mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-13 17:39:57 +00:00
Code Issues Projects Releases Wiki Activity

python3-twisted: Fix CVE-2024-41810

Browse Source 
Twisted is an event-based framework for internet applications, supporting Python 3.6+.
The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability.
If application code allows an attacker to control the redirect URL this vulnerability
may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.
This vulnerability is fixed in 24.7.0rc1.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-41810

Upstream patch:
https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
Soumya Sambu
2025-09-16 18:26:00 +05:30
committed by Gyorgy Sarvari
parent 5c13812501
commit 7ca4d7761b
2 changed files with 111 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch
+109
View File
@@ -0,0 +1,109 @@
From 046a164f89a0f08d3239ecebd750360f8914df33 Mon Sep 17 00:00:00 2001
From: Adi Roiban <adiroiban@gmail.com>
Date: Mon Jul 29 14:28:03 2024 +0100
Subject: [PATCH] Merge commit from fork
Added HTML output encoding the "URL" parameter of the "redirectTo" function
CVE: CVE-2024-41810
Upstream-Status: Backport [https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33]
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
---
src/twisted/web/_template_util.py | 2 +-
src/twisted/web/newsfragments/12263.bugfix | 1 +
src/twisted/web/newsfragments/9839.bugfix | 1 +
src/twisted/web/test/test_util.py | 39 +++++++++++++++++++++-
4 files changed, 41 insertions(+), 2 deletions(-)
create mode 100644 src/twisted/web/newsfragments/12263.bugfix
create mode 100644 src/twisted/web/newsfragments/9839.bugfix
diff --git a/src/twisted/web/_template_util.py b/src/twisted/web/_template_util.py
index bd081bd..3fb56e5 100644
--- a/src/twisted/web/_template_util.py
+++ b/src/twisted/web/_template_util.py
@@ -92,7 +92,7 @@ def redirectTo(URL: bytes, request: IRequest) -> bytes:
</body>
</html>
""" % {
- b"url": URL
+ b"url": escape(URL.decode("utf-8")).encode("utf-8")
}
return content
diff --git a/src/twisted/web/newsfragments/12263.bugfix b/src/twisted/web/newsfragments/12263.bugfix
new file mode 100644
index 0000000..b3982ca
--- /dev/null
+++ b/src/twisted/web/newsfragments/12263.bugfix
@@ -0,0 +1 @@
+twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2). The issue is being tracked with CVE-2024-41810.
\ No newline at end of file
diff --git a/src/twisted/web/newsfragments/9839.bugfix b/src/twisted/web/newsfragments/9839.bugfix
new file mode 100644
index 0000000..1e2e7f7
--- /dev/null
+++ b/src/twisted/web/newsfragments/9839.bugfix
@@ -0,0 +1 @@
+twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2, CVE-2024-41810).
diff --git a/src/twisted/web/test/test_util.py b/src/twisted/web/test/test_util.py
index 996b0d0..87282ce 100644
--- a/src/twisted/web/test/test_util.py
+++ b/src/twisted/web/test/test_util.py
@@ -5,7 +5,6 @@
Tests for L{twisted.web.util}.
"""
-
import gc
from twisted.internet import defer
@@ -64,6 +63,44 @@ class RedirectToTests(TestCase):
targetURL = "http://target.example.com/4321"
self.assertRaises(TypeError, redirectTo, targetURL, request)
+ def test_legitimateRedirect(self):
+ """
+ Legitimate URLs are fully interpolated in the `redirectTo` response body without transformation
+ """
+ request = DummyRequest([b""])
+ html = redirectTo(b"https://twisted.org/", request)
+ expected = b"""
+<html>
+ <head>
+ <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/\">
+ </head>
+ <body bgcolor=\"#FFFFFF\" text=\"#000000\">
+ <a href=\"https://twisted.org/\">click here</a>
+ </body>
+</html>
+"""
+ self.assertEqual(html, expected)
+
+ def test_maliciousRedirect(self):
+ """
+ Malicious URLs are HTML-escaped before interpolating them in the `redirectTo` response body
+ """
+ request = DummyRequest([b""])
+ html = redirectTo(
+ b'https://twisted.org/"><script>alert(document.location)</script>', request
+ )
+ expected = b"""
+<html>
+ <head>
+ <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/&quot;&gt;&lt;script&gt;alert(document.location)&lt;/script&gt;\">
+ </head>
+ <body bgcolor=\"#FFFFFF\" text=\"#000000\">
+ <a href=\"https://twisted.org/&quot;&gt;&lt;script&gt;alert(document.location)&lt;/script&gt;\">click here</a>
+ </body>
+</html>
+"""
+ self.assertEqual(html, expected)
+
class ParentRedirectTests(SynchronousTestCase):
"""
--
2.40.0
meta-python/recipes-devtools/python/python3-twisted_22.2.0.bb
+2 -1
View File
@@ -12,7 +12,8 @@ SRC_URI[sha256sum] = "57f32b1f6838facb8c004c89467840367ad38e9e535f8252091345dba5
PYPI_PACKAGE = "Twisted"
SRC_URI += "file://CVE-2024-41671-0001.patch \
file://CVE-2024-41671-0002.patch"
file://CVE-2024-41671-0002.patch \
file://CVE-2024-41810.patch"
inherit pypi python_setuptools_build_meta