/wasyncore.py | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/waitress/wasyncore.py b/src/waitress/wasyncore.py +index 49829f9..f42ee37 100644 +--- a/src/waitress/wasyncore.py ++++ b/src/waitress/wasyncore.py +@@ -436,6 +436,8 @@ class dispatcher: + if why.args[0] not in (ENOTCONN, EBADF): + raise + ++ self.socket = None ++ + # log and log_info may be overridden to provide more sophisticated + # logging and warning methods. In general, log is for 'hit' logging + # and 'log_info' is for informational, warning and error logging. +@@ -486,7 +488,11 @@ class dispatcher: + # handle_expt_event() is called if there might be an error on the + # socket, or if there is OOB data + # check for the error condition first +- err = self.socket.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR) ++ err = ( ++ self.socket.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR) ++ if self.socket is not None ++ else 1 ++ ) + if err != 0: + # we can get here when select.select() says that there is an + # exceptional condition on the socket +-- +Gitee diff --git a/cve-2022-24761.diff b/cve-2022-24761.diff new file mode 100644 index 0000000000000000000000000000000000000000..2745a008c5c23d4595a422518036e5c205588280 --- /dev/null +++ b/cve-2022-24761.diff @@ -0,0 +1,392 @@ +diff -Nru waitress-2.0.0/src/waitress/parser.py waitress-2.0.0.fixed/src/waitress/parser.py +--- waitress-2.0.0/src/waitress/parser.py 2021-03-08 07:24:23.000000000 +0000 ++++ waitress-2.0.0.fixed/src/waitress/parser.py 2022-04-18 08:04:12.173729937 +0000 +@@ -23,6 +23,7 @@ + + from waitress.buffers import OverflowableBuffer + from waitress.receiver import ChunkedReceiver, FixedStreamReceiver ++from waitress.rfc7230 import HEADER_FIELD_RE, ONLY_DIGIT_RE + from waitress.utilities import ( + BadRequest, + RequestEntityTooLarge, +@@ -31,8 +32,6 @@ + find_double_newline, + ) + +-from .rfc7230 import HEADER_FIELD +- + + def unquote_bytes_to_wsgi(bytestring): + return unquote_to_bytes(bytestring).decode("latin-1") +@@ -221,7 +220,7 @@ + headers = self.headers + + for line in lines: +- header = HEADER_FIELD.match(line) ++ header = HEADER_FIELD_RE.match(line) + + if not header: + raise ParsingError("Invalid header") +@@ -314,11 +313,12 @@ + self.connection_close = True + + if not self.chunked: +- try: +- cl = int(headers.get("CONTENT_LENGTH", 0)) +- except ValueError: ++ cl = headers.get("CONTENT_LENGTH", "0") ++ ++ if not ONLY_DIGIT_RE.match(cl.encode("latin-1")): + raise ParsingError("Content-Length is invalid") + ++ cl = int(cl) + self.content_length = cl + + if cl > 0: +diff -Nru waitress-2.0.0/src/waitress/receiver.py waitress-2.0.0.fixed/src/waitress/receiver.py +--- waitress-2.0.0/src/waitress/receiver.py 2021-03-08 07:24:23.000000000 +0000 ++++ waitress-2.0.0.fixed/src/waitress/receiver.py 2022-04-18 08:04:12.173729937 +0000 +@@ -14,6 +14,7 @@ + """Data Chunk Receiver + """ + ++from waitress.rfc7230 import CHUNK_EXT_RE, ONLY_HEXDIG_RE + from waitress.utilities import BadRequest, find_double_newline + + +@@ -110,6 +111,7 @@ + s = b"" + else: + self.chunk_end = b"" ++ + if pos == 0: + # Chop off the terminating CR LF from the chunk + s = s[2:] +@@ -133,20 +135,32 @@ + line = s[:pos] + s = s[pos + 2 :] + self.control_line = b"" +- line = line.strip() + + if line: + # Begin a new chunk. + semi = line.find(b";") + + if semi >= 0: +- # discard extension info. ++ extinfo = line[semi:] ++ valid_ext_info = CHUNK_EXT_RE.match(extinfo) ++ ++ if not valid_ext_info: ++ self.error = BadRequest("Invalid chunk extension") ++ self.all_chunks_received = True ++ ++ break ++ + line = line[:semi] +- try: +- sz = int(line.strip(), 16) # hexadecimal +- except ValueError: # garbage in input +- self.error = BadRequest("garbage in chunked encoding input") +- sz = 0 ++ ++ if not ONLY_HEXDIG_RE.match(line): ++ self.error = BadRequest("Invalid chunk size") ++ self.all_chunks_received = True ++ ++ break ++ ++ # Can not fail due to matching against the regular ++ # expression above ++ sz = int(line, 16) # hexadecimal + + if sz > 0: + # Start a new chunk. +diff -Nru waitress-2.0.0/src/waitress/rfc7230.py waitress-2.0.0.fixed/src/waitress/rfc7230.py +--- waitress-2.0.0/src/waitress/rfc7230.py 2021-03-08 07:24:23.000000000 +0000 ++++ waitress-2.0.0.fixed/src/waitress/rfc7230.py 2022-04-18 08:04:12.173729937 +0000 +@@ -5,6 +5,9 @@ + + import re + ++HEXDIG = "[0-9a-fA-F]" ++DIGIT = "[0-9]" ++ + WS = "[ \t]" + OWS = WS + "{0,}?" + RWS = WS + "{1,}?" +@@ -25,6 +28,12 @@ + # ; visible (printing) characters + VCHAR = r"\x21-\x7e" + ++# The '\\' between \x5b and \x5d is needed to escape \x5d (']') ++QDTEXT = "[\t \x21\x23-\x5b\\\x5d-\x7e" + OBS_TEXT + "]" ++ ++QUOTED_PAIR = r"\\" + "([\t " + VCHAR + OBS_TEXT + "])" ++QUOTED_STRING = '"(?:(?:' + QDTEXT + ")|(?:" + QUOTED_PAIR + '))*"' ++ + # header-field = field-name ":" OWS field-value OWS + # field-name = token + # field-value = *( field-content / obs-fold ) +@@ -43,8 +52,24 @@ + # Which allows the field value here to just see if there is even a value in the first place + FIELD_VALUE = "(?:" + FIELD_CONTENT + ")?" + +-HEADER_FIELD = re.compile( ++# chunk-ext = *( ";" chunk-ext-name [ "=" chunk-ext-val ] ) ++# chunk-ext-name = token ++# chunk-ext-val = token / quoted-string ++ ++CHUNK_EXT_NAME = TOKEN ++CHUNK_EXT_VAL = "(?:" + TOKEN + ")|(?:" + QUOTED_STRING + ")" ++CHUNK_EXT = ( ++ "(?:;(?P" + CHUNK_EXT_NAME + ")(?:=(?P" + CHUNK_EXT_VAL + "))?)*" ++) ++ ++# Pre-compiled regular expressions for use elsewhere ++ONLY_HEXDIG_RE = re.compile(("^" + HEXDIG + "+$").encode("latin-1")) ++ONLY_DIGIT_RE = re.compile(("^" + DIGIT + "+$").encode("latin-1")) ++HEADER_FIELD_RE = re.compile( + ( + "^(?P" + TOKEN + "):" + OWS + "(?P" + FIELD_VALUE + ")" + OWS + "$" + ).encode("latin-1") + ) ++QUOTED_PAIR_RE = re.compile(QUOTED_PAIR) ++QUOTED_STRING_RE = re.compile(QUOTED_STRING) ++CHUNK_EXT_RE = re.compile(("^" + CHUNK_EXT + "$").encode("latin-1")) +diff -Nru waitress-2.0.0/src/waitress/utilities.py waitress-2.0.0.fixed/src/waitress/utilities.py +--- waitress-2.0.0/src/waitress/utilities.py 2021-03-08 07:24:23.000000000 +0000 ++++ waitress-2.0.0.fixed/src/waitress/utilities.py 2022-04-18 08:04:12.173729937 +0000 +@@ -22,7 +22,7 @@ + import stat + import time + +-from .rfc7230 import OBS_TEXT, VCHAR ++from .rfc7230 import QUOTED_PAIR_RE, QUOTED_STRING_RE + + logger = logging.getLogger("waitress") + queue_logger = logging.getLogger("waitress.queue") +@@ -216,32 +216,10 @@ + return retval + + +-# RFC 5234 Appendix B.1 "Core Rules": +-# VCHAR = %x21-7E +-# ; visible (printing) characters +-vchar_re = VCHAR +- +-# RFC 7230 Section 3.2.6 "Field Value Components": +-# quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE +-# qdtext = HTAB / SP /%x21 / %x23-5B / %x5D-7E / obs-text +-# obs-text = %x80-FF +-# quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text ) +-obs_text_re = OBS_TEXT +- +-# The '\\' between \x5b and \x5d is needed to escape \x5d (']') +-qdtext_re = "[\t \x21\x23-\x5b\\\x5d-\x7e" + obs_text_re + "]" +- +-quoted_pair_re = r"\\" + "([\t " + vchar_re + obs_text_re + "])" +-quoted_string_re = '"(?:(?:' + qdtext_re + ")|(?:" + quoted_pair_re + '))*"' +- +-quoted_string = re.compile(quoted_string_re) +-quoted_pair = re.compile(quoted_pair_re) +- +- + def undquote(value): + if value.startswith('"') and value.endswith('"'): + # So it claims to be DQUOTE'ed, let's validate that +- matches = quoted_string.match(value) ++ matches = QUOTED_STRING_RE.match(value) + + if matches and matches.end() == len(value): + # Remove the DQUOTE's from the value +@@ -249,7 +227,7 @@ + + # Remove all backslashes that are followed by a valid vchar or + # obs-text +- value = quoted_pair.sub(r"\1", value) ++ value = QUOTED_PAIR_RE.sub(r"\1", value) + + return value + elif not value.startswith('"') and not value.endswith('"'): +diff -Nru waitress-2.0.0/tests/test_functional.py waitress-2.0.0.fixed/tests/test_functional.py +--- waitress-2.0.0/tests/test_functional.py 2021-03-08 07:24:23.000000000 +0000 ++++ waitress-2.0.0.fixed/tests/test_functional.py 2022-04-18 08:04:12.173729937 +0000 +@@ -312,7 +312,7 @@ + self.assertFalse("transfer-encoding" in headers) + + def test_chunking_request_with_content(self): +- control_line = b"20;\r\n" # 20 hex = 32 dec ++ control_line = b"20\r\n" # 20 hex = 32 dec + s = b"This string has 32 characters.\r\n" + expected = s * 12 + header = b"GET / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n" +@@ -332,7 +332,7 @@ + self.assertFalse("transfer-encoding" in headers) + + def test_broken_chunked_encoding(self): +- control_line = b"20;\r\n" # 20 hex = 32 dec ++ control_line = b"20\r\n" # 20 hex = 32 dec + s = b"This string has 32 characters.\r\n" + to_send = b"GET / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n" + to_send += control_line + s + b"\r\n" +@@ -355,8 +355,52 @@ + self.send_check_error(to_send) + self.assertRaises(ConnectionClosed, read_http, fp) + ++ def test_broken_chunked_encoding_invalid_hex(self): ++ control_line = b"0x20\r\n" # 20 hex = 32 dec ++ s = b"This string has 32 characters.\r\n" ++ to_send = b"GET / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n" ++ to_send += control_line + s + b"\r\n" ++ self.connect() ++ self.sock.send(to_send) ++ with self.sock.makefile("rb", 0) as fp: ++ line, headers, response_body = read_http(fp) ++ self.assertline(line, "400", "Bad Request", "HTTP/1.1") ++ cl = int(headers["content-length"]) ++ self.assertEqual(cl, len(response_body)) ++ self.assertIn(b"Invalid chunk size", response_body) ++ self.assertEqual( ++ sorted(headers.keys()), ++ ["connection", "content-length", "content-type", "date", "server"], ++ ) ++ self.assertEqual(headers["content-type"], "text/plain") ++ # connection has been closed ++ self.send_check_error(to_send) ++ self.assertRaises(ConnectionClosed, read_http, fp) ++ ++ def test_broken_chunked_encoding_invalid_extension(self): ++ control_line = b"20;invalid=\r\n" # 20 hex = 32 dec ++ s = b"This string has 32 characters.\r\n" ++ to_send = b"GET / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n" ++ to_send += control_line + s + b"\r\n" ++ self.connect() ++ self.sock.send(to_send) ++ with self.sock.makefile("rb", 0) as fp: ++ line, headers, response_body = read_http(fp) ++ self.assertline(line, "400", "Bad Request", "HTTP/1.1") ++ cl = int(headers["content-length"]) ++ self.assertEqual(cl, len(response_body)) ++ self.assertIn(b"Invalid chunk extension", response_body) ++ self.assertEqual( ++ sorted(headers.keys()), ++ ["connection", "content-length", "content-type", "date", "server"], ++ ) ++ self.assertEqual(headers["content-type"], "text/plain") ++ # connection has been closed ++ self.send_check_error(to_send) ++ self.assertRaises(ConnectionClosed, read_http, fp) ++ + def test_broken_chunked_encoding_missing_chunk_end(self): +- control_line = b"20;\r\n" # 20 hex = 32 dec ++ control_line = b"20\r\n" # 20 hex = 32 dec + s = b"This string has 32 characters.\r\n" + to_send = b"GET / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n" + to_send += control_line + s +diff -Nru waitress-2.0.0/tests/test_parser.py waitress-2.0.0.fixed/tests/test_parser.py +--- waitress-2.0.0/tests/test_parser.py 2021-03-08 07:24:23.000000000 +0000 ++++ waitress-2.0.0.fixed/tests/test_parser.py 2022-04-18 08:04:12.173729937 +0000 +@@ -155,7 +155,7 @@ + b"Transfer-Encoding: chunked\r\n" + b"X-Foo: 1\r\n" + b"\r\n" +- b"1d;\r\n" ++ b"1d\r\n" + b"This string has 29 characters\r\n" + b"0\r\n\r\n" + ) +@@ -188,6 +188,26 @@ + + try: + self.parser.parse_header(data) ++ except ParsingError as e: ++ self.assertIn("Content-Length is invalid", e.args[0]) ++ else: # pragma: nocover ++ self.assertTrue(False) ++ ++ def test_parse_header_bad_content_length_plus(self): ++ data = b"GET /foobar HTTP/8.4\r\ncontent-length: +10\r\n" ++ ++ try: ++ self.parser.parse_header(data) ++ except ParsingError as e: ++ self.assertIn("Content-Length is invalid", e.args[0]) ++ else: # pragma: nocover ++ self.assertTrue(False) ++ ++ def test_parse_header_bad_content_length_minus(self): ++ data = b"GET /foobar HTTP/8.4\r\ncontent-length: -10\r\n" ++ ++ try: ++ self.parser.parse_header(data) + except ParsingError as e: + self.assertIn("Content-Length is invalid", e.args[0]) + else: # pragma: nocover +diff -Nru waitress-2.0.0/tests/test_receiver.py waitress-2.0.0.fixed/tests/test_receiver.py +--- waitress-2.0.0/tests/test_receiver.py 2021-03-08 07:24:23.000000000 +0000 ++++ waitress-2.0.0.fixed/tests/test_receiver.py 2022-04-18 08:04:12.173729937 +0000 +@@ -1,5 +1,7 @@ + import unittest + ++import pytest ++ + + class TestFixedStreamReceiver(unittest.TestCase): + def _makeOne(self, cl, buf): +@@ -226,6 +228,55 @@ + self.assertEqual(inst.error, None) + + ++class TestChunkedReceiverParametrized: ++ def _makeOne(self, buf): ++ from waitress.receiver import ChunkedReceiver ++ ++ return ChunkedReceiver(buf) ++ ++ @pytest.mark.parametrize( ++ "invalid_extension", [b"\n", b"invalid=", b"\r", b"invalid = true"] ++ ) ++ def test_received_invalid_extensions(self, invalid_extension): ++ from waitress.utilities import BadRequest ++ ++ buf = DummyBuffer() ++ inst = self._makeOne(buf) ++ data = b"4;" + invalid_extension + b"\r\ntest\r\n" ++ result = inst.received(data) ++ assert result == len(data) ++ assert inst.error.__class__ == BadRequest ++ assert inst.error.body == "Invalid chunk extension" ++ ++ @pytest.mark.parametrize( ++ "valid_extension", [b"test", b"valid=true", b"valid=true;other=true"] ++ ) ++ def test_received_valid_extensions(self, valid_extension): ++ # While waitress may ignore extensions in Chunked Encoding, we do want ++ # to make sure that we don't fail when we do encounter one that is ++ # valid ++ buf = DummyBuffer() ++ inst = self._makeOne(buf) ++ data = b"4;" + valid_extension + b"\r\ntest\r\n" ++ result = inst.received(data) ++ assert result == len(data) ++ assert inst.error == None ++ ++ @pytest.mark.parametrize( ++ "invalid_size", [b"0x04", b"+0x04", b"x04", b"+04", b" 04", b" 0x04"] ++ ) ++ def test_received_invalid_size(self, invalid_size): ++ from waitress.utilities import BadRequest ++ ++ buf = DummyBuffer() ++ inst = self._makeOne(buf) ++ data = invalid_size + b"\r\ntest\r\n" ++ result = inst.received(data) ++ assert result == len(data) ++ assert inst.error.__class__ == BadRequest ++ assert inst.error.body == "Invalid chunk size" ++ ++ + class DummyBuffer: + def __init__(self, data=None): + if data is None: diff --git a/python-waitress.spec b/python-waitress.spec index 7191ecdf2c899d4a601c26ed502ff76ad5b1f2e3..2f711f84680e18a773a6c976458247fd8f492483 100644 --- a/python-waitress.spec +++ b/python-waitress.spec @@ -1,12 +1,15 @@ %global _docdir_fmt %{name} Name: python-waitress -Version: 1.1.0 -Release: 5 +Version: 2.0.0 +Release: 1 Summary: A WSGI server for Python 2 and 3 License: ZPLv2.1 URL: https://github.com/Pylons/waitress Source0: https://github.com/Pylons/waitress/archive/v%{version}/waitress-%{version}.tar.gz +Patch0: cve-2022-24761.diff +Patch1: CVE-2024-49768.patch +Patch2: CVE-2024-49769.patch BuildArch: noarch %description @@ -16,22 +19,10 @@ which live in the Python standard library. It runs on CPython on Unix and Windows under Python 2.7+ and Python 3.5+. It is also known to run on PyPy 1.6.0+ on UNIX. It supports HTTP/1.0 and HTTP/1.1. -%package -n python2-waitress -%{?python_provide:%python_provide python2-waitress} -Summary: A WSGI server for Python 2 and 3 -BuildRequires: python2-devel, python2-setuptools, python2-nose, python2-coverage - -%description -n python2-waitress -Waitress is meant to be a production-quality pure-Python WSGI server -with very acceptable performance. It has no dependencies except ones -which live in the Python standard library. It runs on CPython on Unix -and Windows under Python 2.7+ and Python 3.5+. It is also known to run -on PyPy 1.6.0+ on UNIX. It supports HTTP/1.0 and HTTP/1.1. - %package -n python3-waitress %{?python_provide:%python_provide python3-waitress} Summary: A WSGI server for Python 2 and 3 -BuildRequires: python3-devel, python3-setuptools, python3-nose, python3-coverage +BuildRequires: python3-devel, python3-setuptools, python3-coverage %description -n python3-waitress Waitress is meant to be a production-quality pure-Python WSGI server @@ -41,21 +32,14 @@ and Windows under Python 2.7+ and Python 3.5+. It is also known to run on PyPy 1.6.0+ on UNIX. It supports HTTP/1.0 and HTTP/1.1. %prep -%autosetup -n waitress-%{version} +%autosetup -n waitress-%{version} -p1 %build -%py2_build %py3_build %install -%py2_install %py3_install -%files -n python2-waitress -%license COPYRIGHT.txt LICENSE.txt -%doc README.rst CHANGES.txt -%{python2_sitelib}/* - %files -n python3-waitress %license COPYRIGHT.txt LICENSE.txt %doc README.rst CHANGES.txt @@ -63,5 +47,8 @@ on PyPy 1.6.0+ on UNIX. It supports HTTP/1.0 and HTTP/1.1. %{python3_sitelib}/* %changelog +* Sat Nov 9 2024 liningjie - 2.0.0-1 +- update 2.0.0 for fix CVE-2024-49769 + * Thu Feb 13 2020 Ruijun Ge - 1.1.0-5 - init package diff --git a/waitress-1.1.0.tar.gz b/waitress-1.1.0.tar.gz deleted file mode 100644 index 727b2d68c8370dc38ad213255a675bc7c575473d..0000000000000000000000000000000000000000 Binary files a/waitress-1.1.0.tar.gz and /dev/null differ diff --git a/waitress-2.0.0.tar.gz b/waitress-2.0.0.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..323c320cfb547355e9ef8ae0176d306d591b3717 Binary files /dev/null and b/waitress-2.0.0.tar.gz differ