python3-werkzeug: fix for patch-fuzz

Modified the CVE-2023-23934.patch to fix the patch-fuzz. Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-02-02 22:30:26 +00:00 · 2023-06-29 16:36:08 +00:00
parent 297bc1cc64
commit d8acec2e84
1 changed files with 18 additions and 17 deletions
--- a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
+++ b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
@@ -1,4 +1,4 @@
-From b070a40ebbd89d88f4d8144a6ece017d33604d00 Mon Sep 17 00:00:00 2001
+From db1457abec7fe27148673f5f8bfdf5c52eb7f29f Mon Sep 17 00:00:00 2001
 From: David Lord <davidism@gmail.com>
 Date: Wed, 10 May 2023 11:33:18 +0000
 Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q
@@ -17,26 +17,26 @@ Upstream-Status: Backport [https://github.com/pallets/werkzeug/commit/cf275f42ac

 Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
 ---
- CHANGES.rst               |  4 ++++
+ CHANGES.rst               |  3 +++
 src/werkzeug/_internal.py | 13 +++++++++----
 src/werkzeug/http.py      |  4 ----
 tests/test_http.py        |  4 +++-
- 4 files changed, 16 insertions(+), 9 deletions(-)
+ 4 files changed, 15 insertions(+), 9 deletions(-)

 diff --git a/CHANGES.rst b/CHANGES.rst
-index a351d7c..23505d3 100644
+index 6e809ba..13ef75b 100644
 --- a/CHANGES.rst
 +++ b/CHANGES.rst
-@@ -1,5 +1,9 @@
- .. currentmodule:: werkzeug
-
+@@ -4,6 +4,9 @@
+     ``RequestEntityTooLarge`` exception is raised on parsing. This mitigates a DoS
+     attack where a larger number of form/file parts would result in disproportionate
+     resource use.
 +-   A cookie header that starts with ``=`` is treated as an empty key and discarded,
 +    rather than stripping the leading ``==``.
 +
-+
+ 
 Version 2.1.1
 -------------
-
 diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py
 index a8b3523..d6290ba 100644
 --- a/src/werkzeug/_internal.py
@@ -55,14 +55,14 @@ index a8b3523..d6290ba 100644
     i = 0
     n = len(b)
 +    b += b";"
-
+ 
     while i < n:
 -        match = _cookie_re.search(b + b";", i)
 +        match = _cookie_re.match(b, i)
 +
         if not match:
             break
-
+ 
 -        key = match.group("key").strip()
 -        value = match.group("val") or b""
         i = match.end(0)
@@ -70,11 +70,11 @@ index a8b3523..d6290ba 100644
 +
 +        if not key:
 +            continue
-
+ 
 +        value = match.group("val") or b""
         yield key, _cookie_unquote(value)
-
-
+ 
+ 
 diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py
 index 9369900..ae133e3 100644
 --- a/src/werkzeug/http.py
@@ -89,7 +89,7 @@ index 9369900..ae133e3 100644
 -
             val_str = _to_str(val, charset, errors, allow_none_charset=True)
             yield key_str, val_str
-
+ 
 diff --git a/tests/test_http.py b/tests/test_http.py
 index 5936bfa..59cc179 100644
 --- a/tests/test_http.py
@@ -110,7 +110,8 @@ index 5936bfa..59cc179 100644
             '"__Secure-c"': "d",
 +            "__Host-eq": "good",
         }
-
+ 
     def test_dump_cookie(self):
--
+-- 
 2.40.0
+