python3-aiohttp: patch CVE-2025-69228

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-69228 Backport the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-11 20:48:21 +00:00 · 2026-02-07 11:33:52 +01:00
parent cd71a1e57c
commit ba968dda37
2 changed files with 49 additions and 0 deletions
--- a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69228.patch
+++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69228.patch
@@ -0,0 +1,48 @@
+From dd79eafcc7ad5429bb769de5fd5c0178e6064be7 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Sat, 3 Jan 2026 02:48:45 +0000
+Subject: [PATCH] Enforce client_max_size over entire multipart form (#11889)
+ (#11908)
+
+From: Sam Bull <git@sambull.org>
+
+(cherry picked from commit ed90718fab5d34c127a283e10385f19440df7dd0)
+
+CVE: CVE-2025-69228
+Upstream-Status: Backport [https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ aiohttp/web_request.py       | 2 +-
+ tests/test_web_functional.py | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/aiohttp/web_request.py b/aiohttp/web_request.py
+index d565557..b3d6141 100644
+--- a/aiohttp/web_request.py
+++ b/aiohttp/web_request.py
+@@ -712,9 +712,9 @@ class BaseRequest(MutableMapping[str, Any], HeadersMixin):
+             multipart = await self.multipart()
+             max_size = self._client_max_size
+ 
+            size = 0
+             field = await multipart.next()
+             while field is not None:
+-                size = 0
+                 field_ct = field.headers.get(hdrs.CONTENT_TYPE)
+ 
+                 if isinstance(field, BodyPartReader):
+diff --git a/tests/test_web_functional.py b/tests/test_web_functional.py
+index ee61537..96dcd1c 100644
+--- a/tests/test_web_functional.py
+++ b/tests/test_web_functional.py
+@@ -1641,8 +1641,8 @@ async def test_app_max_client_size(aiohttp_client) -> None:
+     await resp.release()
+ 
+ 
+-async def test_app_max_client_size_adjusted(aiohttp_client) -> None:
+-    async def handler(request):
+async def test_app_max_client_size_adjusted(aiohttp_client: AiohttpClient) -> None:
+    async def handler(request: web.Request) -> web.Response:
+         await request.post()
+         return web.Response(body=b"ok")
+